Page MenuHomePhabricator

mobile-apps XSS when using api/rest_v1/page/mobile-html on zh wiki, with id attribute in header
Closed, ResolvedPublicSecurity


The mobile-html api endpoint does not properly escape the id attribute of heading when used on zh language projects (zh uses a different code path than other languages)

As an example, see look at the id attribute on the <h2> on [I made this look non-suspicious since its public].

PoC code


Issue is createHeadingHTML (in mobileapps/lib/mobile/MobileViewHTML.js) has code like:

return `<h${level} id="${section.anchor}">${section.line}</h${level}>`;

where section.anchor is defined as sectionObj.anchor = node.getAttribute('id'); which is unescaped. Parts of the rest of the section handling code also look suspicious, especially the function appendSectionText and how it mixes HTML and textnodes.


Author Affiliation
WMF Technology Dept

Event Timeline

p.s., there is a code comment /* DOM sink status: safe - content from parsoid output */. The reason that this is unsafe despite coming from a safe source, is the current code is taking the safe HTML, extracting parts as non-html text, and then inserting it into the document as html. As a result, html escaping is still needed.

Reedy triaged this task as Medium priority.Mar 18 2020, 4:12 PM
Reedy moved this task from Incoming to Watching on the Security-Team board.
dr0ptp4kt raised the priority of this task from Medium to High.Mar 18 2020, 4:32 PM
dr0ptp4kt added subscribers: LGoto, Jhernandez, JoeWalsh and 4 others.

Just wanted to acknowledge we've seen this and it's being prioritized at High for now. @Bawolff we'll do some technical investigation but what are the exploitable environments from what you see? Browsers, WebView components, both?

The web browser was what i was primarily think of, because its in the same domain as wikipedia, so you could use it to take over accounts (on any language since all the projects are connected) [the PoC i made above requires user interaction but you should be able to do it without user interaction beyond loading the page, as < is allowed in id attributes]. Just trick a user into viewing that link, or have your third party attack website open it in iframe/popup/etc

The web view is probably also exploitable. I'm not very familar with the apps, so im less sure what sort of risk that is. I imagine its similar to the desktop case.

@bearND - I assume the gerrit change set above was deployed. If you could just confirm that, I'll make this task public. Thanks.

@sbassett Yes, this has been deployed to production.

sbassett changed the visibility from "Custom Policy" to "Public (No Login Required)".Apr 10 2020, 2:09 AM