Page MenuHomePhabricator

makeCollapsible allows applying event handler to any CSS selector (CVE-2020-10960)
Closed, ResolvedPublicSecurity

Description

The code <span class="mw-collapsible" id="mw-customcollapsible-x,body">a</span>, when placed on a wiki page, causes the body element to undergo several changes: It has the mw-customtoggle class and tabindex=0 applied to it, along with several event handlers being attached which collapse or expand a particular element (many of these handlers suppressing normal behaviour). The "body" can be replaced with any CSS selector, including, for example "*", which will then have the effects apply to all elements matching the selector.

The source of this is presumably https://phabricator.wikimedia.org/source/mediawiki/browse/master/resources/src/jquery/jquery.makeCollapsible.js$246

(I don't think this bug matters much on its own, but I'm a bit concerned about what bugs this could be combined with to open up some worrisome possibilities. Sorry if this isn't the kind of thing that should be labelled a security issue, I'm not sure what the boundaries are.)

Event Timeline

Yair_rand created this task.Mar 2 2020, 3:28 AM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptMar 2 2020, 3:28 AM

Thanks for reporting this. You can use security issues for anything even slightly concerning that you don't want to make public.

Note that you need to use $wgFragmentMode = [ 'html5', 'legacy' ]; (or similar) to reproduce this, by default MediaWiki escapes ID attributes in a manner that breaks this. We use this config on Wikimedia sites though.

I don't think this can result in anything really scary like an XSS problem. It allows the content of the page to affect the MediaWiki interface, which is bad since it can often interfere with the admins' ability to revert the edit or delete the page, but in this case I couldn't find a way to do anything other than make clicks anywhere on the page hide/show a part of the content. We just got lucky though.

Potential fix is to use $.escapeSelector:

chasemp assigned this task to sbassett.Mar 2 2020, 4:36 PM
chasemp triaged this task as Low priority.
chasemp moved this task from Incoming to In Progress on the Security-Team board.

Note that you need to use $wgFragmentMode = [ 'html5', 'legacy' ]; (or similar) to reproduce this, by default MediaWiki escapes ID attributes in a manner that breaks this. We use this config on Wikimedia sites though.

It wasn't immediately clear to me, but the order of the array values appears to matter. When $wgFragmentMode is set to [ 'legacy', 'html5' ] (its default), it defangs the bad id whereas setting it to [ 'html5', 'legacy' ] or [ 'html5' ] does not.

I don't think this can result in anything really scary like an XSS problem. It allows the content of the page to affect the MediaWiki interface, which is bad since it can often interfere with the admins' ability to revert the edit or delete the page, but in this case I couldn't find a way to do anything other than make clicks anywhere on the page hide/show a part of the content. We just got lucky though.

Potential fix is to use $.escapeSelector:

I'd agree that this would likely be difficult to exploit in any serious way, though we did just have a different UI issue with security implications (T232932). Patch looks good and tests fine. I think I'm going to deploy it now during the remainder of the weekly security deployment window.

Deployed to wmf.21. Seems fine on testwiki.

Reedy closed this task as Resolved.Mar 24 2020, 5:13 PM
Reedy added a subscriber: Reedy.

Patch applies cleanly to master, REL1_34, REL1_33 and REL1_31. Closing as release is coming this week

sbassett renamed this task from makeCollapsible allows applying event handler to any CSS selector to makeCollapsible allows applying event handler to any CSS selector (CVE-2020-10960).Mar 26 2020, 3:40 AM
Reedy changed the visibility from "Custom Policy" to "Public (No Login Required)".Mar 26 2020, 5:42 PM

Change 583697 merged by jenkins-bot:
[mediawiki/core@REL1_31] SECURITY: jquery.makeCollapsible: Escape user-generated CSS selectors

https://gerrit.wikimedia.org/r/583697

Change 583700 merged by jenkins-bot:
[mediawiki/core@REL1_33] SECURITY: jquery.makeCollapsible: Escape user-generated CSS selectors

https://gerrit.wikimedia.org/r/583700

Change 583703 merged by jenkins-bot:
[mediawiki/core@REL1_34] SECURITY: jquery.makeCollapsible: Escape user-generated CSS selectors

https://gerrit.wikimedia.org/r/583703

Change 583708 merged by jenkins-bot:
[mediawiki/core@master] SECURITY: jquery.makeCollapsible: Escape user-generated CSS selectors

https://gerrit.wikimedia.org/r/583708