Page MenuHomePhabricator
Create Task
Maniphest T292795

XSS vulnerability in Special:CheckUserLog (CVE-2021-46150)
Closed, ResolvedPublicSecurity
Actions

Description

Is a bit similar to T285515: CVE-2021-41798: XSS vulnerability in Special:Search.

Steps to reproduce
  1. Perform a CheckUser request so that the CheckUser log is not empty.
  2. Set MediaWiki:October to <img src=x onerror=alert(1)>
  3. Go to Special:CheckUserLog
  4. Enjoy your alert box.

xss_checkuser.png (859×1 px, 89 KB)

This is possible due to the date value not being escaped.

$rowContent = $this->msg(
	'checkuser-log-entry-' . $row->cul_type,
	$user,
	$target,
	$lang->userTimeAndDate( wfTimestamp( TS_MW, $row->cul_timestamp ), $contextUser ),
	$lang->userDate( wfTimestamp( TS_MW, $row->cul_timestamp ), $contextUser ),
	$lang->userTime( wfTimestamp( TS_MW, $row->cul_timestamp ), $contextUser )
)->text();

Details

Risk Rating
Low
Author Affiliation
Wikimedia Communities
SubjectRepoBranchLines +/-
SECURITY: Escape date valuesmediawiki/extensions/CheckUserREL1_35+9 -3
SECURITY: Escape date valuesmediawiki/extensions/CheckUserREL1_37+9 -3
SECURITY: Escape date valuesmediawiki/extensions/CheckUserREL1_36+9 -3
SECURITY: Escape date valuesmediawiki/extensions/CheckUsermaster+9 -3
Customize query in gerrit

Related Objects
Search...

Event Timeline

Zabe created this task.Oct 7 2021, 9:37 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptOct 7 2021, 9:37 PM
Zabe claimed this task.Oct 7 2021, 9:38 PM
Zabe added projects: Vuln-XSS, CheckUser, User-Zabe.

0001-SECURITY-Escape-date-values.patch1 KBDownload

proposed patch

sbassett triaged this task as Low priority.Oct 13 2021, 6:23 PM
sbassett changed Risk Rating from N/A to Low.
sbassett moved this task from Incoming to Security Patch To Deploy on the Security-Team board.EditedOct 13 2021, 6:26 PM
sbassett added subscribers: Mstyles, sbassett.

This should be fairly low-risk, at least within Wikimedia production, as one would have to be able to exploit various date-related messages or have elevated on-wiki privileges to edit objects within the MediaWiki namespace. Like many similar MediaWiki message issues (as tracked at T2212 and elsewhere), we can push the above patch (+1) through gerrit this Monday (2021-10-18) and have it go out with wmf.5 next week. @Mstyles and I can likely handle that.

sbassett added a project: SecTeam-Processed.Oct 13 2021, 6:34 PM
sbassett added a comment.Oct 18 2021, 6:21 PM

gerritbot: https://gerrit.wikimedia.org/r/731784

sbassett added a subscriber: GerritBot.Oct 18 2021, 6:23 PM
sbassett edited subscribers, added: gerritbot; removed: GerritBot.
gerritbot added a comment.Oct 18 2021, 6:41 PM

Change 731784 merged by jenkins-bot:

[mediawiki/extensions/CheckUser@master] SECURITY: Escape date values

https://gerrit.wikimedia.org/r/731784

sbassett mentioned this in T292236: Write and send supplementary release announcement for extensions and skins with security patches (1.35.5/1.36.3/1.37.1).Oct 18 2021, 6:42 PM
gerritbot added a comment.Oct 18 2021, 6:43 PM

Change 731763 had a related patch set uploaded (by SBassett; author: Zabe):

[mediawiki/extensions/CheckUser@REL1_37] SECURITY: Escape date values

https://gerrit.wikimedia.org/r/731763

gerritbot added a project: Patch-For-Review.Oct 18 2021, 6:43 PM

Change 731764 had a related patch set uploaded (by SBassett; author: Zabe):

[mediawiki/extensions/CheckUser@REL1_36] SECURITY: Escape date values

https://gerrit.wikimedia.org/r/731764

gerritbot added a comment.Oct 18 2021, 7:18 PM

Change 731764 merged by jenkins-bot:

[mediawiki/extensions/CheckUser@REL1_36] SECURITY: Escape date values

https://gerrit.wikimedia.org/r/731764

gerritbot added a comment.Oct 18 2021, 8:05 PM

Change 731763 merged by jenkins-bot:

[mediawiki/extensions/CheckUser@REL1_37] SECURITY: Escape date values

https://gerrit.wikimedia.org/r/731763

Jdforrester-WMF added projects: MW-1.38-notes (1.38.0-wmf.5; 2021-10-19), MW-1.37-notes, MW-1.36-notes, MW-1.35-notes.Oct 18 2021, 11:21 PM
gerritbot added a comment.Oct 19 2021, 1:18 PM

Change 731949 had a related patch set uploaded (by Reedy; author: Zabe):

[mediawiki/extensions/CheckUser@REL1_35] SECURITY: Escape date values

https://gerrit.wikimedia.org/r/731949

sbassett removed a project: Patch-For-Review.EditedOct 21 2021, 7:11 PM

All of the backports have landed and everything is on wmf.5 in Wikimedia production, so I'm going to make this task public. This issue will be re-announced within the next supplemental security release.

sbassett changed the visibility from "Custom Policy" to "Public (No Login Required)".Oct 21 2021, 7:12 PM
sbassett changed the edit policy from "Custom Policy" to "All Users".
sbassett moved this task from Security Patch To Deploy to Our Part Is Done on the Security-Team board.
Reedy closed this task as Resolved.Nov 3 2021, 6:40 PM
Reedy added a parent task: T292236: Write and send supplementary release announcement for extensions and skins with security patches (1.35.5/1.36.3/1.37.1).
gerritbot added a comment.Nov 3 2021, 6:44 PM

Change 731949 merged by jenkins-bot:

[mediawiki/extensions/CheckUser@REL1_35] SECURITY: Escape date values

https://gerrit.wikimedia.org/r/731949

mmartorana renamed this task from XSS vulnerability in Special:CheckUserLog to XSS vulnerability in Special:CheckUserLog (CVE-2021-46150).Jan 10 2022, 5:01 PM
Zabe removed a project: User-Zabe.Apr 13 2022, 12:50 AM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL