Page MenuHomePhabricator

Mentor dashboard: Permanent XSS exploitable by wiki admins (client-side part)
Closed, ResolvedPublicSecurity

Description

Steps to reproduce
  1. On any wiki with mentor dashboard enabled (as-of writing, testwiki and some beta wikis), log in with an account that has ability to edit ordinary NS_MEDIAWIKI pages (sysop or similar)
  2. Go to MediaWiki:Growthexperiments-mentor-dashboard-mentee-overview-add-filter-total-edits-headline and add <script>alert('XSS');</script> somewhere to the message
  3. Login with an account that's on the mentors list.
  4. Go to Special:MentorDashboard
  5. Alert gets displayed

The same applies for a bunch of other messages:

  • growthexperiments-mentor-dashboard-mentee-overview-add-filter-starred-headline
  • growthexperiments-mentor-dashboard-mentee-overview-info-text
  • growthexperiments-mentor-dashboard-mentee-overview-info-legend-headline
  • growthexperiments-mentor-dashboard-mentee-overview-active-ago
Notes

Pattern: Usage of $('<el>').append(<unescaped string>)

Solution: Use jQuery's .text() to trigger escaping on jQuery's end, or use mw.message(...).escaped() or mw.message(...).parse() instead to trigger escaping on MW's end.

Related Objects

StatusSubtypeAssignedTask
OpenSecurityNone
ResolvedSecurityUrbanecm_WMF

Event Timeline

and here is a patch that should fix this.

and here is a patch that should fix this.

LGTM

Thanks @kostajh! Patched in prod with a slightly amended version of this patch:

because icons aren't in wmf.19.

Not sure what to do with the part that will ride with wmf.20.

[...]
Not sure what to do with the part that will ride with wmf.20.

Amir suggests waiting for wmf.20 and then patching it. Will do that as soon as wmf.20 is out.

and this is a patch that cleanly applies to curret master.

sbassett lowered the priority of this task from High to Low.Aug 24 2021, 3:16 PM

Setting to low for now since patch has been applied to production per T289408#7300862.

[...]
Not sure what to do with the part that will ride with wmf.20.

Amir suggests waiting for wmf.20 and then patching it. Will do that as soon as wmf.20 is out.

I coordinated with Release Engineering, and T289408#7300892 is now applied for wmf.20 (which will get rolled to testwikis momentarily).

We should be fully patched now (against this particular case).

Urbanecm_WMF changed Author Affiliation from N/A to WMF Product.Aug 24 2021, 8:25 PM
Urbanecm changed the visibility from "Custom Policy" to "Public (No Login Required)".Thu, Sep 9, 6:50 PM
Urbanecm changed the edit policy from "Custom Policy" to "All Users".

Change 720089 had a related patch set uploaded (by Urbanecm; author: Urbanecm):

[mediawiki/extensions/GrowthExperiments@master] SECURITY: Fix a bunch of XSS holes in Mentor dashboard

https://gerrit.wikimedia.org/r/720089

Change 720089 merged by jenkins-bot:

[mediawiki/extensions/GrowthExperiments@master] SECURITY: Fix a bunch of XSS holes in Mentor dashboard

https://gerrit.wikimedia.org/r/720089

Merged to master, code in currently supported releases does not include mentor dashboard.

sbassett added a parent task: Restricted Task.Fri, Sep 10, 3:06 AM