Page MenuHomePhabricator
Create Task
Maniphest T289064

Newcomer homepage Impact module: Permanent XSS exploitable by admins for new accounts (CVE-2021-42048)
Closed, ResolvedPublicSecurity
Actions

Description

After noticing T289063, I looked into Impact's module code, and noticed another XSS can be exploited there. Unlike the linked task, it can be only exploited for accounts with zero edits, making it less impactful, but it needs to be addressed regardless.

Any admin can add arbitrary JavaScript code to MediaWIki:growthexperiments-homepage-impact-unactivated-suggested-edits-footer, which will be executed by homepage viewers with zero edits.

Details

SubjectRepoBranchLines +/-
SECURITY: Fix XSS vulnerability in Impact modulemediawiki/extensions/GrowthExperimentsREL1_36+1 -1
SECURITY: Fix XSS vulnerability in Impact modulemediawiki/extensions/GrowthExperimentsmaster+1 -1
Customize query in gerrit

Related Objects
Search...

Event Timeline

Urbanecm_WMF created this task.Aug 17 2021, 2:41 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptAug 17 2021, 2:41 PM
Urbanecm_WMF added projects: Vuln-XSS, GrowthExperiments-ImpactModule.Aug 17 2021, 2:42 PM
Restricted Application added a project: Growth-Team. · View Herald TranscriptAug 17 2021, 2:42 PM
Urbanecm_WMF added a parent task: T289067: Audit GrowthExperiments for XSS vulnerabilities.Aug 17 2021, 2:55 PM
Urbanecm_WMF triaged this task as High priority.Aug 17 2021, 2:57 PM
Urbanecm_WMF added subscribers: kostajh, mewoph, Tgr.Aug 17 2021, 3:00 PM
mewoph edited projects, added Growth-Team (Sprint 0 (Growth Team)); removed Growth-Team.Aug 17 2021, 3:29 PM

Patch addressing this issue:

T289064.patch940 BDownload

mewoph moved this task from Incoming to Code Review on the Growth-Team (Sprint 0 (Growth Team)) board.Aug 17 2021, 3:29 PM
Urbanecm_WMF added a comment.Aug 17 2021, 3:37 PM
In T289064#7288766, @mewoph wrote:

Patch addressing this issue:

T289064.patch940 BDownload

Looks good, that should fix it. Just a nitpick: The commit message should be prefixed with SECURITY: to let the deployers easily identify security patches that are on the production cluster.

Urbanecm_WMF added a comment.EditedAug 17 2021, 3:56 PM
17:55 <urbanecm> !log Deploy a security patch for T289064
17:55 <+stashbot> Logged the message at https://wikitech.wikimedia.org/wiki/Server_Admin_Log

Patch deployed to prod. Tested only locally, as testing in prod would require an edit and advertise the vuln.

For the archives, this is the deployed version -- same as @mewoph's original patch, but with edited commit message to align with the guidelines.

T289064.patch1016 BDownload

Urbanecm_WMF assigned this task to mewoph.EditedAug 17 2021, 9:51 PM
Urbanecm_WMF moved this task from Code Review to Test in Production | Watching on the Growth-Team (Sprint 0 (Growth Team)) board.

(moving to Watching as this should stay private&opened until merged publicly)

Urbanecm_WMF added a subscriber: sbassett.EditedAug 17 2021, 9:51 PM

@sbassett Can you do the final honors (backports) please (after the audit mentioned in parent task is finished)? Thanks!

Urbanecm_WMF added a subscriber: Etonkovidova.Aug 18 2021, 4:03 PM
sbassett mentioned this in T285414: Write and send supplementary release announcement for extensions and skins with security patches (1.31.16/1.35.4/1.36.2).Aug 18 2021, 8:02 PM
sbassett added a comment.Aug 18 2021, 8:08 PM

@Urbanecm_WMF - Ok, thanks. Tracked at T276237 and T285414. I'll likely push the relevant backports through gerrit today or tomorrow since we're patched in prod and I doubt anyone really uses this extension outside of WMF.

sbassett added a project: user-sbassett.Aug 18 2021, 8:56 PM
sbassett moved this task from Backlog to Waiting on the user-sbassett board.
Urbanecm_WMF mentioned this in T289387: Newcomer homepage somehow outputs unescaped user-agent.Aug 20 2021, 11:10 PM
sbassett moved this task from Incoming to Watching on the Security-Team board.Aug 23 2021, 8:50 PM
sbassett added a project: SecTeam-Processed.
Urbanecm changed the visibility from "Custom Policy" to "Public (No Login Required)".Sep 9 2021, 6:50 PM
Urbanecm changed the edit policy from "Custom Policy" to "All Users".
gerritbot added a comment.Sep 9 2021, 6:51 PM

Change 720087 had a related patch set uploaded (by Urbanecm; author: MewOphaswongse):

[mediawiki/extensions/GrowthExperiments@master] SECURITY: Fix XSS vulnerability in Impact module

https://gerrit.wikimedia.org/r/720087

gerritbot added a project: Patch-For-Review.Sep 9 2021, 6:51 PM
gerritbot added a comment.Sep 9 2021, 7:10 PM

Change 720087 merged by jenkins-bot:

[mediawiki/extensions/GrowthExperiments@master] SECURITY: Fix XSS vulnerability in Impact module

https://gerrit.wikimedia.org/r/720087

Maintenance_bot removed a project: Patch-For-Review.Sep 9 2021, 7:11 PM
gerritbot added a comment.Sep 9 2021, 7:26 PM

Change 719700 had a related patch set uploaded (by Urbanecm; author: MewOphaswongse):

[mediawiki/extensions/GrowthExperiments@REL1_36] SECURITY: Fix XSS vulnerability in Impact module

https://gerrit.wikimedia.org/r/719700

gerritbot added a project: Patch-For-Review.Sep 9 2021, 7:26 PM
Urbanecm_WMF closed this task as Resolved.Sep 9 2021, 7:29 PM

Merged to master, backported to 1.36, code was not vulnerable in older releases.

gerritbot added a comment.Sep 9 2021, 7:42 PM

Change 719700 merged by jenkins-bot:

[mediawiki/extensions/GrowthExperiments@REL1_36] SECURITY: Fix XSS vulnerability in Impact module

https://gerrit.wikimedia.org/r/719700

ReleaseTaggerBot added a project: MW-1.37-notes (1.37.0-wmf.23; 2021-09-13).Sep 9 2021, 8:00 PM
Maintenance_bot removed a project: Patch-For-Review.Sep 9 2021, 8:10 PM
sbassett added a parent task: T285414: Write and send supplementary release announcement for extensions and skins with security patches (1.31.16/1.35.4/1.36.2).Sep 10 2021, 3:06 AM
Mstyles renamed this task from Newcomer homepage Impact module: Permanent XSS exploitable by admins for new accounts to Newcomer homepage Impact module: Permanent XSS exploitable by admins for new accounts (CVE-2021-42048).Oct 7 2021, 8:35 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL