Page MenuHomePhabricator
Create Task
Maniphest T294693

XSS on page information Wikibase central description (CVE-2021-45473)
Closed, ResolvedPublicSecurity
Actions

Description

Create an item with description <img src=x onerror=alert()> or change an existing item and add this description. Add a wiki sitelink or go to an existing wiki sitelink of that item. Click on the "page information" sidebar link, e.g. so you arrive at a page like https://en.wikipedia.org/w/index.php?title=Earth&action=info. View an alert box originating from the "Central description" row.

Details

SubjectRepoBranchLines +/-
Escape description before outputting it in action=infomediawiki/extensions/WikibaseREL1_37+1 -1
Escape description before outputting it in action=infomediawiki/extensions/WikibaseREL1_36+1 -1
Escape description before outputting it in action=infomediawiki/extensions/Wikibasemaster+1 -1
Escape description before outputting it in action=infomediawiki/extensions/WikibaseREL1_35+1 -1
Customize query in gerrit

Related Objects
Search...

Event Timeline

Dylsss created this task.Oct 30 2021, 8:06 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptOct 30 2021, 8:06 PM
Dylsss added a project: Vuln-XSS.Oct 30 2021, 8:13 PM
Dylsss updated the task description. (Show Details)
Urbanecm triaged this task as High priority.Oct 30 2021, 8:13 PM
Urbanecm added a project: Wikidata.
Urbanecm subscribed.

Confirmed, thanks for reporting.

Urbanecm added subscribers: Addshore, Lucas_Werkmeister_WMDE, ItamarWMDE.Oct 30 2021, 8:23 PM

T294693.patch1004 BDownload

@Addshore @Lucas_Werkmeister_WMDE @ItamarWMDE Can someone review please?

Urbanecm claimed this task.Oct 30 2021, 8:23 PM
Restricted Application added a project: User-Urbanecm. · View Herald TranscriptOct 30 2021, 8:23 PM
Reedy added a project: MediaWiki-extensions-WikibaseClient.Nov 1 2021, 3:37 PM
Reedy added a project: [DEPRECATED] wdwb-tech.
Reedy moved this task from Incoming to Security Patch To Deploy on the Security-Team board.
Reedy added a project: SecTeam-Processed.Nov 1 2021, 4:05 PM
Mstyles subscribed.Nov 1 2021, 9:11 PM

As soon as this gets reviewed by someone else, the security team will be more than happy to deploy!

Addshore added subscribers: noarave, Michael.Nov 1 2021, 10:18 PM
Lucas_Werkmeister_WMDE added a comment.Nov 8 2021, 10:07 AM

Patch looks good to me and fixes the issue locally.

WMDE-leszek subscribed.Nov 8 2021, 10:08 AM
Lucas_Werkmeister_WMDE added a comment.Nov 8 2021, 10:10 AM

I’ll try to deploy the security patch to wmf.7 (and also wmf.6 since T293948: 1.38.0-wmf.7 deployment blockers isn’t closed yet).

Lucas_Werkmeister_WMDE added a comment.Nov 8 2021, 10:26 AM

Security patch deployed and added to /srv/patches.

Lucas_Werkmeister_WMDE added a comment.Nov 8 2021, 10:30 AM

Fix tested on Test Wikidata and Test Wikipedia (action=info showed the HTML-escaped description; I’ve revdeleted the relevant edits).

Lucas_Werkmeister_WMDE added a subscriber: Jakob_WMDE.Nov 8 2021, 10:33 AM
Addshore added a subscriber: Tgr.Nov 8 2021, 11:12 AM
Lucas_Werkmeister_WMDE added a subscriber: Tarrow.Nov 8 2021, 12:25 PM
sbassett mentioned this in T292236: Write and send supplementary release announcement for extensions and skins with security patches (1.35.5/1.36.3/1.37.1).Nov 8 2021, 9:52 PM
sbassett subscribed.
In T294693#7488604, @Lucas_Werkmeister_WMDE wrote:

Security patch deployed and added to /srv/patches.

Thanks for the deploys. Also tracking this issue at T292236: Write and send supplementary release announcement for extensions and skins with security patches (1.35.5/1.36.3/1.37.1) and {T276237}.

sbassett moved this task from Security Patch To Deploy to Our Part Is Done on the Security-Team board.Nov 8 2021, 9:54 PM
Jakob_WMDE added a subscriber: toan.Nov 9 2021, 8:12 AM
Addshore added a project: Wikibase Release Strategy.Nov 9 2021, 9:26 AM
Addshore added subscribers: Samantha_Alipio_WMDE, rosalieper, Deniz_WMDE and 2 others.
toan added a subscriber: Rosalie_WMDE.Nov 16 2021, 2:27 PM
toan added a subscriber: Mohammed_Sadat_WMDE.Nov 25 2021, 4:58 PM
Addshore moved this task from Inbox to Active on the [DEPRECATED] wdwb-tech board.Nov 30 2021, 8:37 AM
WMDE-leszek added a subscriber: Reedy.Nov 30 2021, 10:11 AM

@sbassett @Reedy We're not clear about the procedure, but we certainly owe you a heads up that the security patch for this was commited to Wikibase master branch (backporting to 1.35-1.37 either already done or pending). I guess the patch could be removed from /srv/patches/?

WMDE-leszek added a comment.Nov 30 2021, 10:12 AM

We also intend to make this task public given the fix has landed in public git repository. Please stop us if there are some additional steps required (e.g. related to T292236)

Jdforrester-WMF added a project: MW-1.38-notes (1.38.0-wmf.12; 2021-12-06).Nov 30 2021, 2:15 PM
sbassett added a subscriber: gerritbot.Nov 30 2021, 3:30 PM
sbassett added a comment.Nov 30 2021, 3:35 PM
In T294693#7536805, @WMDE-leszek wrote:

@sbassett @Reedy We're not clear about the procedure, but we certainly owe you a heads up that the security patch for this was commited to Wikibase master branch (backporting to 1.35-1.37 either already done or pending). I guess the patch could be removed from /srv/patches/?

We also intend to make this task public given the fix has landed in public git repository. Please stop us if there are some additional steps required (e.g. related to T292236)

For non-bundled extensions like Wikibase, a task like this can be made public if mitigations have been deployed to Wikimedia production and there is no sensitive information on the task, which I do not believe there is. And yes, it's fine to handle any relevant backports once the issue has been mitigated within Wikimedia production. The backport to master means the patch will be removed from Wikimedia production either today for wmf.11 (if it made the cut) or next week for wmf.12 (or whatever it will be). This issue will get a proper CVE once we get closer to processing the supplemental security release, again towards the end of the December 2021. I believe that's pretty much everything left to do at this point.

WMDE-leszek changed the visibility from "Custom Policy" to "Public (No Login Required)".Nov 30 2021, 4:21 PM
WMDE-leszek changed the edit policy from "Custom Policy" to "All Users".
Zabe subscribed.Dec 6 2021, 5:57 PM
sbassett closed this task as Resolved.Dec 21 2021, 5:51 PM
sbassett added a parent task: T292236: Write and send supplementary release announcement for extensions and skins with security patches (1.35.5/1.36.3/1.37.1).Dec 23 2021, 5:25 PM
MoritzMuehlenhoff renamed this task from XSS on page information Wikibase central description to XSS on page information Wikibase central description (CVE-2021-45473).Dec 24 2021, 10:55 AM
Lucas_Werkmeister_WMDE mentioned this in T298767: Security Issue Access Request for Lucas_Werkmeister_WMDE.Jan 7 2022, 11:44 AM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL