
XSS on croptool.toolforge.org
Closed, ResolvedPublicSecurity

Description

Go to https://croptool.toolforge.org/?site=<script>alert()</script>&title=Oculus+Quest+II+(50844634326).jpg or https://croptool.toolforge.org/?site=commons.wikimedia.org&title=<script>alert()</script> and view the numerous alert popups.

Furthermore, I was able to create a proof of concept URL which when clicked, would result in a file being uploaded or overwritten. This could potentially also be exploited to overwrite a highly in-use file when clicked by a user with sysop permissions, vandalizing highly visible pages.

Details

Risk Rating
Medium
Author Affiliation
Wikimedia Communities

Event Timeline

Thanks for reporting this!
CC'ing @Danmichaelo per https://admin.toolforge.org/tools (but not sure how active they are; plus there is also https://github.com/danmichaelo/croptool )

In app.js

config(['$translateProvider', function($translateProvider) {
    // Interpolation parameters are HTML-escaped before insertion (the safe setting)
    $translateProvider.useSanitizeValueStrategy('escapeParameters');
    $translateProvider.useStaticFilesLoader({
        prefix: 'locale/',
        suffix: '.json'
    });
    // Replaces the strategy set above: parameters are now trusted as HTML and inserted unescaped
    $translateProvider.useSanitizeValueStrategy('sceParameters');
    $translateProvider.preferredLanguage('en');
}]).

It seems that the interpolation parameters are trusted as HTML and thus not escaped due to this line

$translateProvider.useSanitizeValueStrategy('sceParameters');

I removed this line and it fixed the XSS locally.
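As an added illustration of why that single line matters, here is a small model of the two sanitize-value strategies named in the comment above. It is written for this page and is not croptool's code nor the angular-translate library itself; the `{{name}}` placeholder syntax and the two strategy names are taken from the library, while the provider stub, the message template and the `renderWith` helper are assumptions made for the demonstration.

```javascript
// Added example: a minimal model of angular-translate's sanitize-value
// strategies, written for this page. Not croptool's code and not the
// angular-translate source; only the {{name}} placeholder syntax and the
// strategy names 'escapeParameters' / 'sceParameters' come from the library.

// Escape the five characters that matter when a value lands in HTML text.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Interpolate {{param}} placeholders according to the chosen strategy.
// 'escapeParameters': each parameter is HTML-escaped before insertion.
// 'sceParameters'   : parameters are treated as already-trusted HTML and
//                     inserted verbatim (this models $sce.trustAsHtml).
function interpolate(template, params, strategy) {
  return template.replace(/\{\{\s*(\w+)\s*\}\}/g, (_match, name) => {
    const raw = Object.prototype.hasOwnProperty.call(params, name) ? params[name] : '';
    switch (strategy) {
      case 'escapeParameters':
        return escapeHtml(raw);
      case 'sceParameters':
        return String(raw);
      default:
        throw new Error(`unknown sanitize strategy: ${strategy}`);
    }
  });
}

// Stand-in for $translateProvider (assumption): calling
// useSanitizeValueStrategy() twice keeps only the last value, which is why
// the second call in app.js silently undid the first.
class TranslateProviderModel {
  constructor() { this.strategy = null; }
  useSanitizeValueStrategy(strategy) { this.strategy = strategy; return this; }
}

// The configuration sequence as it appeared in app.js before the fix.
function strategyBeforeFix() {
  const p = new TranslateProviderModel();
  p.useSanitizeValueStrategy('escapeParameters');
  p.useSanitizeValueStrategy('sceParameters');
  return p.strategy;
}

// The same sequence with the second call removed, as in the committed fix.
function strategyAfterFix() {
  const p = new TranslateProviderModel();
  p.useSanitizeValueStrategy('escapeParameters');
  return p.strategy;
}

// Constructed input: the ?site= value from the report used as a translation
// parameter, with a hypothetical English message template.
const ATTACKER_PARAMS = { site: '<script>alert()</script>' };
const TEMPLATE = 'Loading file from {{site}}';

function renderWith(strategy) {
  return interpolate(TEMPLATE, ATTACKER_PARAMS, strategy);
}

console.log('before fix:', renderWith(strategyBeforeFix()));
console.log('after fix: ', renderWith(strategyAfterFix()));
```

Running it prints the markup intact under `sceParameters` and escaped (`&lt;script&gt;...`) under `escapeParameters`. The defender's takeaway is the one the comment makes: a trusting strategy is only safe when every interpolation parameter is developer-controlled, and a later `useSanitizeValueStrategy` call replaces the earlier one rather than combining with it, so a config review should look at the last call, not the first.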

@Danmichaelo: Could you please answer? Thanks in advance!

Danmichaelo claimed this task.

@Aklapper @Dylsss Sorry that I missed this, have been on a wikibreak and missed the notifications!

Thanks a lot for reporting and also suggesting a fix! Have tested and committed the fix in https://github.com/danmichaelo/croptool/commit/70527617a908fa0aecb2d87fd455ac7adac8281f and deployed it now.

sbassett triaged this task as Medium priority. Jun 6 2022, 8:57 PM
sbassett changed Author Affiliation from N/A to Wikimedia Communities.
sbassett changed the visibility from "Custom Policy" to "Public (No Login Required)".
sbassett changed the edit policy from "Custom Policy" to "All Users".
sbassett changed Risk Rating from N/A to Medium.