Page MenuHomePhabricator
Create Task
Maniphest T289408

Mentor dashboard: Permanent XSS exploitable by wiki admins (client-side part) (CVE-2021-42044)
Closed, ResolvedPublicSecurity
Actions

Assigned To
Urbanecm_WMF
Authored By
Urbanecm_WMF
Aug 21 2021, 8:01 PM
Tags
Referenced Files
F34617729: T289408.patch
Aug 23 2021, 10:38 AM
F34617703: T289408-.19.patch
Aug 23 2021, 10:20 AM
F34614740: T289408.patch
Aug 21 2021, 8:03 PM
Subscribers
Aklapper
Daimona
Etonkovidova
kostajh
mewoph
sbassett
Tgr
Urbanecm_WMF

Description

Steps to reproduce
  1. On any wiki with mentor dashboard enabled (as-of writing, testwiki and some beta wikis), log in with an account that has ability to edit ordinary NS_MEDIAWIKI pages (sysop or similar)
  2. Go to MediaWiki:Growthexperiments-mentor-dashboard-mentee-overview-add-filter-total-edits-headline and add <script>alert('XSS');</script> somewhere to the message
  3. Login with an account that's on the mentors list.
  4. Go to Special:MentorDashboard
  5. Alert gets displayed

The same applies for a bunch of other messages:

  • growthexperiments-mentor-dashboard-mentee-overview-add-filter-starred-headline
  • growthexperiments-mentor-dashboard-mentee-overview-info-text
  • growthexperiments-mentor-dashboard-mentee-overview-info-legend-headline
  • growthexperiments-mentor-dashboard-mentee-overview-active-ago
Notes

Pattern: Usage of $('<el>').append(<unescaped string>)

Solution: Use jQuery's .text() to trigger escaping on jQuery's end, or use mw.message(...).escaped() or mw.message(...).parse() instead to trigger escaping on MW's end.

Details

Author Affiliation
WMF Product
SubjectRepoBranchLines +/-
SECURITY: Fix a bunch of XSS holes in Mentor dashboardmediawiki/extensions/GrowthExperimentsmaster+8 -8
Customize query in gerrit

Related Objects
Search...

Event Timeline

Urbanecm_WMF claimed this task.Aug 21 2021, 8:01 PM
Urbanecm_WMF triaged this task as High priority.
Urbanecm_WMF created this task.
Urbanecm_WMF added projects: GrowthExperiments-MentorDashboard, Growth-Team (Sprint 0 (Growth Team)), User-Urbanecm_WMF (Engineering).
Urbanecm_WMF moved this task from Incoming to Code Review on the Growth-Team (Sprint 0 (Growth Team)) board.Aug 21 2021, 8:03 PM

T289408.patch4 KBDownload

and here is a patch that should fix this.

Urbanecm_WMF moved this task from Backlog to In review on the User-Urbanecm_WMF (Engineering) board.Aug 21 2021, 8:09 PM
Urbanecm_WMF added a project: Patch-For-Review.Aug 21 2021, 11:32 PM
kostajh added a comment.Aug 23 2021, 8:54 AM
In T289408#7299399, @Urbanecm_WMF wrote:

T289408.patch4 KBDownload

and here is a patch that should fix this.

LGTM

Urbanecm_WMF added a comment.Aug 23 2021, 10:20 AM

Thanks @kostajh! Patched in prod with a slightly amended version of this patch:

T289408-.19.patch2 KBDownload

because icons aren't in wmf.19.

Not sure what to do with the part that will ride with wmf.20.

Urbanecm_WMF added a comment.Aug 23 2021, 10:29 AM
In T289408#7300862, @Urbanecm_WMF wrote:

[...]
Not sure what to do with the part that will ride with wmf.20.

Amir suggests waiting for wmf.20 and then patching it. Will do that as soon as wmf.20 is out.

Urbanecm_WMF added a project: Vuln-XSS.Aug 23 2021, 10:29 AM
Urbanecm_WMF added a comment.Aug 23 2021, 10:38 AM

T289408.patch4 KBDownload

and this is a patch that cleanly applies to curret master.

Urbanecm_WMF moved this task from Code Review to Test in Production | Watching on the Growth-Team (Sprint 0 (Growth Team)) board.Aug 23 2021, 10:44 AM
Urbanecm_WMF moved this task from In review to Backlog on the User-Urbanecm_WMF (Engineering) board.
Urbanecm_WMF moved this task from Backlog to In progress on the User-Urbanecm_WMF (Engineering) board.Aug 23 2021, 3:18 PM
sbassett mentioned this in T285414: Write and send supplementary release announcement for extensions and skins with security patches (1.31.16/1.35.4/1.36.2).Aug 23 2021, 8:50 PM
sbassett added a project: SecTeam-Processed.
sbassett moved this task from Incoming to Watching on the Security-Team board.
sbassett lowered the priority of this task from High to Low.Aug 24 2021, 3:16 PM

Setting to low for now since patch has been applied to production per T289408#7300862.

Urbanecm_WMF added a comment.Aug 24 2021, 7:02 PM
In T289408#7300866, @Urbanecm_WMF wrote:
In T289408#7300862, @Urbanecm_WMF wrote:

[...]
Not sure what to do with the part that will ride with wmf.20.

Amir suggests waiting for wmf.20 and then patching it. Will do that as soon as wmf.20 is out.

I coordinated with Release Engineering, and T289408#7300892 is now applied for wmf.20 (which will get rolled to testwikis momentarily).

We should be fully patched now (against this particular case).

Urbanecm_WMF changed Author Affiliation from N/A to WMF Product.Aug 24 2021, 8:25 PM
Urbanecm_WMF moved this task from In progress to My Part Done on the User-Urbanecm_WMF (Engineering) board.Sep 3 2021, 6:46 AM
Urbanecm changed the visibility from "Custom Policy" to "Public (No Login Required)".Sep 9 2021, 6:50 PM
Urbanecm changed the edit policy from "Custom Policy" to "All Users".
gerritbot added a comment.Sep 9 2021, 6:51 PM

Change 720089 had a related patch set uploaded (by Urbanecm; author: Urbanecm):

[mediawiki/extensions/GrowthExperiments@master] SECURITY: Fix a bunch of XSS holes in Mentor dashboard

https://gerrit.wikimedia.org/r/720089

gerritbot added a comment.Sep 9 2021, 7:44 PM

Change 720089 merged by jenkins-bot:

[mediawiki/extensions/GrowthExperiments@master] SECURITY: Fix a bunch of XSS holes in Mentor dashboard

https://gerrit.wikimedia.org/r/720089

Urbanecm_WMF closed this task as Resolved.Sep 9 2021, 7:45 PM

Merged to master, code in currently supported releases does not include mentor dashboard.

ReleaseTaggerBot added a project: MW-1.37-notes (1.37.0-wmf.23; 2021-09-13).Sep 9 2021, 8:00 PM
sbassett added a parent task: T285414: Write and send supplementary release announcement for extensions and skins with security patches (1.31.16/1.35.4/1.36.2).Sep 10 2021, 3:06 AM
sbassett renamed this task from Mentor dashboard: Permanent XSS exploitable by wiki admins (client-side part) to Mentor dashboard: Permanent XSS exploitable by wiki admins (client-side part) (CVE-2021-42044).Oct 7 2021, 8:35 PM
Urbanecm_WMF added a project: GrowthExperiments-Mentorship.Thu, Jul 4, 5:59 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits