
RandomGameUnit: Stored XSS (CVE-2020-27957)
Closed, ResolvedPublicSecurity

Description

Prerequisites: social tools setup (MW 1.34 with SocialProfile, and for this particular bug, also need PictureGame, PollNY, QuizGame and RandomGameUnit)

  1. Create a game (for example, a picture game via Special:PictureGameHome; but the bug also happens with PollNY polls and QuizGame quizzes since RandomGameUnit fails to properly escape titles/options for all three types of games)
  2. Have its title contain something like <script>alert('XSS')</script>
  3. Save the game to ensure that it's created (obviously!)
  4. When using RandomGameUnit, whether directly via adding the parser tag to a wiki page or as a more "fixed" part of the UI (e.g. in the Nimbus skin), note how the malicious code gets executed despite that it damn well shouldn't

This is somewhat of a continuation of the fixes done in fde2cd7a5e9b675e6c78003f47e21bd8634271f9 for PictureGame's own creation/editing form.

Event Timeline


Proposed and tested patch which adds relevant, missing htmlspecialchars() calls to all three callback functions to ensure that whatever is stored in the DB is properly sanitized before being sent back.
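To make the reported defect and the fix concrete, here is an added PHP example written for this page; it is not RandomGameUnit's code, nor the merged patch. The render functions, the `esc()` helper, the array field names and the sample row are all assumptions for illustration. The sample row stands in for a PictureGame/PollNY/QuizGame record read back from the DB whose title contains the markup from the reproduction steps above; the "unsafe" renderer concatenates it straight into HTML, the hardened one passes every DB-sourced string through `htmlspecialchars()` at output time, which is what the patch adds to the three callbacks.

```php
<?php
// Added example (not RandomGameUnit's own code). Names below are assumptions.

// Constructed sample row, as it might come back from the DB after a user
// saved a game with markup in the title and in one answer option.
$row = [
    'title'   => "<script>alert('XSS')</script>",
    'options' => ['Yes', 'No <b>really</b>'],
];

// Vulnerable form (the 'before' of the fix): stored strings are concatenated
// directly into the HTML fragment, so saved markup is handed to the browser
// as markup instead of as text.
function renderGameUnsafe(array $row): string {
    $html = '<div class="random-game">';
    $html .= '<h3>' . $row['title'] . '</h3>';
    foreach ($row['options'] as $option) {
        $html .= '<span class="option">' . $option . '</span>';
    }
    return $html . '</div>';
}

// Hardened form: every user-generated value is escaped at output time.
// ENT_QUOTES escapes both ' and " so the value is also safe inside an
// attribute; passing the charset explicitly avoids mis-decoding.
function esc(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
}

function renderGameSafe(array $row): string {
    $html = '<div class="random-game">';
    $html .= '<h3>' . esc($row['title']) . '</h3>';
    foreach ($row['options'] as $option) {
        $html .= '<span class="option">' . esc($option) . '</span>';
    }
    return $html . '</div>';
}

// Regression check usable in a unit test: the rendered fragment must not
// contain any user-supplied value verbatim, because verbatim means unescaped.
function leaksRawMarkup(string $html, array $row): bool {
    $values = array_merge([$row['title']], $row['options']);
    foreach ($values as $value) {
        if ($value !== strip_tags($value) && strpos($html, $value) !== false) {
            return true;
        }
    }
    return false;
}

$unsafe = renderGameUnsafe($row);
$safe   = renderGameSafe($row);

echo 'unsafe renderer leaks markup: ' . var_export(leaksRawMarkup($unsafe, $row), true) . "\n";
echo 'safe renderer leaks markup:   ' . var_export(leaksRawMarkup($safe, $row), true) . "\n";
echo $safe . "\n";
```

The check only flags values that actually contain tags, so an ordinary title such as "Yes" is not reported as a leak. The important design point is the one the merged change makes: escaping belongs at the point where a DB value is written into HTML, in every callback that does so, rather than relying on whichever form originally saved the record (the earlier PictureGame form fix did not protect data created through PollNY or QuizGame, or data inserted before that fix). In MediaWiki code the same effect is obtained by building the fragment with the `Html` class helpers, which escape element content and attribute values for you.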

ashley added a subscriber: Legoktm.

A slightly modified patch, with input from @Legoktm, was submitted and merged as 69bcc1ae9f8246f59b626d72348e11bd2ddb2231, which fixes this issue.

Legoktm changed the visibility from "Custom Policy" to "Public (No Login Required)".Oct 26 2020, 4:31 AM
Legoktm changed the edit policy from "Custom Policy" to "All Users".

Change 636484 had a related patch set uploaded (by SBassett; owner: SBassett):
[mediawiki/extensions/RandomGameUnit@REL1_35] [SECURITY] Run stored, user-generated input from DB through htmlspecialchars() to avoid stored XSS originating from PictureGame/PollNY/QuizGame data

https://gerrit.wikimedia.org/r/636484

Change 636488 had a related patch set uploaded (by SBassett; owner: SBassett):
[mediawiki/extensions/RandomGameUnit@REL1_34] [SECURITY] Run stored, user-generated input from DB through htmlspecialchars() to avoid stored XSS originating from PictureGame/PollNY/QuizGame data

https://gerrit.wikimedia.org/r/636488

Change 636489 had a related patch set uploaded (by SBassett; owner: SBassett):
[mediawiki/extensions/RandomGameUnit@REL1_31] [SECURITY] Run stored, user-generated input from DB through htmlspecialchars() to avoid stored XSS originating from PictureGame/PollNY/QuizGame data

https://gerrit.wikimedia.org/r/636489

sbassett renamed this task from RandomGameUnit: Stored XSS to RandomGameUnit: Stored XSS (CVE-2020-27957).Oct 28 2020, 7:35 PM

Change 636489 merged by jenkins-bot:
[mediawiki/extensions/RandomGameUnit@REL1_31] [SECURITY] Run stored, user-generated input from DB through htmlspecialchars() to avoid stored XSS originating from PictureGame/PollNY/QuizGame data

https://gerrit.wikimedia.org/r/636489

Change 636488 merged by Umherirrender:
[mediawiki/extensions/RandomGameUnit@REL1_34] [SECURITY] Run stored, user-generated input from DB through htmlspecialchars() to avoid stored XSS originating from PictureGame/PollNY/QuizGame data

https://gerrit.wikimedia.org/r/636488

Change 636484 merged by Umherirrender:
[mediawiki/extensions/RandomGameUnit@REL1_35] [SECURITY] Run stored, user-generated input from DB through htmlspecialchars() to avoid stored XSS originating from PictureGame/PollNY/QuizGame data

https://gerrit.wikimedia.org/r/636484