CVE-2021-41798: XSS vulnerability in Special:Search
Closed, ResolvedPublicSecurity
Actions

Assigned To

Authored By

	Zabe
	Jun 24 2021, 10:46 PM

Description

Steps to reproduce

Create some article Test.
Set MediaWiki:June to <img src=x onerror=alert(1)> (the month of the article creations needs to be choosen here).
Go to Special:Search and search for Test, so that the newly created article shows up.
Enjoy your alert box.

This is possible, because the date value is not being escaped.

$date = $this->specialPage->getLanguage()->userTimeAndDate(
	$result->getTimestamp(),
	$this->specialPage->getUser()
);

Details

Author Affiliation: Wikimedia Communities

Subject	Repo	Branch	Lines +/-
SECURITY: Pass escaped HTML to FullSearchResultWidget::buildMeta	mediawiki/core	master	+5 -3
SECURITY: Pass escaped HTML to FullSearchResultWidget::buildMeta	mediawiki/core	REL1_37	+5 -3
SECURITY: Pass escaped HTML to FullSearchResultWidget::buildMeta	mediawiki/core	REL1_36	+7 -4
SECURITY: Pass escaped HTML to FullSearchResultWidget::buildMeta	mediawiki/core	REL1_35	+6 -3
SECURITY: Pass escaped HTML to FullSearchResultWidget::buildMeta	mediawiki/core	REL1_31	+7 -3

Customize query in gerrit

Related Objects
Search...

Status	Subtype	Assigned	Task
Resolved		Reedy	T266419 Composer 2.0 updates and support
Resolved		Reedy	T266421 Rebuild mediawiki-vendor on composer 2.0
Resolved		Reedy	T275824 Bump wikimedia/composer-merge-plugin in vendor
Resolved		tstarling	T248908 composer-merge-plugin support for composer 2.0
			Restricted Task
Resolved		Jdforrester-WMF	T279857 Re-build CI containers with Composer 2.x
Resolved		Jdforrester-WMF	T281294 Drop CI for REL1_31 branch once it's EOL
Resolved		Aklapper	T230582 Archive Oracle Database project
Resolved		Aklapper	T230583 Archive MSSQL project
Resolved		Reedy	T279858 Formally EOL REL1_31
Resolved		Reedy	T285404 Release MediaWiki 1.31.16/1.35.4/1.36.2
Resolved		Reedy	T285405 Tracking bug for MediaWiki 1.31.16/1.35.4/1.36.2
Resolved	Security	Zabe	T285515 CVE-2021-41798: XSS vulnerability in Special:Search

Event Timeline

Zabe created this task.Jun 24 2021, 10:46 PM

Restricted Application added a subscriber: Aklapper. · View Herald TranscriptJun 24 2021, 10:46 PM

proposed patch

0001-SECURITY-Pass-escaped-HTML-to-FullSearchResultWidget.patch1 KBDownload

Restricted Application added a project: Discovery-Search. · View Herald TranscriptJun 24 2021, 10:48 PM

Zabe updated the task description. (Show Details)Jun 25 2021, 11:43 AM

Gehel added subscribers: MPhamWMF, CBogen.Jun 28 2021, 3:38 PM

Gehel added subscribers: TJones, dcausse, EBernhardson.

MPhamWMF moved this task from needs triage to Current work on the Discovery-Search board.Jun 28 2021, 3:40 PM

MPhamWMF edited projects, added Discovery-Search (Current work); removed Discovery-Search.

Tagging @EBernhardson / Discovery-Search for a quick opinion on this security patch. We'd like to deploy this security patch to production but wanted to confirm with someone on the Search Team that the patch seemed sane and there weren't any obvious double-escaping issues or potential issues with hook reuse. Thanks.

In T285515#7181412, @sbassett wrote:

Tagging @EBernhardson / Discovery-Search for a quick opinion on this security patch. We'd like to deploy this security patch to production but wanted to confirm with someone on the Search Team that the patch seemed sane and there weren't any obvious double-escaping issues or potential issues with hook reuse. Thanks.

+1, Changes looks appropriate to me. It doesn't look like this should result in any double escaping in core code.The hook is documented as having the passed date already HTML encoded, so at least in theory that should be expected by consumers and not double encoded there.

