Mentor dashboard: Permanent XSS exploitable by wiki admins (server-side part) (CVE-2021-42047)
Closed, ResolvedPublicSecurity
Actions

Assigned To

Authored By

	Urbanecm_WMF
	Aug 17 2021, 2:38 PM

Description

Steps to reproduce

On any wiki with mentor dashboard enabled (as-of writing, testwiki and some beta wikis), log in with an account that has ability to edit ordinary NS_MEDIAWIKI pages (sysop or similar)
Go to MediaWiki:Growthexperiments-mentor-dashboard-mentee-overview-no-js-fallback and add <script>alert('XSS');</script> somewhere to the message
Login with an account that's on the mentors list.
Go to Special:MentorDashboard
Alert gets displayed

The same also applies for growthexperiments-mentor-dashboard-mentee-overview-intro and growthexperiments-mentor-dashboard-resources-intro messages.

Fix

MenteeOverview::getBody() should not use Html::rawElement, or should use ->escaped() for the message. Similar fix should be applied for other messages mentioned above.

Notes

This feature is not served outside of testwiki, but since it allows unauthorized users to run arbitrary JS on a production wikis, this should go through the normal security patch procedure.

Details

Author Affiliation: WMF Product

	Subject	Repo	Branch	Lines +/-
	SECURITY: Fix XSS vulnerabilities in mentor dashboard	mediawiki/extensions/GrowthExperiments	master	+1 -1

Customize query in gerrit

Related Objects
Search...

Status	Subtype	Assigned	Task
Resolved		Reedy	T266419 Composer 2.0 updates and support
Resolved		Reedy	T266421 Rebuild mediawiki-vendor on composer 2.0
Resolved		Reedy	T275824 Bump wikimedia/composer-merge-plugin in vendor
Resolved		tstarling	T248908 composer-merge-plugin support for composer 2.0
			Restricted Task
Resolved		Jdforrester-WMF	T279857 Re-build CI containers with Composer 2.x
Resolved		Jdforrester-WMF	T281294 Drop CI for REL1_31 branch once it's EOL
Resolved		Aklapper	T230582 Archive Oracle Database project
Resolved		Aklapper	T230583 Archive MSSQL project
Resolved		Reedy	T279858 Formally EOL REL1_31
Resolved		Reedy	T285404 Release MediaWiki 1.31.16/1.35.4/1.36.2
Resolved		Mstyles	T285414 Write and send supplementary release announcement for extensions and skins with security patches (1.31.16/1.35.4/1.36.2)
Resolved	Security	kostajh	T289067 Audit GrowthExperiments for XSS vulnerabilities
Resolved	Security	Urbanecm_WMF	T289063 Mentor dashboard: Permanent XSS exploitable by wiki admins (server-side part) (CVE-2021-42047)

Event Timeline

Urbanecm_WMF created this task.Aug 17 2021, 2:38 PM

Restricted Application added a subscriber: Aklapper. · View Herald TranscriptAug 17 2021, 2:38 PM

Urbanecm_WMF triaged this task as High priority.Aug 17 2021, 2:39 PM

Urbanecm_WMF added projects: GrowthExperiments-MentorDashboard, Growth-Team (Sprint 0 (Growth Team)).

Urbanecm_WMF added a project: Vuln-XSS.

Urbanecm_WMF mentioned this in T289064: Newcomer homepage Impact module: Permanent XSS exploitable by admins for new accounts (CVE-2021-42048).Aug 17 2021, 2:41 PM

Urbanecm_WMF mentioned this in T289067: Audit GrowthExperiments for XSS vulnerabilities.Aug 17 2021, 2:53 PM

Urbanecm_WMF added a parent task: T289067: Audit GrowthExperiments for XSS vulnerabilities.Aug 17 2021, 2:55 PM

Urbanecm_WMF added subscribers: kostajh, • mewoph, Tgr.Aug 17 2021, 3:00 PM

T289063.patch1 KBDownload

Here is a patch that should fix this issue.

Urbanecm_WMF renamed this task from Mentor dashboard mentee overview: Permanent XSS exploitable by wiki admins to Mentor dashboard: Permanent XSS exploitable by wiki admins.Aug 17 2021, 4:50 PM

Urbanecm_WMF updated the task description. (Show Details)

Altered the patch to fix more occurances of the same vulnerability in the mentor dashboard:

T289063.patch2 KBDownload

CR +2

23:44 <urbanecm> !log Deploy security patch for T289063
23:44 <+stashbot> Logged the message at https://wikitech.wikimedia.org/wiki/Server_Admin_Log

Deployed to production (both branches) as-of the following version:

T289063.patch2 KBDownload

Thanks Tgr!

Urbanecm_WMF claimed this task.Aug 17 2021, 9:47 PM

Urbanecm_WMF added a project: User-Urbanecm_WMF (Engineering).

@sbassett Can you do the final honors (backports) please (after the audit mentioned in parent task is finished)? Thanks!

(moving to watching as this should stay open until merged publicly)

Urbanecm_WMF added a subscriber: Etonkovidova.Aug 18 2021, 4:03 PM

sbassett mentioned this in T285414: Write and send supplementary release announcement for extensions and skins with security patches (1.31.16/1.35.4/1.36.2).Aug 18 2021, 8:02 PM

@Urbanecm_WMF - Ok, thanks. Tracked at T276237 and T285414. I'll likely push the relevant backports through gerrit today or tomorrow since we're patched in prod and I doubt anyone really uses this extension outside of WMF.

sbassett added a project: user-sbassett.Aug 18 2021, 8:56 PM

sbassett moved this task from Backlog to Waiting on the user-sbassett board.

Even if they do, interface editor right is needed to exploit the vulnerabilities, and outside Wikimedia wikis that's usually limited to very trusted groups.

In T289063#7293371, @Tgr wrote:

Even if they do, interface editor right is needed to exploit the vulnerabilities, and outside Wikimedia wikis that's usually limited to very trusted groups.

That's not true -- sysop is enough (this needs editinterface, not the all-powerful editsitejs). I'd agree that non-WMF wikis probably trust their sysops much more than we do though.

Interface editor is technically weaker than sysop. I'd expect it to be rare for non-Wikimedia wikis to separate the two, though.

I believe there's also still a small risk of a nefarious message making it through via translatewiki.net, though there is still a partially-automated review process for this in gerrit.

Urbanecm_WMF removed a parent task: T289067: Audit GrowthExperiments for XSS vulnerabilities.Aug 20 2021, 11:10 PM

Urbanecm_WMF added a parent task: T289067: Audit GrowthExperiments for XSS vulnerabilities.Aug 20 2021, 11:20 PM

Urbanecm_WMF renamed this task from Mentor dashboard: Permanent XSS exploitable by wiki admins to Mentor dashboard: Permanent XSS exploitable by wiki admins (server-side part).Aug 21 2021, 7:25 PM

Urbanecm_WMF moved this task from Backlog to My Part Done on the User-Urbanecm_WMF (Engineering) board.Aug 21 2021, 11:02 PM

sbassett added a project: SecTeam-Processed.Aug 23 2021, 8:50 PM

sbassett moved this task from Incoming to Watching on the Security-Team board.

We're patched in prod.

Urbanecm_WMF changed Author Affiliation from N/A to WMF Product.Aug 24 2021, 8:25 PM

Urbanecm changed the visibility from "Custom Policy" to "Public (No Login Required)".Sep 9 2021, 6:50 PM

Urbanecm changed the edit policy from "Custom Policy" to "All Users".

Change 720088 had a related patch set uploaded (by Urbanecm; author: Urbanecm):

[mediawiki/extensions/GrowthExperiments@master] SECURITY: Fix XSS vulnerabilities in mentor dashboard

https://gerrit.wikimedia.org/r/720088

Change 720088 merged by jenkins-bot:

[mediawiki/extensions/GrowthExperiments@master] SECURITY: Fix XSS vulnerabilities in mentor dashboard

https://gerrit.wikimedia.org/r/720088

Merged to master, code in currently supported releases does not include mentor dashboard.

ReleaseTaggerBot added a project: MW-1.37-notes (1.37.0-wmf.23; 2021-09-13).Sep 9 2021, 8:00 PM

sbassett added a parent task: T285414: Write and send supplementary release announcement for extensions and skins with security patches (1.31.16/1.35.4/1.36.2).Sep 10 2021, 3:06 AM

Mstyles renamed this task from Mentor dashboard: Permanent XSS exploitable by wiki admins (server-side part) to Mentor dashboard: Permanent XSS exploitable by wiki admins (server-side part) (CVE-2021-42047).Oct 7 2021, 8:34 PM

	F34598455: T289063.patch
	Aug 17 2021, 4:53 PM

	F34598374: T289063.patch
	Aug 17 2021, 3:12 PM

Mentor dashboard: Permanent XSS exploitable by wiki admins (server-side part) (CVE-2021-42047)Closed, ResolvedPublicSecurityActions