
XSS in Visual Editor via Copy&Paste (CVE-2019-19708)
Closed, ResolvedPublic

Description

Reported to security@

Hey,

I have identified a security issue in Wikimedia Visual Editor, which
makes it possible to perform a cross-site scripting attack via copy&paste.

Here's a proof of concept:

1. Go to https://jsbin.com/lulixuhaxu/edit?html,output
2. Press "Copy" on the right side.
3. Go to Visual Editor on Wikipedia (for instance:
https://en.wikipedia.org/w/index.php?title=Cross-site_scripting&action=edit)
4. Paste the content.
5. Alert appears!

I've confirmed the exploit works in Firefox and Chrome, while it doesn't
work for Safari.

The snippet of HTML that's relevant for the exploit is:

        Hello<div data-ve-clipboard-key="useClipboardData-0"><img src onerror="alert(1)">!

Basically, Visual Editor processes and sanitizes the pasted content by
copying it to a <div> element with class="ve-ce-surface-paste". The code
is presanitized by the browser and by VE itself.

However, when the pasted content contains an element with attribute
data-ve-clipboard-key [1], then it is assigned to a variable called
clipboardKey.

Later, if clipboardKey is equal to "useClipboardData-0" [2], VE decides
that it works with the unsanitized markup. Then, the code is imported to
the document via a few document.importNode calls, executing the XSS.

I think the fix should be to sanitize the content when using
beforePasteData.html to handle pasted content.


Cheers,
Michał

[1]:
https://github.com/wikimedia/VisualEditor/blob/9d0ef183ae48e93998deae007e49f3ba55864d4e/src/ce/ve.ce.Surface.js#L2330
[2]:
https://github.com/wikimedia/VisualEditor/blob/9d0ef183ae48e93998deae007e49f3ba55864d4e/src/ce/ve.ce.Surface.js#L2505
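The following is an added example that models the trust decision the report describes; it is not VisualEditor's code and the function names (handlePasteVulnerable, handlePasteFixed, demoSanitize) and the string-based sanitizer are illustrative assumptions. The point it demonstrates is that the data-ve-clipboard-key marker is just an attribute inside attacker-supplied markup, so a handler that skips sanitization when the marker matches is bypassable by anyone who can put that attribute on the clipboard. The hardened variant keeps the marker for selecting the data source but sanitizes on every path.

```javascript
// Added example: a simplified model of the paste-handling logic described in
// the report above, NOT VisualEditor's own code. Names are illustrative
// assumptions; the real handler lives in ve.ce.Surface.js.

// The marker VE looks for in pasted HTML and the value it trusts, per the report.
const CLIPBOARD_KEY_ATTR = 'data-ve-clipboard-key';
const TRUSTED_KEY = 'useClipboardData-0';

// Minimal sanitizer for the demo: strips inline event handlers (on*=...) and
// javascript: URLs. It is NOT a substitute for a real HTML sanitizer; it exists
// only so the example runs offline in Node without a DOM.
function demoSanitize(html) {
  return html
    .replace(/\s+on[a-z]+\s*=\s*("[^"]*"|'[^']*'|[^\s>]+)/gi, '')
    .replace(/(href|src)\s*=\s*("|')?\s*javascript:[^"'>\s]*("|')?/gi, '$1=""');
}

// Extract the clipboard key the way the report describes: from an attribute on
// an element inside the pasted markup. Anyone who controls the clipboard
// controls this value.
function extractClipboardKey(html) {
  const re = new RegExp(CLIPBOARD_KEY_ATTR + '\\s*=\\s*"([^"]*)"', 'i');
  const m = html.match(re);
  return m ? m[1] : null;
}

// Vulnerable flow (the bug as reported): when the marker matches, the handler
// treats the raw clipboard markup as trusted and skips sanitization.
function handlePasteVulnerable(pastedHtml) {
  const clipboardKey = extractClipboardKey(pastedHtml);
  if (clipboardKey === TRUSTED_KEY) {
    // Unsanitized path: attacker-supplied markup reaches the document.
    return { source: 'clipboardData', html: pastedHtml };
  }
  return { source: 'pasteTarget', html: demoSanitize(pastedHtml) };
}

// Hardened flow: the marker may still choose the richer data source, but the
// markup is sanitized regardless of which path is taken.
function handlePasteFixed(pastedHtml) {
  const clipboardKey = extractClipboardKey(pastedHtml);
  const source = clipboardKey === TRUSTED_KEY ? 'clipboardData' : 'pasteTarget';
  return { source: source, html: demoSanitize(pastedHtml) };
}

// Check used by the demo: does any inline event handler survive?
function containsEventHandler(html) {
  return /\son[a-z]+\s*=/i.test(html);
}

// Constructed payload mirroring the PoC snippet in the report.
const PAYLOAD =
  'Hello<div data-ve-clipboard-key="useClipboardData-0"><img src onerror="alert(1)">!';

const vuln = handlePasteVulnerable(PAYLOAD);
const fixed = handlePasteFixed(PAYLOAD);
console.log('vulnerable:', vuln.source, 'handler survives:', containsEventHandler(vuln.html));
console.log('fixed:     ', fixed.source, 'handler survives:', containsEventHandler(fixed.html));
```

The same payload without the marker takes the sanitized path even in the vulnerable handler, which is why the report's snippet needs the data-ve-clipboard-key element alongside the img tag.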

Event Timeline

sbassett moved this task from Backlog / Other to Other WMF team on the acl*security board.
sbassett added a project: Security-Team.
sbassett moved this task from Incoming to Watching on the Security-Team board.

@dchan - thanks for the patch, but could we work to get this merged and deployed soon? This is a security-protected task due to it being a live XSS on all of the projects. We'd typically post the patch on the task for a security-deploy and then backport and make it public.

Apologies @sbassett , I judged the patch wasn't particularly revealing but maybe that wasn't really my call. Given it's already up, should we now proceed as we would with a non-security-related UBN?

Jdforrester-WMF subscribed.

Now manually deployed to wmf.5 and wmf.8, and landed in master. Do we want to announce this, or just Resolve it publicly?

@Jdforrester-WMF, @dchan - Thanks for the quick action! I think we can make the task public and then resolve it tomorrow after the standard follow-up steps have been completed: backports and a CVE. I'll also track it here: T234983.

Update: I tried picking master to REL1_34 in gerrit and got a merge conflict. Not sure why - I'm not seeing any outstanding patches. And I'm not seeing any release branches for 1.31, 1.32 and 1.33. I see the various wmf/ branches for those releases in the repo, but not the REL1_xx branches to which we typically backport.

sbassett changed the visibility from "Custom Policy" to "Public (No Login Required)".Dec 3 2019, 2:18 AM


We ran into merge conflicts just cherry-picking to wmf.5; it seems very unlikely that you'll successfully pick back to REL1_34, let alone anything older.

Update: I've requested a CVE for this. I'll update the task title and T234983 once I have the ID. Regarding the backports, it would be nice to do those for 1.31-1.34, but if that's just not feasible, then it's probably not worth the effort. Has there been any effort to get those branches into better health?

Change 556295 had a related patch set uploaded (by Jforrester; owner: Divec):
[VisualEditor/VisualEditor@REL1_34] Sanitize HTML on paste

https://gerrit.wikimedia.org/r/556295

Change 556296 had a related patch set uploaded (by Jforrester; owner: Divec):
[VisualEditor/VisualEditor@REL1_33] Sanitize HTML on paste

https://gerrit.wikimedia.org/r/556296

sbassett renamed this task from XSS in Visual Editor via Copy&Paste to XSS in Visual Editor via Copy&Paste (CVE-2019-19708).Dec 11 2019, 2:59 PM

Change 556296 merged by jenkins-bot:
[VisualEditor/VisualEditor@REL1_33] Sanitize HTML on paste

https://gerrit.wikimedia.org/r/556296

Change 557637 had a related patch set uploaded (by Jforrester; owner: Jforrester):
[mediawiki/extensions/VisualEditor@REL1_33] Update VE core submodule to REL1_33 HEAD (e665abb55)

https://gerrit.wikimedia.org/r/557637

Change 557637 merged by jenkins-bot:
[mediawiki/extensions/VisualEditor@REL1_33] Update VE core submodule to REL1_33 HEAD (e665abb55)

https://gerrit.wikimedia.org/r/557637

Change 556295 merged by jenkins-bot:
[VisualEditor/VisualEditor@REL1_34] Sanitize HTML on paste

https://gerrit.wikimedia.org/r/556295

Change 557882 had a related patch set uploaded (by Jforrester; owner: Jforrester):
[mediawiki/extensions/VisualEditor@REL1_34] Update VE core submodule to REL1_34 HEAD (a00498275)

https://gerrit.wikimedia.org/r/557882

Change 557882 merged by jenkins-bot:
[mediawiki/extensions/VisualEditor@REL1_34] Update VE core submodule to REL1_34 HEAD (a00498275)

https://gerrit.wikimedia.org/r/557882

OK, we've managed back-ports for REL1_33 and REL1_34; this is as good as we're going to manage, I'm afraid.


Sounds good, thanks for the extra (probably obnoxious) work here to get these done. 1.32 should be EOL'd in <= few weeks, so that just leaves 1.31, which is LTS until the middle of 2021. I'll add a special note about that when I send out T234983.