
Reflected XSS on archiva.wikimedia.org (due to Jetty, likely CVE-2019-10241)
Status: Closed, Resolved | Visibility: Public | Tags: Security

Description

A security researcher presenting themselves as "Ϡ" has reported to security@ a reflected XSS on archiva.wikimedia.org.

Steps to reproduce:

  1. Navigate to https://archiva.wikimedia.org/css/;%22%3E%3Csvg/onload=alert(document.domain)%3E

The payload - ;"><svg/onload=alert(document.domain)> - (and similar) appears to work under any random directory with what appears to be Jetty's default directory listing capabilities enabled. I'm wondering if that could simply be disabled?

cc: @Ottomata @elukey

Event Timeline

sbassett updated the task description.
sbassett added a project: Vuln-XSS.

Thanks a lot for the ping, just to understand the impact better: this is a simple XSS, right?

Joseph created https://gerrit.wikimedia.org/r/656382 that should fix the problem, but we'd need a little time to test it in wmcs/cloud before applying (to avoid a manual production test on a Friday). If this is ok we'll try to fix the problem before EOD or Monday maximum, otherwise if the impact is more severe we'll try to speed up. Let me know :)

Applied the patch provided by Joseph manually on archiva, it seems to be working fine, the XSS is not doable anymore.

sbassett assigned this task to elukey.
sbassett lowered the priority of this task from High to Low.
sbassett moved this task from Incoming to Our Part Is Done on the Security-Team board.


Thanks. I think we'd normally rate something like a reflected XSS as being a medium risk, being that it was vulnerable on a wikimedia.org domain. And then whichever team owned the system/code/whatever would assume that risk and work towards mitigation based upon our current risk management framework.

sbassett changed the visibility from "Custom Policy" to "Public (No Login Required)". Jan 15 2021, 4:01 PM
sbassett changed the edit policy from "Custom Policy" to "All Users".

I've also reported this issue upstream as I couldn't find any recent CVEs that seemed to match this specific vulnerability.

I opened https://github.com/apache/archiva/pull/61 before chatting with @sbassett, with a very generic commit that doesn't really mention XSS etc. (a follow-up via security etc. seemed a bit too much for this use case).

Update: as confirmed by @elukey and some upstream folks, the version of archiva we're using currently ships with a dated version of Jetty (8.1.14), which appears to be the actual source of the problem. The relevant upstream CVE for this particular Jetty issue is likely CVE-2019-10241.
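The following is an added example, not code from this task, from Archiva or from Jetty. It models the mechanism described in the report and in the update above: a directory-listing page that echoes the decoded request path into its HTML without escaping, so the string after the `;` (a servlet path parameter, which is why the request still resolves to the existing `/css/` directory) lands in the markup and closes the surrounding attribute and tag. It shows the vulnerable renderer beside an escaped one, the remediation the task actually applied (refusing to serve listings at all, which in Jetty's DefaultServlet is the `dirAllowed` init-param), and the check a reporter or operator would run to confirm the fix. The listing template, the `serve` handler and the directory contents are constructed for the example and are not Jetty's real output.

```python
import html
from urllib.parse import unquote

# Constructed sample input: the URL path from the report, percent-decoded as a
# servlet container would before reflecting it. The leading ';' starts a path
# parameter, so the directory part still resolves to /css/ while the remainder
# of the string is carried along and echoed into the listing.
REPORTED_URL_PATH = "/css/;%22%3E%3Csvg/onload=alert(document.domain)%3E"
DECODED_PATH = unquote(REPORTED_URL_PATH)
PAYLOAD = ';"><svg/onload=alert(document.domain)>'

# Constructed directory contents (not real archiva.wikimedia.org content).
FAKE_ENTRIES = ["style.css", "print.css"]


def render_listing_vulnerable(request_path, entries):
    """Assumed listing template that reflects the decoded path verbatim (the bug).

    The path lands inside a title and inside href="..." attributes, so a '"'
    closes the attribute and a '>' closes the tag; everything after that is
    parsed as new markup.
    """
    base = request_path.rstrip("/")
    rows = "".join(f'<li><a href="{base}/{e}">{e}</a></li>' for e in entries)
    return (
        f"<html><head><title>Directory: {request_path}</title></head>"
        f"<body><ul>{rows}</ul></body></html>"
    )


def render_listing_escaped(request_path, entries):
    """Same template with every reflected value HTML-escaped (one possible fix).

    quote=True is required because the path is reflected inside an attribute,
    where an unescaped '"' alone is enough to break out.
    """
    safe_path = html.escape(request_path, quote=True)
    base = safe_path.rstrip("/")
    rows = "".join(
        f'<li><a href="{base}/{html.escape(e, quote=True)}">{html.escape(e)}</a></li>'
        for e in entries
    )
    return (
        f"<html><head><title>Directory: {safe_path}</title></head>"
        f"<body><ul>{rows}</ul></body></html>"
    )


def serve(request_path, dir_allowed=True, escape_output=False):
    """Assumed minimal handler for a directory request: returns (status, body).

    dir_allowed=False models the remediation the task applied (no listing is
    generated at all, so nothing attacker-controlled is reflected), which is
    what Jetty's DefaultServlet dirAllowed init-param controls.
    """
    if not dir_allowed:
        return 403, "Forbidden"
    renderer = render_listing_escaped if escape_output else render_listing_vulnerable
    return 200, renderer(request_path, FAKE_ENTRIES)


def reflects_raw(body, payload=PAYLOAD):
    """Verification check: True when the payload appears unencoded in the response.

    An escaped response contains &quot;&gt;&lt;svg... instead, and a 403 from
    a listing-disabled server contains neither.
    """
    return payload in body


if __name__ == "__main__":
    for label, kwargs in [
        ("directory listing on, unescaped", {}),
        ("directory listing on, escaped", {"escape_output": True}),
        ("directory listing off (the task's fix)", {"dir_allowed": False}),
    ]:
        status, body = serve(DECODED_PATH, **kwargs)
        print(f"{label}: HTTP {status}, payload reflected raw = {reflects_raw(body)}")
```

Against a live host the same `reflects_raw` test is the one-line confirmation to run after a config change: request the reported URL and check that the decoded payload does not appear verbatim in the body. Disabling listings is the more robust fix, since it removes the reflection point entirely rather than relying on every template string being escaped correctly.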

Change 656448 had a related patch set uploaded (by Elukey; owner: Luca Toscano):
[operations/debs/archiva@debian] Disable directory listing in Jetty

https://gerrit.wikimedia.org/r/656448

The upstream patch https://github.com/apache/archiva/pull/61 was merged, I'll proceed then with https://gerrit.wikimedia.org/r/656448 to rebuild our own archiva version (the patch will be kept until we'll migrate to a new archiva version).

Change 656448 merged by Elukey:
[operations/debs/archiva@debian] Disable directory listing in Jetty

https://gerrit.wikimedia.org/r/656448

Mentioned in SAL (#wikimedia-operations) [2021-01-18T08:13:52Z] <elukey> clean up old archiva debs and upload 2.2.4-3 to buster-wikimedia - T272082

Aklapper renamed this task from "Reflected XSS on archiva.wikimedia.org" to "Reflected XSS on archiva.wikimedia.org (due to Jetty, likely CVE-2019-10241)". Jan 18 2021, 5:38 PM

Change 669970 had a related patch set uploaded (by SBassett; owner: SBassett):
[wikimedia/security/landing-page@master] Add surg4bij4k to security-team hall of fame

https://gerrit.wikimedia.org/r/669970

BTW, where can I find more info about WMF Archiva? Also, maybe this service deserves a dedicated Phab tag.

Change 669970 merged by jenkins-bot:
[wikimedia/security/landing-page@master] Add surg4bij4k to security-team hall of fame

https://gerrit.wikimedia.org/r/669970

Change 672756 had a related patch set uploaded (by SBassett; owner: SBassett):
[wikimedia/security/landing-page@master] Add surg4bij4k to security-team hall of fame

https://gerrit.wikimedia.org/r/672756

Change 672756 merged by jenkins-bot:
[wikimedia/security/landing-page@master] Add surg4bij4k to security-team hall of fame

https://gerrit.wikimedia.org/r/672756