Page MenuHomePhabricator

Newcomer homepage Impact module: Permanent XSS exploitable by admins for new accounts
Closed, ResolvedPublicSecurity

Description

After noticing T289063, I looked into Impact's module code, and noticed another XSS can be exploited there. Unlike the linked task, it can be only exploited for accounts with zero edits, making it less impactful, but it needs to be addressed regardless.

Any admin can add arbitrary JavaScript code to MediaWIki:growthexperiments-homepage-impact-unactivated-suggested-edits-footer, which will be executed by homepage viewers with zero edits.

Event Timeline

Patch addressing this issue:

Patch addressing this issue:

Looks good, that should fix it. Just a nitpick: The commit message should be prefixed with SECURITY: to let the deployers easily identify security patches that are on the production cluster.

17:55 <urbanecm> !log Deploy a security patch for T289064
17:55 <+stashbot> Logged the message at https://wikitech.wikimedia.org/wiki/Server_Admin_Log

Patch deployed to prod. Tested only locally, as testing in prod would require an edit and advertise the vuln.

For the archives, this is the deployed version -- same as @mewoph's original patch, but with edited commit message to align with the guidelines.

(moving to Watching as this should stay private&opened until merged publicly)

@sbassett Can you do the final honors (backports) please (after the audit mentioned in parent task is finished)? Thanks!

@Urbanecm_WMF - Ok, thanks. Tracked at T276237 and T285414. I'll likely push the relevant backports through gerrit today or tomorrow since we're patched in prod and I doubt anyone really uses this extension outside of WMF.

Urbanecm changed the visibility from "Custom Policy" to "Public (No Login Required)".Thu, Sep 9, 6:50 PM
Urbanecm changed the edit policy from "Custom Policy" to "All Users".

Change 720087 had a related patch set uploaded (by Urbanecm; author: MewOphaswongse):

[mediawiki/extensions/GrowthExperiments@master] SECURITY: Fix XSS vulnerability in Impact module

https://gerrit.wikimedia.org/r/720087

Change 720087 merged by jenkins-bot:

[mediawiki/extensions/GrowthExperiments@master] SECURITY: Fix XSS vulnerability in Impact module

https://gerrit.wikimedia.org/r/720087

Change 719700 had a related patch set uploaded (by Urbanecm; author: MewOphaswongse):

[mediawiki/extensions/GrowthExperiments@REL1_36] SECURITY: Fix XSS vulnerability in Impact module

https://gerrit.wikimedia.org/r/719700

Merged to master, backported to 1.36, code was not vulnerable in older releases.

Change 719700 merged by jenkins-bot:

[mediawiki/extensions/GrowthExperiments@REL1_36] SECURITY: Fix XSS vulnerability in Impact module

https://gerrit.wikimedia.org/r/719700

sbassett added a parent task: Restricted Task.Fri, Sep 10, 3:06 AM