Page MenuHomePhabricator
Create Task
Maniphest T294879

XSS on croptool.toolforge.org
Closed, ResolvedPublicSecurity
Actions

Description

Go to https://croptool.toolforge.org/?site=<script>alert()</script>&title=Oculus+Quest+II+(50844634326).jpg or https://croptool.toolforge.org/?site=commons.wikimedia.org&title=<script>alert()</script> and view the numerous alert popups.

Furthermore, I was able to create a proof of concept URL which when clicked, would result in a file being uploaded or overwritten. This could potentially also be exploited to overwrite a highly in-use file when clicked by a user with sysop permissions, vandalizing highly visible pages.

Details

Risk Rating
Medium
Author Affiliation
Wikimedia Communities

Event Timeline

Dylsss created this task.Nov 3 2021, 1:01 AM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptNov 3 2021, 1:01 AM
Dylsss added a project: Tools.Nov 3 2021, 1:03 AM
Aklapper added a subscriber: Danmichaelo.Nov 3 2021, 8:14 AM

Thanks for reporting this!
CC'ing @Danmichaelo per https://admin.toolforge.org/tools (but not sure how active they are; plus there is also https://github.com/danmichaelo/croptool )

Aklapper added a project: Vuln-XSS.Nov 3 2021, 8:15 AM
Reedy edited projects, added SecTeam-Processed; removed Security-Team.Nov 3 2021, 2:01 PM
Dylsss added a comment.EditedNov 24 2021, 1:29 AM

In app.js

config(['$translateProvider', function($translateProvider) {
    $translateProvider.useSanitizeValueStrategy('escapeParameters');
    $translateProvider.useStaticFilesLoader({
        prefix: 'locale/',
        suffix: '.json'
    });
    $translateProvider.useSanitizeValueStrategy('sceParameters');
    $translateProvider.preferredLanguage('en');
}]).

It seems that the interpolation parameters are trusted as HTML and thus not escaped due to this line

$translateProvider.useSanitizeValueStrategy('sceParameters');

I removed this line and it fixed the XSS locally.

Aklapper added a comment.Jan 19 2022, 10:04 PM

@Danmichaelo: Could you please answer? Thanks in advance!

Danmichaelo closed this task as Resolved.Jun 6 2022, 8:48 PM
Danmichaelo claimed this task.

@Aklapper @Dylsss Sorry that I missed this, have been on a wikibreak and missed the notifications!

Thanks a lot for reporting and also suggesting a fix! Have tested and committed the fix in https://github.com/danmichaelo/croptool/commit/70527617a908fa0aecb2d87fd455ac7adac8281f and deployed it now

sbassett triaged this task as Medium priority.Jun 6 2022, 8:57 PM
sbassett changed Author Affiliation from N/A to Wikimedia Communities.
sbassett changed the visibility from "Custom Policy" to "Public (No Login Required)".
sbassett changed the edit policy from "Custom Policy" to "All Users".
sbassett changed Risk Rating from N/A to Medium.
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits