
XSS on page information Wikibase central description
Open, High, Public, Security

Description

Create an item with the description <img src=x onerror=alert()>, or change an existing item and add this description. Add a wiki sitelink, or go to an existing wiki sitelink of that item. Click on the "page information" sidebar link, so that you arrive at a page like https://en.wikipedia.org/w/index.php?title=Earth&action=info. An alert box originating from the "Central description" row appears.
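The report above describes a stored-XSS sink: a user-controlled Wikibase item description is interpolated into the action=info table as raw HTML, so the payload's onerror handler runs in the context of the wiki where the sitelink lives. What follows is an added, stand-alone PHP illustration and not Wikibase's or MediaWiki's own code; the function names renderInfoRowUnsafe, renderInfoRowSafe, escapeHtml and containsEventHandler are invented for it, and the sample payload is the one from the description. It shows the vulnerable pattern next to the escaping that an "HTML-escaped description" fix implies, using only PHP's built-in htmlspecialchars.

```php
<?php
// Added example, not Wikibase/MediaWiki code. It demonstrates why an
// unescaped item description in the "Central description" row of
// action=info is XSS, and what the escaped version of that row looks like.

// Constructed sample input: the payload from the task description.
const PAYLOAD = '<img src=x onerror=alert()>';

// Vulnerable pattern: the description string is dropped straight into
// markup. Anything the user typed becomes part of the page's HTML.
function renderInfoRowUnsafe(string $label, string $description): string {
    return "<tr><td>$label</td><td>$description</td></tr>";
}

// Hardened pattern: every untrusted value is escaped for an HTML text
// context. ENT_QUOTES also escapes ' and ", so the same helper is safe
// for attribute values; ENT_SUBSTITUTE avoids returning "" on bad UTF-8.
function escapeHtml(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function renderInfoRowSafe(string $label, string $description): string {
    return '<tr><td>' . escapeHtml($label) . '</td><td>'
        . escapeHtml($description) . '</td></tr>';
}

// Crude sink check, only here to make the difference visible: does the
// rendered row still contain a live tag carrying an on* event handler?
// The trusted <tr>/<td> wrapper has no attributes, so a match can only
// come from the interpolated description.
function containsEventHandler(string $html): bool {
    return (bool) preg_match('/<\s*[a-z][^>]*\bon[a-z]+\s*=/i', $html);
}

$unsafe = renderInfoRowUnsafe('Central description', PAYLOAD);
$safe   = renderInfoRowSafe('Central description', PAYLOAD);

echo "unsafe: $unsafe\n";
echo "safe:   $safe\n";
echo 'unsafe row carries an event handler: '
    . var_export(containsEventHandler($unsafe), true) . "\n";   // true
echo 'safe row carries an event handler:   '
    . var_export(containsEventHandler($safe), true) . "\n";     // false
```

Run it with `php example.php`. The safe row renders the description as the literal text &lt;img src=x onerror=alert()&gt;, which the browser displays but never parses as a tag. In MediaWiki-based code the same effect is normally obtained by building the cell with Html::element(), which escapes its text argument, rather than Html::rawElement() with a preassembled string; which of those Wikibase's actual patch used is not stated on this task.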

Event Timeline

Urbanecm added a project: Wikidata.
Urbanecm added a subscriber: Urbanecm.

Confirmed, thanks for reporting.

As soon as this gets reviewed by someone else, the security team will be more than happy to deploy!

Patch looks good to me and fixes the issue locally.

I’ll try to deploy the security patch to wmf.7 (and also wmf.6 since T293948: 1.38.0-wmf.7 deployment blockers isn’t closed yet).

Security patch deployed and added to /srv/patches.

Fix tested on Test Wikidata and Test Wikipedia (action=info showed the HTML-escaped description; I’ve revdeleted the relevant edits).

Security patch deployed and added to /srv/patches.

Thanks for the deploys. Also tracking this issue at {T292236} and {T276237}.

@sbassett @Reedy We're not clear about the procedure, but we certainly owe you a heads up that the security patch for this was committed to Wikibase master branch (backporting to 1.35-1.37 either already done or pending). I guess the patch could be removed from /srv/patches/?

We also intend to make this task public given the fix has landed in public git repository. Please stop us if there are some additional steps required (e.g. related to T292236)

For non-bundled extensions like Wikibase, a task like this can be made public if mitigations have been deployed to Wikimedia production and there is no sensitive information on the task, which I do not believe there is. And yes, it's fine to handle any relevant backports once the issue has been mitigated within Wikimedia production. The backport to master means the patch will be removed from Wikimedia production either today for wmf.11 (if it made the cut) or next week for wmf.12 (or whatever it will be). This issue will get a proper CVE once we get closer to processing the supplemental security release, again towards the end of December 2021. I believe that's pretty much everything left to do at this point.

WMDE-leszek changed the visibility from "Custom Policy" to "Public (No Login Required)". Tue, Nov 30, 4:21 PM
WMDE-leszek changed the edit policy from "Custom Policy" to "All Users".