@EBernhardson - thanks!

deployed security patch to wmf.11 and wmf.12 -> https://sal.toolforge.org/log/UMnBWXoB8Fs0LHO5Q8wn and https://sal.toolforge.org/log/o8nHWXoB8Fs0LHO5vNDC

sbassett moved this task from Security Patch To Deploy to Watching on the Security-Team board.Jun 29 2021, 10:01 PM

sbassett added a parent task: T285405: Tracking bug for MediaWiki 1.31.16/1.35.4/1.36.2.Jun 29 2021, 10:09 PM

MPhamWMF moved this task from Incoming to Needs Reporting on the Discovery-Search (Current work) board.Jul 12 2021, 3:33 PM

Gehel closed this task as Resolved.Jul 26 2021, 12:20 PM

Reedy renamed this task from XSS vulnerability in Special:Search to CVE-2021-PENDING: XSS vulnerability in Special:Search.Sep 29 2021, 4:06 PM

Reedy renamed this task from CVE-2021-PENDING: XSS vulnerability in Special:Search to CVE-2021-41798: XSS vulnerability in Special:Search.Sep 29 2021, 8:44 PM

https://gerrit.wikimedia.org/r/c/mediawiki/core/+/342282 moved some stuff around, thus the patch above is not going to cleanly apply to REL1_31. So here is the patch for REL1_31.

0001-SECURITY-Pass-escaped-HTML-to-FullSearchResultWidget-REL1_31.patch1 KBDownload

The original patch applied fine with a git am -3 :)

In T285515#7389821, @Reedy wrote:

The original patch applied fine with a git am -3 :)

I should have tried that. Forget my comment then :)

Reedy added a subscriber: gerritbot.Sep 30 2021, 2:39 PM

Change 725055 had a related patch set uploaded (by Reedy; author: Zabe):

[mediawiki/core@REL1_31] SECURITY: Pass escaped HTML to FullSearchResultWidget::buildMeta

https://gerrit.wikimedia.org/r/725055

gerritbot added a project: Patch-For-Review.Sep 30 2021, 5:49 PM

Change 725055 merged by jenkins-bot:

[mediawiki/core@REL1_31] SECURITY: Pass escaped HTML to FullSearchResultWidget::buildMeta

https://gerrit.wikimedia.org/r/725055

Change 725061 had a related patch set uploaded (by Reedy; author: Zabe):

[mediawiki/core@REL1_35] SECURITY: Pass escaped HTML to FullSearchResultWidget::buildMeta

https://gerrit.wikimedia.org/r/725061

Change 725061 merged by jenkins-bot:

[mediawiki/core@REL1_35] SECURITY: Pass escaped HTML to FullSearchResultWidget::buildMeta

https://gerrit.wikimedia.org/r/725061

Change 725066 had a related patch set uploaded (by Reedy; author: Zabe):

[mediawiki/core@REL1_36] SECURITY: Pass escaped HTML to FullSearchResultWidget::buildMeta

https://gerrit.wikimedia.org/r/725066

Change 725071 had a related patch set uploaded (by Reedy; author: Zabe):

[mediawiki/core@REL1_37] SECURITY: Pass escaped HTML to FullSearchResultWidget::buildMeta

https://gerrit.wikimedia.org/r/725071

Change 725074 had a related patch set uploaded (by Reedy; author: Zabe):

[mediawiki/core@master] SECURITY: Pass escaped HTML to FullSearchResultWidget::buildMeta

https://gerrit.wikimedia.org/r/725074

Change 725066 merged by jenkins-bot:

[mediawiki/core@REL1_36] SECURITY: Pass escaped HTML to FullSearchResultWidget::buildMeta

https://gerrit.wikimedia.org/r/725066

Reedy changed the visibility from "Custom Policy" to "Public (No Login Required)".Sep 30 2021, 6:24 PM

Reedy changed the edit policy from "Custom Policy" to "All Users".

Change 725071 merged by jenkins-bot:

[mediawiki/core@REL1_37] SECURITY: Pass escaped HTML to FullSearchResultWidget::buildMeta

https://gerrit.wikimedia.org/r/725071

Change 725074 merged by jenkins-bot:

[mediawiki/core@master] SECURITY: Pass escaped HTML to FullSearchResultWidget::buildMeta

https://gerrit.wikimedia.org/r/725074

ReleaseTaggerBot added projects: MW-1.35-notes, MW-1.37-notes, MW-1.36-notes, MW-1.31-release-notes, MW-1.38-notes (1.38.0-wmf.3; 2021-10-05).Oct 1 2021, 5:21 PM

Zabe mentioned this in T292795: XSS vulnerability in Special:CheckUserLog (CVE-2021-46150).Oct 7 2021, 9:37 PM

Zabe removed a project: Patch-For-Review.Jan 15 2022, 2:50 PM

Zabe removed a project: User-Zabe.Apr 13 2022, 12:48 AM

	F34662028: 0001-SECURITY-Pass-escaped-HTML-to-FullSearchResultWidget-REL1_31.patch
	Sep 29 2021, 10:19 PM

	F34526984: 0001-SECURITY-Pass-escaped-HTML-to-FullSearchResultWidget.patch
	Jun 25 2021, 9:07 AM

	F34526316: 0001-SECURITY-Pass-escaped-HTML-to-FullSearchResultWidget.patch
	Jun 24 2021, 10:48 PM

CVE-2021-41798: XSS vulnerability in Special:SearchClosed, ResolvedPublicSecurityActions