Page MenuHomePhabricator
Create Task
Maniphest T245850

Invoking any namespaced page with {{#widget:}} will run the page's contents as a widget; even if the page is not in Widget namespace (CVE-2020-9382)
Closed, ResolvedPublicSecurity
Actions

Description

Author Affiliation: Fandom(Wikia, Gamepedia)

This issue occurs since user input is passed to a function not safe for user input.

https://gerrit.wikimedia.org/r/#/c/mediawiki/extensions/Widgets/+/574041/

https://gitlab.com/hydrawiki/third-party-extensions/issues/103

The {{#widget:}} tag can invoke non-widget pages (aside from mainspace pages) by simply invoking the full page name with the widget tag e.g. {{#widget:Template:Page name}}, which can allow any user to run style and script tags on any page.
Example provided by Dragalia Lost admins:

https://dragalialost.gamepedia.com/Test2

https://dragalialost.gamepedia.com/Template:Test2/css

Details

Author Affiliation
Other (Please specify in description)

Related Objects
Search...

Event Timeline

Alexia created this task.Feb 21 2020, 5:40 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptFeb 21 2020, 5:40 PM
Aklapper added a project: MediaWiki-General.Feb 21 2020, 11:16 PM
chasemp triaged this task as Medium priority.Feb 24 2020, 4:09 PM
Alexia closed this task as Resolved.Feb 24 2020, 4:13 PM
Alexia claimed this task.

This has been merged.

https://github.com/wikimedia/mediawiki-extensions-Widgets/blob/master/WidgetRenderer.php#L162

sbassett reopened this task as Open.Feb 24 2020, 4:18 PM
sbassett removed Alexia as the assignee of this task.
sbassett edited projects, added MediaWiki-extensions-Widgets; removed Security-Team.
sbassett added subscribers: siebrand, Reedy.
sbassett closed this task as Resolved.EditedFeb 24 2020, 4:26 PM
sbassett assigned this task to Alexia.
sbassett subscribed.

Whoops, I think this task was being edited as the Security-Team was reviewing it :) Did the above commit get deployed to any relevant wikis (I know ext:Widget isn't part of WMF production)? That should probably happen soon since the patch for master is public. We should also try to backport this to supported release branches.

Alexia added a comment.Feb 24 2020, 4:28 PM
In T245850#5912492, @sbassett wrote:

Whoops, I think this task was being edited as the Security-Team was reviewing it :) Did the above commit get deployed to any relevant wikis (I know ext:Widget isn't part of WMF production)? That should probably happen soon since the patch for master is public. We should also try to backport this to supported release branches.

Yes, this patch is out to all gamepedia.com, wikia.org, and fandom.com wikis. I looked over WMF wikis and as far as I can tell WMF does not use Widgets.

sbassett changed the visibility from "Custom Policy" to "Public (No Login Required)".Feb 24 2020, 8:54 PM
Restricted Application added a subscriber: Liuxinyu970226. · View Herald TranscriptFeb 24 2020, 8:54 PM
sbassett added a comment.Feb 24 2020, 9:01 PM

Backports:

Also added to T240400 for tracking and will request a CVE.

sbassett mentioned this in T240400: Write and send supplementary release announcement for extensions and skins with security patches (MediaWiki 1.31.7/1.33.3/1.34.1).Feb 24 2020, 9:03 PM
Alexia updated the task description. (Show Details)Feb 24 2020, 9:24 PM
sbassett renamed this task from Invoking any namespaced page with {{#widget:}} will run the page's contents as a widget; even if the page is not in Widget namespace. to Invoking any namespaced page with {{#widget:}} will run the page's contents as a widget; even if the page is not in Widget namespace (CVE-2020-9382).Feb 24 2020, 10:19 PM
Bawolff subscribed.Feb 25 2020, 12:00 AM

The {{#widget:}} tag can invoke non-widget pages (aside from mainspace pages) by simply invoking the full page name with the widget tag e.g. {{#widget:Template:Page name}}, which can allow any user to run style and script tags on any page.

Just as a point of note, you can do mainspace pages by doubling the colon.

Bawolff added a comment.Feb 25 2020, 12:03 AM

This is a super commonly used extension in third party wikis. I think an email to mediawiki-l encouraging people to update might be a good idea.

Kghbln subscribed.Feb 25 2020, 10:12 AM

Since this is a versioned extension @Yaron_Koren may additionally want to release and tag a new version to make the need to upgrade visible even more.

sbassett added a comment.Feb 25 2020, 4:28 PM
In T245850#5914122, @Bawolff wrote:

This is a super commonly used extension in third party wikis. I think an email to mediawiki-l encouraging people to update might be a good idea.

So we've tried to be a little better about this sort of information dispersal by adding tasks like T240400 to the release process, the end result being quarterly-ish emails to relevant mailing lists (1, 2, etc). We can certainly send out something to that effect sooner (like today or tomorrow), focused on this specific issue, if you feel that is warranted.

sbassett added a parent task: T240400: Write and send supplementary release announcement for extensions and skins with security patches (MediaWiki 1.31.7/1.33.3/1.34.1).Mar 10 2020, 2:15 PM
DannyS712 subscribed.Mar 26 2020, 5:51 PM
Ernstkm subscribed.May 26 2020, 10:55 PM
Skizzerz mentioned this in T269718: RCE in Widgets extension (CVE-2020-35625).Dec 11 2020, 6:07 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits