A security researcher presenting themselves as "Ϡ" has reported to security@ a reflected XSS upon archiva.wikimedia.org.
Steps to reproduce:
The payload - ;"><svg/onload=alert(document.domain)> - (and similar) appears to work under any random directory with what appears to be Jetty's default directory listing capabilities enabled. I'm wondering if that could simply be disabled?
Thanks a lot for the ping, just to understand the impact better: this is a simple XSS right?
Joseph created https://gerrit.wikimedia.org/r/656382 that should fix the problem, but we'd need a little time to test it in wmcs/cloud before applying (to avoid a manual production test on a Friday). If this is ok we'll try to fix the problem before EOD or Monday maximum, otherwise if the impact is more severe we'll try to speed up. Let me know :)
Applied the patch provided by Joseph manually on archiva, it seems to be working fine, the XSS is not doable anymore.
Thanks. I think we'd normally rate something like a reflected XSS as being a medium risk, being that it was vulnerable on a wikimedia.org domain. And then whichever team owned the system/code/whatever would assume that risk and work towards mitigation based upon our current risk management framework.
I've also reported this issue upstream as I couldn't find any recent CVEs that seemed to match this specific vulnerability.
I opened https://github.com/apache/archiva/pull/61 before chatting with @sbassett, with a very generic commit that doesn't really mention XSS etc.. (a follow up via security etc.. seemed a bit too much for this use case).
Update: as confirmed by @elukey and some upstream folks, the version of archiva we're using currently ships with a dated version of Jetty (8.1.14), which appears to be the actual source of the problem. The relevant upstream CVE for this particular Jetty issue is likely CVE-2019-10241.
Change 656448 had a related patch set uploaded (by Elukey; owner: Luca Toscano):
[operations/debs/archiva@debian] Disable directory listing in Jetty
The upstream patch https://github.com/apache/archiva/pull/61 was merged, I'll proceed then with https://gerrit.wikimedia.org/r/656448 to rebuild our own archiva version (the patch will be kept until we'll migrate to a new archiva version).
Change 656448 merged by Elukey:
[operations/debs/archiva@debian] Disable directory listing in Jetty
Mentioned in SAL (#wikimedia-operations) [2021-01-18T08:13:52Z] <elukey> clean up old archiva debs and upload 2.2.4-3 to buster-wikimedia - T272082
Change 669970 had a related patch set uploaded (by SBassett; owner: SBassett):
[wikimedia/security/landing-page@master] Add surg4bij4k to security-team hall of fame
BTW where I can find more info about WMF Archiva? Also, maybe this service deserves a dedicated Phab Tag.
Change 669970 merged by jenkins-bot:
[wikimedia/security/landing-page@master] Add surg4bij4k to security-team hall of fame
Change 672756 had a related patch set uploaded (by SBassett; owner: SBassett):
[wikimedia/security/landing-page@master] Add surg4bij4k to security-team hall of fame
Change 672756 merged by jenkins-bot:
[wikimedia/security/landing-page@master] Add surg4bij4k to security-team hall of fame