Page MenuHomePhabricator
Create Task
Maniphest T278058

CVE-2021-30157: Unescaped messages used in HTML on ChangesList pages (e.g. RecentChanges and Watchlist)
Closed, ResolvedPublicSecurity
Actions

Description

On ChangesList special pages like Special:RecentChanges and Special:Watchlist, some of the rcfilters-filter-* label messages are output in HTML unescaped.

Steps to reproduce:

  1. Edit one of the rcfilters-filter-*-label messages (e.g. edit MediaWiki:Rcfilters-filter-humans-label) and add a simple XSS string like <img src=x onerror=alert(document.domain)>
  2. Visit Special:RecentChanges and see the JavaScript executed (depending on which label you chose in step 1, you may need to select that filter in the interface or URL param first)

RecentChangesXSS.png (391×929 px, 75 KB)

This happens because the label is being added by JS using append in this case, when the message itself is unescaped plain text. This appears to have been the case since https://phabricator.wikimedia.org/rMWd0339e8741fb0a8361aed563b92f3fd36fdb3f7b where the label was previously always wrapped in mw.html.escape but afterwards was output raw if there isn't a wrapping label message.

It's relatively low risk given it's admin-only, but filing as a private issue similar to T256171, T255918, and T278014.

Details

SubjectRepoBranchLines +/-
Escape rcfilters-filter-* messages on ChangesList pagesmediawiki/coreREL1_31+1 -1
Escape rcfilters-filter-* messages on ChangesList pagesmediawiki/coreREL1_35+1 -1
Escape rcfilters-filter-* messages on ChangesList pagesmediawiki/coremaster+1 -1
Customize query in gerrit

Related Objects
Search...

Event Timeline

Grunny created this task.Mar 21 2021, 6:00 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptMar 21 2021, 6:00 PM
Grunny added a parent task: T2212: Some MediaWiki: messages not safe in HTML (tracking).Mar 21 2021, 6:01 PM
Grunny added projects: Vuln-XSS, MediaWiki-Special-pages.
Grunny added a comment.Mar 21 2021, 6:06 PM

Proposed patch:

T278058.patch1 KBDownload

From 60be0e4cdf37fce9a83d9df0bd1497107bc5f940 Mon Sep 17 00:00:00 2001
From: grunny <mwgrunny@gmail.com>
Date: Sun, 21 Mar 2021 14:35:58 +1000
Subject: [PATCH] Escape rcfilters-filter-* messages on ChangesList pages

The rcfilters-filter-*-label messages are output as raw HTML on
ChangesList pages like RecentChanges and Watchlist. If there is
a wrapping label message, the label is properly escaped, but
when there is not, it is appended as raw HTML. This escapes the
label at output by switching to .text().

Change-Id: I7106aedced51343439fc54d5bb91620d8a0362f9
---
 resources/src/mediawiki.rcfilters/ui/TagItemWidget.js | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/resources/src/mediawiki.rcfilters/ui/TagItemWidget.js b/resources/src/mediawiki.rcfilters/ui/TagItemWidget.js
index 5d45d18..ba7b920 100644
--- a/resources/src/mediawiki.rcfilters/ui/TagItemWidget.js
+++ b/resources/src/mediawiki.rcfilters/ui/TagItemWidget.js
@@ -94,7 +94,7 @@ TagItemWidget.prototype.updateUiBasedOnState = function () {
 		).contents() );
 	} else {
 		this.setLabel(
-			$( '<bdi>' ).append(
+			$( '<bdi>' ).text(
 				this.itemModel.getLabel()
 			)
 		);
-- 
2.7.4
Legoktm added a subscriber: Catrope.Mar 22 2021, 6:31 AM
Reedy added projects: MW-1.31-release, MW-1.35-release.Mar 22 2021, 3:14 PM
sbassett subscribed.Mar 22 2021, 3:36 PM

Thanks again for the report and patch. Making this public and pushing through gerrit as low-risk.

sbassett triaged this task as Low priority.Mar 22 2021, 3:36 PM
sbassett added a project: SecTeam-Processed.
sbassett changed the visibility from "Custom Policy" to "Public (No Login Required)".
sbassett changed the edit policy from "Custom Policy" to "All Users".
sbassett moved this task from Incoming to In Progress on the Security-Team board.
RhinosF1 subscribed.Mar 22 2021, 3:37 PM
gerritbot added a comment.Mar 22 2021, 3:39 PM

Change 674085 had a related patch set uploaded (by SBassett; owner: Grunny):
[mediawiki/core@master] Escape rcfilters-filter-* messages on ChangesList pages

https://gerrit.wikimedia.org/r/674085

gerritbot added a project: Patch-For-Review.Mar 22 2021, 3:39 PM
gerritbot added a comment.Mar 22 2021, 7:18 PM

Change 674085 merged by jenkins-bot:
[mediawiki/core@master] Escape rcfilters-filter-* messages on ChangesList pages

https://gerrit.wikimedia.org/r/674085

gerritbot added a comment.Mar 22 2021, 7:49 PM

Change 674108 had a related patch set uploaded (by SBassett; owner: Grunny):
[mediawiki/core@REL1_35] Escape rcfilters-filter-* messages on ChangesList pages

https://gerrit.wikimedia.org/r/674108

ReleaseTaggerBot added a project: MW-1.36-notes (1.36.0-wmf.36; 2021-03-23).Mar 22 2021, 8:00 PM
gerritbot added a comment.Mar 22 2021, 8:12 PM

Change 674108 merged by jenkins-bot:
[mediawiki/core@REL1_35] Escape rcfilters-filter-* messages on ChangesList pages

https://gerrit.wikimedia.org/r/674108

gerritbot added a comment.Mar 22 2021, 8:21 PM

Change 674110 had a related patch set uploaded (by Reedy; owner: Grunny):
[mediawiki/core@REL1_31] Escape rcfilters-filter-* messages on ChangesList pages

https://gerrit.wikimedia.org/r/674110

ReleaseTaggerBot added a project: MW-1.35-notes.Mar 22 2021, 9:00 PM
gerritbot added a comment.Mar 23 2021, 6:38 PM

Change 674110 merged by jenkins-bot:
[mediawiki/core@REL1_31] Escape rcfilters-filter-* messages on ChangesList pages

https://gerrit.wikimedia.org/r/674110

ReleaseTaggerBot added a project: MW-1.31-release-notes.Mar 23 2021, 7:00 PM
Maintenance_bot removed a project: Patch-For-Review.Mar 23 2021, 7:11 PM
Reedy closed this task as Resolved.Mar 30 2021, 12:44 AM
Reedy assigned this task to Grunny.
Reedy added a parent task: T270459: Tracking bug for MediaWiki 1.31.13/1.35.2.
Reedy mentioned this in T270459: Tracking bug for MediaWiki 1.31.13/1.35.2.
Reedy renamed this task from Unescaped messages used in HTML on ChangesList pages (e.g. RecentChanges and Watchlist) to CVE-2021-30157: Unescaped messages used in HTML on ChangesList pages (e.g. RecentChanges and Watchlist).Apr 6 2021, 7:13 PM
Reedy added a subscriber: gerritbot.Apr 8 2021, 7:11 PM
matmarex mentioned this in T281595: XSSs from not escaping i18n messages in recent core patch.Apr 30 2021, 6:57 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL