Page MenuHomePhabricator

Mentor dashboard: Permanent XSS exploitable by wiki admins (server-side part)
Closed, ResolvedPublicSecurity

Description

Steps to reproduce
  1. On any wiki with mentor dashboard enabled (as-of writing, testwiki and some beta wikis), log in with an account that has ability to edit ordinary NS_MEDIAWIKI pages (sysop or similar)
  2. Go to MediaWiki:Growthexperiments-mentor-dashboard-mentee-overview-no-js-fallback and add <script>alert('XSS');</script> somewhere to the message
  3. Login with an account that's on the mentors list.
  4. Go to Special:MentorDashboard
  5. Alert gets displayed

The same also applies for growthexperiments-mentor-dashboard-mentee-overview-intro and growthexperiments-mentor-dashboard-resources-intro messages.

Fix

MenteeOverview::getBody() should not use Html::rawElement, or should use ->escaped() for the message. Similar fix should be applied for other messages mentioned above.

Notes

This feature is not served outside of testwiki, but since it allows unauthorized users to run arbitrary JS on a production wikis, this should go through the normal security patch procedure.

Event Timeline

Urbanecm_WMF added a project: Patch-For-Review.

Here is a patch that should fix this issue.

Urbanecm_WMF renamed this task from Mentor dashboard mentee overview: Permanent XSS exploitable by wiki admins to Mentor dashboard: Permanent XSS exploitable by wiki admins.Aug 17 2021, 4:50 PM
Urbanecm_WMF updated the task description. (Show Details)

Altered the patch to fix more occurances of the same vulnerability in the mentor dashboard:

23:44 <urbanecm> !log Deploy security patch for T289063
23:44 <+stashbot> Logged the message at https://wikitech.wikimedia.org/wiki/Server_Admin_Log

Deployed to production (both branches) as-of the following version:

Thanks Tgr!

@sbassett Can you do the final honors (backports) please (after the audit mentioned in parent task is finished)? Thanks!

(moving to watching as this should stay open until merged publicly)

@Urbanecm_WMF - Ok, thanks. Tracked at T276237 and T285414. I'll likely push the relevant backports through gerrit today or tomorrow since we're patched in prod and I doubt anyone really uses this extension outside of WMF.

Even if they do, interface editor right is needed to exploit the vulnerabilities, and outside Wikimedia wikis that's usually limited to very trusted groups.

Even if they do, interface editor right is needed to exploit the vulnerabilities, and outside Wikimedia wikis that's usually limited to very trusted groups.

That's not true -- sysop is enough (this needs editinterface, not the all-powerful editsitejs). I'd agree that non-WMF wikis probably trust their sysops much more than we do though.

Interface editor is technically weaker than sysop. I'd expect it to be rare for non-Wikimedia wikis to separate the two, though.

I believe there's also still a small risk of a nefarious message making it through via translatewiki.net, though there is still a partially-automated review process for this in gerrit.

Urbanecm_WMF renamed this task from Mentor dashboard: Permanent XSS exploitable by wiki admins to Mentor dashboard: Permanent XSS exploitable by wiki admins (server-side part).Aug 21 2021, 7:25 PM
Urbanecm_WMF lowered the priority of this task from High to Low.Aug 24 2021, 8:25 PM

We're patched in prod.

Urbanecm_WMF changed Author Affiliation from N/A to WMF Product.Aug 24 2021, 8:25 PM
Urbanecm changed the visibility from "Custom Policy" to "Public (No Login Required)".Thu, Sep 9, 6:50 PM
Urbanecm changed the edit policy from "Custom Policy" to "All Users".

Change 720088 had a related patch set uploaded (by Urbanecm; author: Urbanecm):

[mediawiki/extensions/GrowthExperiments@master] SECURITY: Fix XSS vulnerabilities in mentor dashboard

https://gerrit.wikimedia.org/r/720088

Change 720088 merged by jenkins-bot:

[mediawiki/extensions/GrowthExperiments@master] SECURITY: Fix XSS vulnerabilities in mentor dashboard

https://gerrit.wikimedia.org/r/720088

Merged to master, code in currently supported releases does not include mentor dashboard.

sbassett added a parent task: Restricted Task.Fri, Sep 10, 3:06 AM