Page MenuHomePhabricator
Create Task
Maniphest T290692

Permanent XSS exploitable by wiki admins in SpecialEditGrowthConfig (CVE-2021-42042)
Closed, ResolvedPublicSecurity
Actions

Description

Similar to other subtasks of T289067: Audit GrowthExperiments for XSS vulnerabilities.

Affected message is growthexperiments-edit-config-error-invalid-title -- any content added there will be included as raw HTML in Special:EditGrowthConfig, if config page is improperly configured.

Wiki admin can intentionally make that form include growthexperiments-edit-config-error-invalid-title by changing content model of MediaWiki:NewcomerTasks.json.

Details

Risk Rating
Low
Author Affiliation
WMF Product
ProjectBranchLines +/-Subject
mediawiki/extensions/GrowthExperimentsmaster+1 -1SECURITY: Fix XSS in SpecialEditGrowthConfig
mediawiki/extensions/GrowthExperimentsREL1_37+1 -1SECURITY: Fix XSS in SpecialEditGrowthConfig
Customize query in gerrit

Related Objects
Search...

Event Timeline

Urbanecm_WMF created this task.Sep 9 2021, 8:36 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptSep 9 2021, 8:36 PM
Urbanecm_WMF claimed this task.Sep 9 2021, 8:36 PM
Urbanecm_WMF triaged this task as High priority.
Urbanecm_WMF added projects: GrowthExperiments-CommunityConfiguration, Growth-Team (Current Sprint).
Urbanecm_WMF added a parent task: T289067: Audit GrowthExperiments for XSS vulnerabilities.
Restricted Application added a project: User-Urbanecm_WMF. · View Herald TranscriptSep 9 2021, 8:36 PM
Urbanecm_WMF added a comment.Sep 9 2021, 8:37 PM

T290692.patch936 BDownload

Urbanecm_WMF added subscribers: kostajh, Tgr, Etonkovidova.Sep 9 2021, 8:37 PM
Aklapper added a project: Vuln-XSS.Sep 9 2021, 8:48 PM
Urbanecm_WMF moved this task from Untriaged to Engineering on the User-Urbanecm_WMF board.Sep 9 2021, 8:49 PM
Urbanecm_WMF edited projects, added User-Urbanecm_WMF (Engineering); removed User-Urbanecm_WMF.
Urbanecm_WMF moved this task from Incoming to Code Review on the Growth-Team (Current Sprint) board.
Tgr added a comment.Sep 9 2021, 11:38 PM

CR +2

Tgr added a comment.Sep 10 2021, 12:38 AM

Deployed.

Tgr moved this task from Code Review to QA on the Growth-Team (Current Sprint) board.Sep 10 2021, 12:58 AM
sbassett mentioned this in T285414: Write and send supplementary release announcement for extensions and skins with security patches (1.31.16/1.35.4/1.36.2).Sep 10 2021, 2:49 AM
sbassett added a subscriber: sbassett.Sep 10 2021, 2:56 AM

Thanks for the deploy, @Tgr. Sal. Also tracked at T285414 and T276237.

sbassett lowered the priority of this task from High to Low.Sep 10 2021, 2:56 AM
sbassett moved this task from Incoming to Watching on the Security-Team board.
sbassett added a project: SecTeam-Processed.
sbassett added a parent task: T285414: Write and send supplementary release announcement for extensions and skins with security patches (1.31.16/1.35.4/1.36.2).Sep 10 2021, 3:06 AM
Urbanecm_WMF added a subscriber: mewoph.Sep 14 2021, 9:43 PM
Urbanecm_WMF moved this task from QA to Test in Production | Watching on the Growth-Team (Current Sprint) board.Sep 18 2021, 4:44 PM
Urbanecm_WMF moved this task from Backlog to My Part Done on the User-Urbanecm_WMF (Engineering) board.
Etonkovidova closed this task as Resolved.Sep 21 2021, 7:39 PM
Urbanecm_WMF reopened this task as Open.Sep 21 2021, 8:53 PM

This needs a backport (watching is probably the most appropriate column for that). I'll do that soon :).

kostajh added a comment.Sep 29 2021, 10:07 AM
In T290692#7370519, @Urbanecm_WMF wrote:

This needs a backport (watching is probably the most appropriate column for that). I'll do that soon :).

@Urbanecm_WMF just checking in on this, any update?

sbassett added a comment.Sep 29 2021, 4:04 PM

@Urbanecm_WMF @kostajh - the Security-Team will handle the backports for this one today, in preparation for the supplemental announcement (T285414), likely to be sent early next week.

sbassett changed the visibility from "Custom Policy" to "Public (No Login Required)".Sep 29 2021, 9:11 PM
sbassett changed the edit policy from "Custom Policy" to "All Users".
sbassett changed Risk Rating from N/A to Low.
gerritbot added a comment.Sep 29 2021, 9:33 PM

Change 724795 had a related patch set uploaded (by Mstyles; author: Urbanecm):

[mediawiki/extensions/GrowthExperiments@REL1_37] SECURITY: Fix XSS in SpecialEditGrowthConfig

https://gerrit.wikimedia.org/r/724795

gerritbot added a project: Patch-For-Review.Sep 29 2021, 9:33 PM
gerritbot added a comment.Sep 29 2021, 9:36 PM

Change 724844 merged by Mstyles:

[mediawiki/extensions/GrowthExperiments@master] SECURITY: Fix XSS in SpecialEditGrowthConfig

https://gerrit.wikimedia.org/r/724844

sbassett added a comment.Sep 29 2021, 9:43 PM

Merged to master as well: https://gerrit.wikimedia.org/r/724844. DIdn't apply cleanly to 1.36 or 1.35 - not sure if the relevant code existed back then.

gerritbot added a comment.Sep 29 2021, 9:51 PM

Change 724795 merged by jenkins-bot:

[mediawiki/extensions/GrowthExperiments@REL1_37] SECURITY: Fix XSS in SpecialEditGrowthConfig

https://gerrit.wikimedia.org/r/724795

ReleaseTaggerBot added a project: MW-1.38-notes (1.38.0-wmf.3; 2021-10-05).Sep 29 2021, 10:00 PM
Urbanecm_WMF closed this task as Resolved.Sep 30 2021, 7:54 PM
In T290692#7389670, @sbassett wrote:

Merged to master as well: https://gerrit.wikimedia.org/r/724844. DIdn't apply cleanly to 1.36 or 1.35 - not sure if the relevant code existed back then.

I just checked, and no, we added the functionality as part of 1.37. Closing, as there's nothing else to do.

sbassett renamed this task from Permanent XSS exploitable by wiki admins in SpecialEditGrowthConfig to Permanent XSS exploitable by wiki admins in SpecialEditGrowthConfig (CVE-2021-42042).Oct 7 2021, 8:35 PM
Content licensed under Creative Commons Attribution-ShareAlike 3.0 (CC-BY-SA) unless otherwise noted; code licensed under GNU General Public License (GPL) or other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL