Page MenuHomePhabricator
Create Task
Maniphest T247747

mobile-apps XSS when using api/rest_v1/page/mobile-html on zh wiki, with id attribute in header
Closed, ResolvedPublicSecurity
Actions

Description

The mobile-html api endpoint does not properly escape the id attribute of heading when used on zh language projects (zh uses a different code path than other languages)

As an example, see look at the id attribute on the <h2> on https://zh.wikipedia.org/api/rest_v1/page/mobile-html/User:Bawolff%2Fsandbox [I made this look non-suspicious since its public].

PoC code

=="onmouseover="alert(document.domain)==

Issue is createHeadingHTML (in mobileapps/lib/mobile/MobileViewHTML.js) has code like:

return `<h${level} id="${section.anchor}">${section.line}</h${level}>`;

where section.anchor is defined as sectionObj.anchor = node.getAttribute('id'); which is unescaped. Parts of the rest of the section handling code also look suspicious, especially the function appendSectionText and how it mixes HTML and textnodes.

Details

Author Affiliation
WMF Technology Dept

Event Timeline

Bawolff created this task.Mar 16 2020, 11:22 AM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptMar 16 2020, 11:22 AM
Bawolff added a project: Page Content Service.Mar 16 2020, 11:22 AM
Restricted Application added a project: Product-Infrastructure-Team-Backlog-Deprecated. · View Herald TranscriptMar 16 2020, 11:22 AM
Bawolff added a comment.Mar 16 2020, 11:26 AM

p.s., there is a code comment /* DOM sink status: safe - content from parsoid output */. The reason that this is unsafe despite coming from a safe source, is the current code is taking the safe HTML, extracting parts as non-html text, and then inserting it into the document as html. As a result, html escaping is still needed.

sbassett added a project: Vuln-XSS.Mar 17 2020, 2:17 AM
dr0ptp4kt subscribed.Mar 18 2020, 3:57 PM
Reedy triaged this task as Medium priority.Mar 18 2020, 4:12 PM
Reedy moved this task from Incoming to Watching on the Security-Team board.
dr0ptp4kt raised the priority of this task from Medium to High.Mar 18 2020, 4:32 PM
dr0ptp4kt added subscribers: LGoto, Jhernandez, JoeWalsh and 4 others.
LGoto edited projects, added Product-Infrastructure-Team-Backlog-Deprecated (Kanban); removed Product-Infrastructure-Team-Backlog-Deprecated.Mar 18 2020, 4:35 PM
dr0ptp4kt added a comment.Mar 18 2020, 5:45 PM

Just wanted to acknowledge we've seen this and it's being prioritized at High for now. @Bawolff we'll do some technical investigation but what are the exploitable environments from what you see? Browsers, WebView components, both?

Bawolff added a comment.EditedMar 18 2020, 7:24 PM

The web browser was what i was primarily think of, because its in the same domain as wikipedia, so you could use it to take over accounts (on any language since all the projects are connected) [the PoC i made above requires user interaction but you should be able to do it without user interaction beyond loading the page, as < is allowed in id attributes]. Just trick a user into viewing that link, or have your third party attack website open it in iframe/popup/etc

The web view is probably also exploitable. I'm not very familar with the apps, so im less sure what sort of risk that is. I imagine its similar to the desktop case.

JoeWalsh claimed this task.Mar 18 2020, 7:56 PM
JoeWalsh moved this task from To Do to Code Review on the Product-Infrastructure-Team-Backlog-Deprecated (Kanban) board.
MSantos moved this task from Code Review to To Deploy on the Product-Infrastructure-Team-Backlog-Deprecated (Kanban) board.Mar 23 2020, 9:09 PM
Jhernandez unsubscribed.Apr 2 2020, 6:46 PM
bearND added a comment.Apr 3 2020, 7:27 PM

Gerrit patch: https://gerrit.wikimedia.org/r/c/mediawiki/services/mobileapps/+/581071

bearND closed this task as Resolved.Apr 3 2020, 7:27 PM
bearND moved this task from To Deploy to Sign off on the Product-Infrastructure-Team-Backlog-Deprecated (Kanban) board.
sbassett subscribed.Apr 8 2020, 1:58 AM

@bearND - I assume the gerrit change set above was deployed. If you could just confirm that, I'll make this task public. Thanks.

bearND added a comment.Apr 8 2020, 3:51 AM

@sbassett Yes, this has been deployed to production.

sbassett changed the visibility from "Custom Policy" to "Public (No Login Required)".Apr 10 2020, 2:09 AM
Restricted Application added a subscriber: Stang. · View Herald TranscriptApr 10 2020, 2:09 AM
sbassett moved this task from Watching to Our Part Is Done on the Security-Team board.Apr 10 2020, 2:10 AM
Stang unsubscribed.Nov 13 2021, 8:42 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits