
XSS vulnerability in the 'setchange' log (CVE-2021-42041)
Closed, ResolvedPublicSecurity

Description

Steps to reproduce
  1. Create some wikiset and change its wikis so that there is a log entry containing (none).
  2. Set MediaWiki:rightsnone to <img src=x onerror=alert(1)>.
  3. Either go to Special:Log or to Special:WikiSets/1 (the number of the edited wiki set needs to be chosen here).
  4. Enjoy your alert box.

xss_wikisets.png (932×1 px, 113 KB)

This is possible due to an unescaped message:

case 'setchange':
	// Vulnerable: the 'rightsnone' message is inserted with ->text(), i.e. unescaped,
	// into log parameters that the formatter renders as HTML
	$args = [
		$params[1] ?: wfMessage( 'rightsnone' )->text(),
		$params[2] ?: wfMessage( 'rightsnone' )->text()
	];
	break;
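The following is an added illustration of the bug shape described above and of the hardening the patch title names ("pass escaped HTML"); it is not code from this task, from CentralAuth or from MediaWiki. `FakeMessage` and `fakeWfMessage()` are constructed stand-ins for MediaWiki's `Message` class and `wfMessage()` (only `text()` and `escaped()` are modelled), `renderLogLine()` is a constructed stand-in for the formatter step, and the message store array plays the role of an overridden MediaWiki:Rightsnone page.

```php
<?php
// Added illustration for this task, not CentralAuth's or MediaWiki's own code.
// FakeMessage stands in for MediaWiki's Message object with just the two
// methods relevant here (constructed stand-ins, not the real class).
final class FakeMessage {
    private string $raw;

    public function __construct( string $raw ) {
        $this->raw = $raw;
    }

    // Message content as stored on the wiki, unescaped (like Message::text())
    public function text(): string {
        return $this->raw;
    }

    // Message content with HTML special characters entity-encoded
    // (like Message::escaped())
    public function escaped(): string {
        return htmlspecialchars( $this->raw, ENT_QUOTES, 'UTF-8' );
    }
}

// Stand-in for wfMessage(): looks the key up in a constructed message store
// that plays the role of the on-wiki MediaWiki:Rightsnone page.
function fakeWfMessage( array $store, string $key ): FakeMessage {
    return new FakeMessage( $store[$key] ?? "($key)" );
}

// Vulnerable shape from the task description: $params[1]/$params[2] are the
// old and new wiki lists; when either is empty the 'rightsnone' message is
// substituted unescaped into $args, which the log formatter treats as HTML.
function setchangeArgsVulnerable( array $params, array $store ): array {
    return [
        $params[1] ?: fakeWfMessage( $store, 'rightsnone' )->text(),
        $params[2] ?: fakeWfMessage( $store, 'rightsnone' )->text(),
    ];
}

// Hardened shape: the substituted message is HTML-escaped before it is
// handed to the formatter, so an overridden message cannot inject markup.
function setchangeArgsFixed( array $params, array $store ): array {
    return [
        $params[1] ?: fakeWfMessage( $store, 'rightsnone' )->escaped(),
        $params[2] ?: fakeWfMessage( $store, 'rightsnone' )->escaped(),
    ];
}

// Minimal stand-in for the formatter step: the arguments are interpolated
// straight into an HTML log line, which is why they must already be escaped.
function renderLogLine( array $args ): string {
    return "changed wikis of the wiki set from {$args[0]} to {$args[1]}";
}

// Constructed scenario: MediaWiki:Rightsnone has been overridden with the
// markup from the reproduction steps, and both wiki lists in the log entry
// are empty, so the message is substituted twice.
$store  = [ 'rightsnone' => '<img src=x onerror=alert(1)>' ];
$params = [ 'setchange', '', '' ];

// The vulnerable variant passes the stored markup through to the HTML line
// unchanged; the fixed variant passes it through entity-encoded.
echo renderLogLine( setchangeArgsVulnerable( $params, $store ) ), "\n";
echo renderLogLine( setchangeArgsFixed( $params, $store ) ), "\n";
```

Running the script with `php` shows the two log lines side by side: in the first the stored tag survives as markup, in the second it appears as literal text. The point of the comparison is where the escaping happens: log parameters are rendered as HTML, so anything substituted into them from an editable message has to be escaped at the point of substitution, not left to the formatter. The actual fix for CentralAuth is the set of Gerrit changes listed further down in this task.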

Event Timeline

proposed patch

sbassett subscribed.

+1 to the patch above. Didn't test but this is a trivial change and we can also track the issue at T285414. Is this an issue on the projects though? MediaWiki:Rightsnone doesn't seem to be a valid message on any project right now and you'd need int-admin to edit/restore it, no? Given all of that, I think this is lower-risk and could likely wait to be deployed during this coming Monday's security window.

sbassett triaged this task as Medium priority.Sep 24 2021, 8:55 PM
sbassett changed Risk Rating from N/A to Medium.

proposed patch

Tested locally, confirmed to work, +2

> +1 to the patch above. Didn't test but this is a trivial change and we can also track the issue at T285414.

Don't know what that task is since I can't see it, but sure.

> Is this an issue on the projects though? MediaWiki:Rightsnone doesn't seem to be a valid message on any project right now

Maybe I am misunderstanding you but it is definitely used, here is a random log entry: https://meta.wikimedia.org/w/index.php?title=Special:Log&logid=43404538. And the message can be overridden at https://meta.wikimedia.org/wiki/MediaWiki:Rightsnone.

> and you'd need int-admin to edit/restore it, no?

Normal sysops can manipulate those, basically everyone with the editinterface permission.

> Given all of that, I think this is lower-risk and could likely wait to be deployed during this coming Monday's security window.

Update: The Security-Team will plan to deploy this to 1.38.0-wmf.1 during today's security window.

> Don't know what that task is since I can't see it, but sure.

It's a tracking task for the next supplemental security release, where this bug would be tracked and disclosed since CA isn't part of core or bundled. I've subbed you but it's acl*security right now, so you likely still can't see it. But that's what that task is about.

> Maybe I am misunderstanding you but it is definitely used, here is a random log entry: https://meta.wikimedia.org/w/index.php?title=Special:Log&logid=43404538. And the message can be overridden at https://meta.wikimedia.org/wiki/MediaWiki:Rightsnone.
> Normal sysops can manipulate those, basically everyone with the editinterface permission.

Sure, but meta:MediaWiki:Rightsnone currently displays the delete msg: This page does not exist. The deletion, protection, and move log for the page are provided below for reference. And typically only cn-admins, int-admins and admins have editinterface, which are already trusted users with many privileges, hence this being a fairly low-risk XSS IMO. But per the update above, we'll plan to get this deployed today, certainly as a code-hardening measure.

This security patch was deployed on Sept 27: https://sal.toolforge.org/log/15laKXwBa_6PSCT9t46S
Everything looked good on logstash, no errors seen. Feel free to test.

sbassett changed the visibility from "Custom Policy" to "Public (No Login Required)".Oct 1 2021, 8:14 PM
sbassett changed the edit policy from "Custom Policy" to "All Users".
sbassett changed Risk Rating from Medium to Low.

Change 725367 had a related patch set uploaded (by SBassett; author: Zabe):

[mediawiki/extensions/CentralAuth@master] SECURITY: Pass escaped HTML to the 'setchange' log

https://gerrit.wikimedia.org/r/725367

Change 725277 had a related patch set uploaded (by SBassett; author: Zabe):

[mediawiki/extensions/CentralAuth@REL1_37] SECURITY: Pass escaped HTML to the 'setchange' log

https://gerrit.wikimedia.org/r/725277

Change 725278 had a related patch set uploaded (by SBassett; author: Zabe):

[mediawiki/extensions/CentralAuth@REL1_36] SECURITY: Pass escaped HTML to the 'setchange' log

https://gerrit.wikimedia.org/r/725278

Change 725279 had a related patch set uploaded (by SBassett; author: Zabe):

[mediawiki/extensions/CentralAuth@REL1_35] SECURITY: Pass escaped HTML to the 'setchange' log

https://gerrit.wikimedia.org/r/725279

Change 725367 merged by jenkins-bot:

[mediawiki/extensions/CentralAuth@master] SECURITY: Pass escaped HTML to the 'setchange' log

https://gerrit.wikimedia.org/r/725367

Change 725277 merged by jenkins-bot:

[mediawiki/extensions/CentralAuth@REL1_37] SECURITY: Pass escaped HTML to the 'setchange' log

https://gerrit.wikimedia.org/r/725277

Change 725278 merged by jenkins-bot:

[mediawiki/extensions/CentralAuth@REL1_36] SECURITY: Pass escaped HTML to the 'setchange' log

https://gerrit.wikimedia.org/r/725278

Change 725279 merged by jenkins-bot:

[mediawiki/extensions/CentralAuth@REL1_35] SECURITY: Pass escaped HTML to the 'setchange' log

https://gerrit.wikimedia.org/r/725279

sbassett moved this task from Backlog to Done on the MediaWiki-extensions-CentralAuth board.
sbassett moved this task from Watching to Our Part Is Done on the Security-Team board.
sbassett removed a project: Patch-For-Review.
sbassett renamed this task from XSS vulnerability in the 'setchange' log to XSS vulnerability in the 'setchange' log (CVE-2021-42041).Oct 7 2021, 8:36 PM