Description
Go to https://commons.wikimedia.org/wiki/Special:ImportFile?clientUrl=https://en.wikipedia.org/<img/src/onerror=alert()> and view the alert popup. Any valid import source followed by a payload without spaces (as spaces are replaced with underscores) is unescaped and interpreted as actual HTML.
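The root cause in the description is the classic one: a request parameter is placed into page markup without being escaped, so a value that contains a tag is rendered as HTML. The following PHP is an added example, not FileImporter's or MediaWiki's own code; the function names, the error message text and the `normalizeClientUrl` helper are hypothetical stand-ins that isolate the escaping step, and the input string is the one from the task description.

```php
<?php
// Added example (not the extension's code): the anti-pattern behind an
// unescaped-parameter XSS on a special page, beside a hardened version.
// All function names here are hypothetical; MediaWiki itself builds such
// output through OutputPage and the Html helper class.

// Mirrors the behaviour noted in the task: spaces in the parameter are
// replaced with underscores before the value is shown back to the user.
function normalizeClientUrl(string $clientUrl): string {
    return str_replace(' ', '_', $clientUrl);
}

// Vulnerable pattern: the parameter is interpolated into markup as-is, so
// any tag inside the value becomes real HTML when the message is rendered.
function renderErrorUnsafe(string $clientUrl): string {
    $url = normalizeClientUrl($clientUrl);
    return "<p class=\"error\">Could not import from $url</p>";
}

// Hardened pattern: escape once, at the point where the string enters HTML.
// ENT_QUOTES also neutralises quotes, which matters if the value ever lands
// in an attribute; UTF-8 is the charset MediaWiki serves.
function renderErrorSafe(string $clientUrl): string {
    $url = htmlspecialchars(normalizeClientUrl($clientUrl), ENT_QUOTES, 'UTF-8');
    return "<p class=\"error\">Could not import from $url</p>";
}

// Regression check a reviewer can keep: a tag in the input must not survive
// as a tag in the rendered output.
function containsRawTag(string $html, string $tag): bool {
    return strpos($html, "<$tag") !== false;
}

// Constructed input, taken from the task description.
$payload = 'https://en.wikipedia.org/<img/src/onerror=alert()>';

assert(containsRawTag(renderErrorUnsafe($payload), 'img') === true);
assert(containsRawTag(renderErrorSafe($payload), 'img') === false);

// Prints: <p class="error">Could not import from
//         https://en.wikipedia.org/&lt;img/src/onerror=alert()&gt;</p>
echo renderErrorSafe($payload), PHP_EOL;
```

In MediaWiki code the same effect is normally obtained by never string-concatenating user input into markup at all: `Html::element( 'p', [ 'class' => 'error' ], $text )` escapes its text argument, and `$out->addWikiMsg()` renders messages through the parser, which also escapes raw parameters. The detection side is the task's own observation: after the fix the crafted URL should produce an ordinary error message, and the rendered page source should contain `&lt;img` rather than `<img`.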
Details
- Risk Rating
- Low
- Author Affiliation
- Wikimedia Communities
Status | Subtype | Assigned | Task
---|---|---|---
Resolved | | Reedy | T292226 Release MediaWiki 1.35.5/1.36.3/1.37.1
Resolved | | Mstyles | T292236 Write and send supplementary release announcement for extensions and skins with security patches (1.35.5/1.36.3/1.37.1)
Resolved | Security | thiemowmde | T296605 XSS in Special:ImportFile URL (CVE-2021-45474)
Event Timeline
Confirmed as a legitimate XSS for auth'd users. Hopefully we can get a patch up soon for this (please do not send it through gerrit) and get it deployed sooner than later.
Oh no, I missed the "not Gerrit" comment. The patch is super trivial: https://gerrit.wikimedia.org/r/742501. I gave it a vague but still correct commit message to not catch extra attention. Unfortunately I'm probably not able to assist a backport.
@thiemowmde - Ok. It'd be nice to get maybe one more +1 on the patch from someone closer to the code, but I'm fine +2'ing later and picking to wmf.9 for a deploy during today's security window (UTC 22:00).
Change 742263 had a related patch set uploaded (by SBassett; author: Thiemo Kreuz (WMDE)):
[mediawiki/extensions/FileImporter@wmf/1.38.0-wmf.9] Fix special page displaying unescaped user input
Change 742263 merged by jenkins-bot:
[mediawiki/extensions/FileImporter@wmf/1.38.0-wmf.9] Fix special page displaying unescaped user input
Deployed as a backport to wmf.9. The XSS for the commons url in the task description no longer works and instead throws a proper error. Logstash seems happy for now, but I'll continue to keep an eye on it. And the master patch should merge soon as well, making the cut for wmf.11 tomorrow. So no need to keep a security patch up on deployment. Also tracked at T292236 and T276237.
Change 742501 merged by jenkins-bot:
[mediawiki/extensions/FileImporter@master] Fix special page displaying unescaped user input
I guess this can be closed now. Please feel free to re-open if there's anything remaining that needs to be taken care of.
Yes, this is technically resolved. The remaining work would be:
- Making this task public
- Pushing any relevant backports up to gerrit
- Requesting a CVE and announcing within the next supplemental security release
It should be fine to do the first two whenever WMDE folks would like.
Change 745373 had a related patch set uploaded (by Thiemo Kreuz (WMDE); author: Thiemo Kreuz (WMDE)):
[mediawiki/extensions/FileImporter@wmf/1.38.0-wmf.10] Fix special page displaying unescaped user input
Change 745374 had a related patch set uploaded (by Thiemo Kreuz (WMDE); author: Thiemo Kreuz (WMDE)):
[mediawiki/extensions/FileImporter@REL1_35] Fix special page displaying unescaped user input
Change 745375 had a related patch set uploaded (by Thiemo Kreuz (WMDE); author: Thiemo Kreuz (WMDE)):
[mediawiki/extensions/FileImporter@REL1_36] Fix special page displaying unescaped user input
Change 745376 had a related patch set uploaded (by Thiemo Kreuz (WMDE); author: Thiemo Kreuz (WMDE)):
[mediawiki/extensions/FileImporter@REL1_37] Fix special page displaying unescaped user input
Personally I'm fine with making this public, but would like to get a go from the security team.
I checked all relevant MediaWiki versions, starting with the deployed ones.
✅ master: done
✅ 1.38.0-wmf.9: done
❌ 1.38.0-wmf.10: not fixed
✅ 1.38.0-wmf.11: done
✅ 1.38.0-wmf.12: done
✅ REL1_35 (current LTS): done
✅ REL1_36 (not obsolete yet): done
✅ REL1_37 (current stable): done
I don't think wmf.10 is relevant in any way. But backporting this is so easy, it can't hurt. I'm not so sure about REL1_36. It's still marked in green in the version lifecycle chart. Anyway, here are all Patch-For-Review:
- wmf/1.38.0-wmf.10: https://gerrit.wikimedia.org/r/745373
- REL1_35: https://gerrit.wikimedia.org/r/745374
- REL1_36: https://gerrit.wikimedia.org/r/745375
- REL1_37: https://gerrit.wikimedia.org/r/745376
Yes, I'll make this task public now, as all of the change sets in gerrit are public. It's normally fine to do this once an issue has been patched in Wikimedia production. The only time we really delay disclosure is for anything bundled with the tarball releases. Also, wmf.10 and wmf.11 were both skipped.
Change 745376 merged by jenkins-bot:
[mediawiki/extensions/FileImporter@REL1_37] Fix special page displaying unescaped user input
Change 745375 merged by jenkins-bot:
[mediawiki/extensions/FileImporter@REL1_36] Fix special page displaying unescaped user input
Change 745374 merged by jenkins-bot:
[mediawiki/extensions/FileImporter@REL1_35] Fix special page displaying unescaped user input
Change 745373 abandoned by WMDE-Fisch:
[mediawiki/extensions/FileImporter@wmf/1.38.0-wmf.10] Fix special page displaying unescaped user input
Reason:
.10 will never be deployed anywhere it seems.