Page MenuHomePhabricator

CVE-2021-30157: Unescaped messages used in HTML on ChangesList pages (e.g. RecentChanges and Watchlist)
Closed, ResolvedPublicSecurity

Description

On ChangesList special pages like Special:RecentChanges and Special:Watchlist, some of the rcfilters-filter-* label messages are output in HTML unescaped.

Steps to reproduce:

  1. Edit one of the rcfilters-filter-*-label messages (e.g. edit MediaWiki:Rcfilters-filter-humans-label) and add a simple XSS string like <img src=x onerror=alert(document.domain)>
  2. Visit Special:RecentChanges and see the JavaScript executed (depending on which label you chose in step 1, you may need to select that filter in the interface or URL param first)

This happens because the label is being added by JS using append in this case, when the message itself is unescaped plain text. This appears to have been the case since https://phabricator.wikimedia.org/rMWd0339e8741fb0a8361aed563b92f3fd36fdb3f7b where the label was previously always wrapped in mw.html.escape but afterwards was output raw if there isn't a wrapping label message.

It's relatively low risk given it's admin-only, but filing as a private issue similar to T256171, T255918, and T278014.

Event Timeline

Proposed patch:

From 60be0e4cdf37fce9a83d9df0bd1497107bc5f940 Mon Sep 17 00:00:00 2001
From: grunny <mwgrunny@gmail.com>
Date: Sun, 21 Mar 2021 14:35:58 +1000
Subject: [PATCH] Escape rcfilters-filter-* messages on ChangesList pages

The rcfilters-filter-*-label messages are output as raw HTML on
ChangesList pages like RecentChanges and Watchlist. If there is
a wrapping label message, the label is properly escaped, but
when there is not, it is appended as raw HTML. This escapes the
label at output by switching to .text().

Change-Id: I7106aedced51343439fc54d5bb91620d8a0362f9
---
 resources/src/mediawiki.rcfilters/ui/TagItemWidget.js | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/resources/src/mediawiki.rcfilters/ui/TagItemWidget.js b/resources/src/mediawiki.rcfilters/ui/TagItemWidget.js
index 5d45d18..ba7b920 100644
--- a/resources/src/mediawiki.rcfilters/ui/TagItemWidget.js
+++ b/resources/src/mediawiki.rcfilters/ui/TagItemWidget.js
@@ -94,7 +94,7 @@ TagItemWidget.prototype.updateUiBasedOnState = function () {
 		).contents() );
 	} else {
 		this.setLabel(
-			$( '<bdi>' ).append(
+			$( '<bdi>' ).text(
 				this.itemModel.getLabel()
 			)
 		);
-- 
2.7.4

Thanks again for the report and patch. Making this public and pushing through gerrit as low-risk.

sbassett added a project: SecTeam-Processed.
sbassett changed the visibility from "Custom Policy" to "Public (No Login Required)".
sbassett changed the edit policy from "Custom Policy" to "All Users".
sbassett moved this task from Incoming to In Progress on the Security-Team board.

Change 674085 had a related patch set uploaded (by SBassett; owner: Grunny):
[mediawiki/core@master] Escape rcfilters-filter-* messages on ChangesList pages

https://gerrit.wikimedia.org/r/674085

Change 674085 merged by jenkins-bot:
[mediawiki/core@master] Escape rcfilters-filter-* messages on ChangesList pages

https://gerrit.wikimedia.org/r/674085

Change 674108 had a related patch set uploaded (by SBassett; owner: Grunny):
[mediawiki/core@REL1_35] Escape rcfilters-filter-* messages on ChangesList pages

https://gerrit.wikimedia.org/r/674108

Change 674108 merged by jenkins-bot:
[mediawiki/core@REL1_35] Escape rcfilters-filter-* messages on ChangesList pages

https://gerrit.wikimedia.org/r/674108

Change 674110 had a related patch set uploaded (by Reedy; owner: Grunny):
[mediawiki/core@REL1_31] Escape rcfilters-filter-* messages on ChangesList pages

https://gerrit.wikimedia.org/r/674110

Change 674110 merged by jenkins-bot:
[mediawiki/core@REL1_31] Escape rcfilters-filter-* messages on ChangesList pages

https://gerrit.wikimedia.org/r/674110

Reedy renamed this task from Unescaped messages used in HTML on ChangesList pages (e.g. RecentChanges and Watchlist) to CVE-2021-30157: Unescaped messages used in HTML on ChangesList pages (e.g. RecentChanges and Watchlist).Tue, Apr 6, 7:13 PM