
XSS in Visual Editor via Copy&Paste (CVE-2019-19708)
Open, High, Public

Description

Reported to security@

Hey,

I have identified a security issue in Wikimedia Visual Editor, which
makes it possible to perform a cross-site scripting attack via copy&paste.

Here's a proof of concept:

1. Go to https://jsbin.com/lulixuhaxu/edit?html,output
2. Press "Copy" on the right side.
3. Go to Visual Editor on Wikipedia (for instance:
https://en.wikipedia.org/w/index.php?title=Cross-site_scripting&action=edit)
4. Paste the content.
5. Alert appears!

I've confirmed the exploit works in Firefox and Chrome, while it doesn't
work for Safari.

The snippet of HTML that's relevant for the exploit is:

    Hello<div data-ve-clipboard-key="useClipboardData-0"><img src onerror="alert(1)">!

Basically, Visual Editor processes and sanitizes the pasted content, by
copying it to a <div> element with class="ve-ce-surface-paste". The code
is presanitized by the browser and by VE itself.

However, when the pasted content contains an element with attribute
data-ve-clipboard-key [1], then it is assigned to a variable called
clipboardKey.

Later, if clipboardKey is equal to "useClipboardData-0" [2], VE decides
that it works with the unsanitized markup. Then, the code is imported to
the document via a few document.importNode calls, executing the XSS.

I think the fix should be to sanitize the content when using
beforePasteData.html to handle pasted content.


Cheers,
Michał

[1]:
https://github.com/wikimedia/VisualEditor/blob/9d0ef183ae48e93998deae007e49f3ba55864d4e/src/ce/ve.ce.Surface.js#L2330
[2]:
https://github.com/wikimedia/VisualEditor/blob/9d0ef183ae48e93998deae007e49f3ba55864d4e/src/ce/ve.ce.Surface.js#L2505
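A simplified model of the paste-handling decision the report describes, added here as illustration and not VisualEditor's own code: the branch that trusts raw clipboard HTML whenever the clipboard key matches, beside a version that sanitizes whichever source is chosen. The allow-list sanitizer, the function names and the `storedKey` parameter are assumptions; in a real browser one would delegate sanitization to a proper HTML sanitizer rather than regular expressions.

```javascript
// Simplified model of the paste path described in the report (added example,
// not VisualEditor's code). Assumption: a small allow-list sanitizer stands in
// for the browser/VE pre-sanitization the report mentions.
const CLIPBOARD_KEY_RE = /data-ve-clipboard-key\s*=\s*["']([^"']+)["']/i;
const DROP_ELEMENTS_RE = /<(script|style|iframe|object|embed)\b[\s\S]*?(<\/\1\s*>|$)/gi;
const TAG_RE = /<([a-z][a-z0-9-]*)((?:\s+[^\s=>]+(?:\s*=\s*(?:"[^"]*"|'[^']*'|[^\s>]+))?)*)\s*(\/?)>/gi;
const ATTR_RE = /([^\s=]+)(?:\s*=\s*("[^"]*"|'[^']*'|[^\s>]+))?/g;

// Drop dangerous elements, on* handlers, javascript: URLs and VE-internal
// data-ve-* markers (an untrusted paste must not be able to carry editor state).
function sanitizeHtml(html) {
  return html.replace(DROP_ELEMENTS_RE, '').replace(TAG_RE, (tag, name, attrs, selfClose) => {
    const kept = [];
    for (const a of attrs.matchAll(ATTR_RE)) {
      const key = a[1].toLowerCase();
      const value = (a[2] || '').replace(/^["']|["']$/g, '').replace(/\s/g, '').toLowerCase();
      if (key.startsWith('on') || key.startsWith('data-ve-')) continue;
      if ((key === 'href' || key === 'src') && value.startsWith('javascript:')) continue;
      kept.push(a[2] === undefined ? a[1] : `${a[1]}=${a[2]}`);
    }
    return `<${name}${kept.length ? ' ' + kept.join(' ') : ''}${selfClose ? ' /' : ''}>`;
  });
}

// The flaw: a key found in the pasted markup that matches the stored key makes
// the editor use the raw clipboard HTML (beforePasteData.html) unsanitized.
function handlePasteVulnerable(pastedHtml, rawClipboardHtml, storedKey = 'useClipboardData-0') {
  const m = CLIPBOARD_KEY_RE.exec(pastedHtml);
  if (m && m[1] === storedKey) {
    return rawClipboardHtml; // trusted path: no sanitization at all
  }
  return sanitizeHtml(pastedHtml);
}

// Fixed: the key may choose which markup is used, never whether it is sanitized.
function handlePasteFixed(pastedHtml, rawClipboardHtml, storedKey = 'useClipboardData-0') {
  const m = CLIPBOARD_KEY_RE.exec(pastedHtml);
  const source = m && m[1] === storedKey ? rawClipboardHtml : pastedHtml;
  return sanitizeHtml(source);
}

// Constructed input: the proof-of-concept fragment quoted in the report.
const POC_HTML = 'Hello<div data-ve-clipboard-key="useClipboardData-0"><img src onerror="alert(1)">!';
```

Running `handlePasteVulnerable(POC_HTML, POC_HTML)` hands the `onerror` handler straight through, while `handlePasteFixed` with the same arguments yields `Hello<div><img src>!`.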

Details

Related Gerrit Patches:
VisualEditor/VisualEditor : REL1_33 : Sanitize HTML on paste
VisualEditor/VisualEditor : REL1_34 : Sanitize HTML on paste
mediawiki/extensions/VisualEditor : master : Update VE core submodule to master (3b3dcad84)
mediawiki/extensions/VisualEditor : wmf/1.35.0-wmf.5 : Update VE core submodule to wmf/1.35.0-wmf.5 HEAD (1d3a49454)
mediawiki/extensions/VisualEditor : wmf/1.35.0-wmf.8 : Update VE core submodule to wmf/1.35.0-wmf.8 HEAD (bb0a266ff)
VisualEditor/VisualEditor : wmf/1.35.0-wmf.5 : Sanitize HTML on paste
VisualEditor/VisualEditor : wmf/1.35.0-wmf.8 : Sanitize HTML on paste
VisualEditor/VisualEditor : master : Sanitize HTML on paste

Event Timeline

Reedy created this task. Tue, Nov 26, 10:02 AM
Restricted Application added a subscriber: Aklapper. Tue, Nov 26, 10:02 AM
sbassett triaged this task as High priority. Tue, Nov 26, 3:32 PM
sbassett moved this task from Backlog / Other to Other WMF team on the Security board.
sbassett added a project: Security-Team.
sbassett moved this task from Incoming to Watching on the Security-Team board.
dchan claimed this task. Wed, Nov 27, 4:57 PM

This patchset should fix the security issue: https://gerrit.wikimedia.org/r/553888

@dchan - thanks for the patch, but could we work to get this merged and deployed soon? This is a security-protected task due to it being a live XSS on all of the projects. We'd typically post the patch on the task for a security-deploy and then backport and make it public.

dchan added a comment. Tue, Dec 3, 1:00 AM

Apologies @sbassett , I judged the patch wasn't particularly revealing but maybe that wasn't really my call. Given it's already up, should we now proceed as we would with a non-security-related UBN?

Jdforrester-WMF added a subscriber: Jdforrester-WMF.

Now manually deployed to wmf.5 and wmf.8, and landed in master. Do we want to announce this, or just Resolve it publicly?

sbassett added a comment (edited). Tue, Dec 3, 2:18 AM

@Jdforrester-WMF, @dchan - Thanks for the quick action! I think we can make the task public and then resolve it tomorrow after the standard follow-up steps have been completed: backports and a CVE. I'll also track it here: T234983.

Update: I tried picking master to REL1_34 in gerrit and got a merge conflict. Not sure why - I'm not seeing any outstanding patches. And I'm not seeing any release branches for 1.31, 1.32 and 1.33. I see the various wmf/ branches for those releases in the repo, but not the REL1_xx branches to which we typically backport.

sbassett changed the visibility from "Custom Policy" to "Public (No Login Required)". Tue, Dec 3, 2:18 AM

Update: I tried picking master to REL1_34 in gerrit and got a merge conflict. Not sure why - I'm not seeing any outstanding patches. And I'm not seeing any release branches for 1.31, 1.32 and 1.33. I see the various wmf/ branches for those releases in the repo, but not the REL1_xx branches to which we typically backport.

We ran into merge conflicts just cherry-picking to wmf.5; it seems very unlikely that you'll successfully pick back to REL1_34, let alone anything older.

Update: I've requested a CVE for this. I'll update the task title and T234983 once I have the ID. Regarding the backports, it would be nice to do those for 1.31-1.34, but if that's just not feasible, then it's probably not worth the effort. Has there been any effort to get those branches into better health?

sbassett moved this task from Backlog to In Progress on the user-sbassett board.

Change 556295 had a related patch set uploaded (by Jforrester; owner: Divec):
[VisualEditor/VisualEditor@REL1_34] Sanitize HTML on paste

https://gerrit.wikimedia.org/r/556295

Change 556296 had a related patch set uploaded (by Jforrester; owner: Divec):
[VisualEditor/VisualEditor@REL1_33] Sanitize HTML on paste

https://gerrit.wikimedia.org/r/556296

sbassett renamed this task from "XSS in Visual Editor via Copy&Paste" to "XSS in Visual Editor via Copy&Paste (CVE-2019-19708)". Wed, Dec 11, 2:59 PM
sbassett moved this task from In Progress to Done on the user-sbassett board. Wed, Dec 11, 4:58 PM