
CVE-2021-44855: Blind Stored XSS via Upload Image via URL
Closed, Resolved · Public · Security

Description

Hi,

I found a blind stored XSS on https://id.wikipedia.org/

Follow me :)

Steps:

  1. Log in to your account here: https://commons.wikimedia.org/
  2. Then upload the image file here: https://commons.wikimedia.org/wiki/Special:UploadWizard
  3. If you have, click "Continue"
  4. Then you will find the features:

This site requires you to provide copyright information for this work, to make sure everyone can legally reuse it.
This file is my own work.
This file is not my own work.

  5. Select "This file is not my own work."
  6. The XSS is in the input form "Source & Author(s)"
  7. Next, input the XSS payload in the 2 input forms :)

Payloads:

"><img src=c onerror=prompt(document.domain)>
  8. Then if you have, click "Publish File"
  9. Then you will get the URL:

To use the file in a wiki, copy this text into a page:
[[File:HACKED0001231313123123123131.jpg|thumb|"><img src=c onerror=prompt(document.domain)>]]
To link to it in HTML, copy this URL:
https://commons.wikimedia.org/wiki/File:HACKED0001231313123123123131.jpg

  10. Next, edit a user article on https://id.wikipedia.org/
  11. Click Insert "Image & Media Tool"
  12. Input the URL of your photo location that has the XSS inserted :)

https://commons.wikimedia.org/wiki/File:HACKED0001231313123123123131.jpg

  13. Look, your photo appears
  14. Then click, and see a pop up appear and the XSS is triggered :)

Supporting report:

  1. Screenshot

Download now:
https://www.dropbox.com/s/mlleeemug0znhzf/BLIND%20STORED%20XSS%20WIKIPEDIA.jpg?dl=0

  2. Video

Download now:
https://www.dropbox.com/s/b4uge4kgdw3ves6/BLIND%20STORED%20XSS%20WIKIPEDIA%202.mp4?dl=0

Event Timeline

Hi @Aklapper

Thanks for responding :)

It might be a little different from the previous report, because in the previous report the XSS was triggered from the caption, while in this report the XSS was triggered in the author and source name, and the XSS was triggered blind on the Wikipedia main page :)

matmarex added a project: VisualEditor.
matmarex added a subscriber: matmarex.

Thanks for the report, I can reproduce the problem.

It's a bug in VisualEditor media dialog, occurring regardless of how the image was uploaded. Several of the image metadata fields are displayed incorrectly. We take the HTML from the API (where the payload is safely escaped), and then remove all formatting from it and treat the resulting plain text as if it was HTML, leading to the bug.

It looks like the bug was already present in the first version of that code from 2015 (rEVED4947420650ec: Transform the search widget to show image details).

It's probably difficult to exploit in practice, since you'd have to trick the user into opening the editor, searching for an image name or URL that you provide, and then inserting that image. (It's not exploitable by simply following a link.)

I'm working on a patch, it's a bit complicated since some metadata fields are supposed to be HTML, and I want to make sure we're handling all cases right.
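To make the mechanism described above concrete, here is an added illustration (not VisualEditor's code and not the patch attached to this task): API-escaped metadata HTML is flattened to plain text and then inserted as HTML again, beside the corrected path that escapes plaintext fields and passes genuine HTML fields through untouched. The entity subset decoded, the `<span class="field">` wrapper and the `isHtmlField` flag are assumptions made for the example; the sample field values are constructed.

```javascript
// Added example (not VisualEditor's code): the pattern behind this bug.
// The API delivers metadata as HTML with user input already escaped.
// The dialog then stripped the formatting to get plain text and inserted
// that plain text as HTML again, undoing the API's escaping.

// Drop tags and decode the basic entities (assumed subset of what the API emits).
function htmlToText(html) {
  return html
    .replace(/<[^>]*>/g, '')   // strip formatting tags
    .replace(/&lt;/g, '<')
    .replace(/&gt;/g, '>')
    .replace(/&quot;/g, '"')
    .replace(/&#39;/g, "'")
    .replace(/&amp;/g, '&');   // last, so "&amp;lt;" does not become "<"
}

// Escape plain text so it can be placed inside HTML as literal text.
function escapeHtml(text) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return text.replace(/[&<>"']/g, ch => map[ch]);
}

// Hypothetical wrapper markup standing in for the dialog's field container.
const wrap = inner => '<span class="field">' + inner + '</span>';

// Constructed sample: the "Author" field as the API would return it after
// escaping the payload quoted in this report.
const API_AUTHOR_HTML = '&quot;&gt;&lt;img src=c onerror=prompt(document.domain)&gt;';
// Constructed sample of a field that is meant to stay HTML (a link) with an
// escaped angle bracket inside it.
const API_DESC_HTML = 'Photo by <a href="/wiki/User:Example">Example</a> (&lt;b&gt;)';

// Vulnerable: plain text treated as HTML (the pre-patch behaviour described above).
function renderFieldVulnerable(apiHtml) {
  return wrap(htmlToText(apiHtml));
}

// Fixed: plaintext fields are escaped before insertion; fields that are meant
// to be HTML are passed through as the API delivered them (no double escaping).
function renderField(apiHtml, isHtmlField) {
  return isHtmlField ? wrap(apiHtml) : wrap(escapeHtml(htmlToText(apiHtml)));
}

// Check helper: does the rendered field contain any tag beyond the wrapper?
function containsInjectedTag(markup) {
  const inner = markup.slice('<span class="field">'.length, -'</span>'.length);
  return /<[a-z]/i.test(inner);
}
```

Run `containsInjectedTag(renderFieldVulnerable(API_AUTHOR_HTML))` to see the tag survive the old path, and the same check on `renderField(API_AUTHOR_HTML, false)` to see the fixed path keep it as literal text.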

Patch:

This is the simplest patch that fixes the vulnerability, without double-escaping other fields.

There are some other improvements to be made (fixing raw HTML messages, and avoiding parsing and escaping HTML several times), but I haven't finished investigating that, and we can do those later in public with normal code review.

Reedy renamed this task from [ SECURITY VULNERABILIT ] Blind Stored XSS at https://id.wikipedia.org/ Via Upload Image Via URL to [ SECURITY VULNERABILITY ] Blind Stored XSS at https://id.wikipedia.org/ Via Upload Image Via URL. Oct 18 2021, 1:31 PM

+1 to @matmarex' patch above. The Security-Team should be able to have this deployed by today's security deployment window (21:00 UTC) at the latest.

sbassett changed Risk Rating from N/A to High.

Patch for the other improvements I promised in my previous comment:
[not a security patch, no need to deploy this]

At first I wanted to wait until I can submit it publicly for code review in Gerrit, but then I realized that we'll probably need to wait until the next MediaWiki security release (because VisualEditor is now a bundled extension), and I don't know when that will be and it might be a while. I'm uploading it here so that I don't accidentally lose it, but feel free to review now if you want.

> Patch for the other improvements I promised in my previous comment:
> [not a security patch, no need to deploy this]

Ok, thanks.

> At first I wanted to wait until I can submit it publicly for code review in Gerrit, but then I realized that we'll probably need to wait until the next MediaWiki security release (because VisualEditor is now a bundled extension), and I don't know when that will be and it might be a while. I'm uploading it here so that I don't accidentally lose it, but feel free to review now if you want.

We (mainly @Reedy) have been getting them out pretty consistently at the end of each quarter. So the next one (T292226) would likely be released around the last week of December 2021, or maybe a bit before that due to end-of-the-year holidays, etc.

@Mstyles and I still plan to deploy the security patch from T293589#7435882 in about 15 minutes, along with the one from T293556#7437990.

Mstyles lowered the priority of this task from High to Low. Oct 18 2021, 10:07 PM
Mstyles moved this task from Security Patch To Deploy to Our Part Is Done on the Security-Team board.

Hi @sbassett

After I double checked, it seems this behavior has been fixed.

Can you confirm it?

> After I double checked, it seems this behavior has been fixed.
>
> Can you confirm it?

Yes, this issue is now fixed within Wikimedia production. The issue is still private and will be held for the next security release, due out sometime towards the end of December 2021, where it will be publicly disclosed. Thanks again for the report.

FYI, @Esanders has started working on a lint check that would prevent adding vulnerable code in the future: https://github.com/wikimedia/eslint-plugin-no-jquery/pull/284. This is likely to have many false positives, so it might not be practical to enable everywhere, but we're hoping to do it for VisualEditor at least.

@Esanders, @matmarex - That's great. The Security-Team definitely encourages this kind of proactive security development. At some point it might make sense to move a rule like this to semgrep or another security-related tool, but we can address that at some later date, likely next year when Gitlab should be far more active and the canonical source for most Wikimedia repos.

Reedy renamed this task from [ SECURITY VULNERABILITY ] Blind Stored XSS at https://id.wikipedia.org/ Via Upload Image Via URL to Blind Stored XSS via Upload Image via URL. Oct 22 2021, 8:17 PM
sbassett added a subscriber: Dylsss.

Would be useful to know which branches this applies to/needs backporting to for reference to MW release branches

All of them, the buggy code dates to 2015 (T293589#7435793).

Thanks! Will have to see how trivial the backports are (in a month or so!)

Per conversation with @jeena, rebased security patch which should apply cleanly to wmf.9:

Looks like this should apply fairly cleanly all the way back to REL1_35.

Reedy renamed this task from Blind Stored XSS via Upload Image via URL to CVE-2021-44855: Blind Stored XSS via Upload Image via URL. Dec 13 2021, 3:03 AM

Hi @Reedy @sbassett

Can the URL of this report be disclosed, sir?

> Hi @Reedy @sbassett
>
> Can the URL of this report be disclosed, sir?

Hey - @Reedy should have the security release out sometime this week or early next week. At that time, this task will be made public, and the url will be disclosed. We would appreciate if you could wait until this task is officially made public to disclose the url.

Change 747575 had a related patch set uploaded (by Reedy; author: Reedy):

[mediawiki/core@REL1_35] Bug: T293589

https://gerrit.wikimedia.org/r/747575

Change 747582 had a related patch set uploaded (by Reedy; author: Reedy):

[mediawiki/core@REL1_36] Bug: T293589

https://gerrit.wikimedia.org/r/747582

Change 747592 had a related patch set uploaded (by Reedy; author: SBassett):

[mediawiki/extensions/VisualEditor@master] SECURITY: ve.ui.MWMediaDialog: Escape plaintext image metadata fields

https://gerrit.wikimedia.org/r/747592

Change 747589 had a related patch set uploaded (by Reedy; author: Reedy):

[mediawiki/core@REL1_37] Bug: T293589

https://gerrit.wikimedia.org/r/747589

Change 747593 had a related patch set uploaded (by Reedy; author: SBassett):

[mediawiki/extensions/VisualEditor@REL1_37] SECURITY: ve.ui.MWMediaDialog: Escape plaintext image metadata fields

https://gerrit.wikimedia.org/r/747593

Change 747594 had a related patch set uploaded (by Reedy; author: SBassett):

[mediawiki/extensions/VisualEditor@REL1_36] SECURITY: ve.ui.MWMediaDialog: Escape plaintext image metadata fields

https://gerrit.wikimedia.org/r/747594

Change 747595 had a related patch set uploaded (by Reedy; author: SBassett):

[mediawiki/extensions/VisualEditor@REL1_35] SECURITY: ve.ui.MWMediaDialog: Escape plaintext image metadata fields

https://gerrit.wikimedia.org/r/747595

Change 747575 abandoned by Reedy:

[mediawiki/core@REL1_35] Bug: T293589

Reason:

https://gerrit.wikimedia.org/r/747575

Change 747589 abandoned by Reedy:

[mediawiki/core@REL1_37] Bug: T293589

Reason:

https://gerrit.wikimedia.org/r/747589

Change 747582 abandoned by Reedy:

[mediawiki/core@REL1_36] Bug: T293589

Reason:

https://gerrit.wikimedia.org/r/747582

Reedy changed the visibility from "Custom Policy" to "Public (No Login Required)". Dec 15 2021, 7:52 PM
Reedy changed the edit policy from "Custom Policy" to "All Users".

Change 747595 merged by jenkins-bot:

[mediawiki/extensions/VisualEditor@REL1_35] SECURITY: ve.ui.MWMediaDialog: Escape plaintext image metadata fields

https://gerrit.wikimedia.org/r/747595

Change 747593 merged by jenkins-bot:

[mediawiki/extensions/VisualEditor@REL1_37] SECURITY: ve.ui.MWMediaDialog: Escape plaintext image metadata fields

https://gerrit.wikimedia.org/r/747593

Change 747594 merged by jenkins-bot:

[mediawiki/extensions/VisualEditor@REL1_36] SECURITY: ve.ui.MWMediaDialog: Escape plaintext image metadata fields

https://gerrit.wikimedia.org/r/747594

Change 747592 merged by jenkins-bot:

[mediawiki/extensions/VisualEditor@master] SECURITY: ve.ui.MWMediaDialog: Escape plaintext image metadata fields

https://gerrit.wikimedia.org/r/747592

Change 747703 had a related patch set uploaded (by Robert Vogel; author: SBassett):

[mediawiki/extensions/VisualEditor@REL1_31] SECURITY: ve.ui.MWMediaDialog: Escape plaintext image metadata fields

https://gerrit.wikimedia.org/r/747703

@aidilarf28 - Just to follow up, the security release is out and this task is now public. Feel free to reference it and the url directly.

Change 747703 abandoned by Robert Vogel:

[mediawiki/extensions/VisualEditor@REL1_31] SECURITY: ve.ui.MWMediaDialog: Escape plaintext image metadata fields

Reason:

https://gerrit.wikimedia.org/r/747703