Page MenuHomePhabricator
Create Task
Maniphest T296605

XSS in Special:ImportFile URL (CVE-2021-45474)
Closed, ResolvedPublic1 Estimated Story PointsSecurity
Actions

Description

Go to https://commons.wikimedia.org/wiki/Special:ImportFile?clientUrl=https://en.wikipedia.org/<img/src/onerror=alert()> and view the alert popup. Any valid import source followed by a payload without spaces (as spaces are replaced with underscores) is unescaped and interpreted as actual HTML.

Details

Risk Rating
Low
Author Affiliation
Wikimedia Communities
SubjectRepoBranchLines +/-
Fix special page displaying unescaped user inputmediawiki/extensions/FileImporterwmf/1.38.0-wmf.10+1 -1
Fix special page displaying unescaped user inputmediawiki/extensions/FileImporterREL1_35+1 -1
Fix special page displaying unescaped user inputmediawiki/extensions/FileImporterREL1_36+1 -1
Fix special page displaying unescaped user inputmediawiki/extensions/FileImporterREL1_37+1 -1
Fix special page displaying unescaped user inputmediawiki/extensions/FileImportermaster+1 -1
Fix special page displaying unescaped user inputmediawiki/extensions/FileImporterwmf/1.38.0-wmf.9+1 -1
Customize query in gerrit

Related Objects
Search...

Event Timeline

Dylsss created this task.Nov 29 2021, 2:42 AM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptNov 29 2021, 2:42 AM
Dylsss added projects: Vuln-XSS, Move-Files-To-Commons.Nov 29 2021, 2:44 AM
Dylsss updated the task description. (Show Details)
Dylsss updated the task description. (Show Details)Nov 29 2021, 2:47 AM
Dylsss updated the task description. (Show Details)Nov 29 2021, 2:50 AM
Dylsss updated the task description. (Show Details)Nov 29 2021, 3:04 AM
sbassett moved this task from Incoming to Watching on the Security-Team board.Nov 29 2021, 5:02 PM
sbassett added a project: SecTeam-Processed.
sbassett added subscribers: thiemowmde, Addshore, WMDE-Fisch and 2 others.

Confirmed as a legitimate XSS for auth'd users. Hopefully we can get a patch up soon for this (please do not send it through gerrit) and get it deployed sooner than later.

thiemowmde claimed this task.Nov 29 2021, 5:49 PM
thiemowmde set the point value for this task to 1.
thiemowmde added a project: WMDE-TechWish-Sprint-2021-11-24.
thiemowmde moved this task from Backlog to Tickets in sprint on the Move-Files-To-Commons board.
thiemowmde moved this task from Sprint Backlog to Tech Review on the WMDE-TechWish-Sprint-2021-11-24 board.
thiemowmde added a subscriber: awight.
thiemowmde added a comment.Nov 29 2021, 5:52 PM

Oh no, I missed the "not Gerrit" comment. The patch is super trivial: https://gerrit.wikimedia.org/r/742501. I gave it a vague but still correct commit message to not catch extra attention. Unfortunately I'm probably not able to assist a backport.

sbassett added a subscriber: gerritbot.Nov 29 2021, 6:24 PM
sbassett added a comment.Nov 29 2021, 7:31 PM

@thiemowmde - Ok. It'd be nice to get maybe one more +1 on the patch from someone closer to the code, but I'm fine +2'ing later and picking to wmf.9 for a deploy during today's security window (UTC 22:00).

gerritbot added a comment.Nov 29 2021, 7:46 PM

Change 742263 had a related patch set uploaded (by SBassett; author: Thiemo Kreuz (WMDE)):

[mediawiki/extensions/FileImporter@wmf/1.38.0-wmf.9] Fix special page displaying unescaped user input

https://gerrit.wikimedia.org/r/742263

gerritbot added a project: Patch-For-Review.Nov 29 2021, 7:46 PM
sbassett mentioned this in T292236: Write and send supplementary release announcement for extensions and skins with security patches (1.35.5/1.36.3/1.37.1).Nov 29 2021, 7:54 PM
gerritbot added a comment.Nov 29 2021, 10:14 PM

Change 742263 merged by jenkins-bot:

[mediawiki/extensions/FileImporter@wmf/1.38.0-wmf.9] Fix special page displaying unescaped user input

https://gerrit.wikimedia.org/r/742263

sbassett added a comment.Nov 29 2021, 10:23 PM

Deployed as a backport to wmf.9. The XSS for the commons url in the task description no longer works and instead throws a proper error. Logstash seems happy for now, but I'll continue to keep an eye on it. And the master patch should merge soon as well, making the cut for wmf.11 tomorrow. So no need to keep a security patch up on deployment. Also tracked at T292236 and T276237.

sbassett triaged this task as Low priority.Nov 29 2021, 10:24 PM
sbassett moved this task from Watching to Our Part Is Done on the Security-Team board.
sbassett removed a project: Patch-For-Review.
sbassett changed Author Affiliation from N/A to Wikimedia Communities.
sbassett changed Risk Rating from N/A to Low.
gerritbot added a comment.Nov 29 2021, 10:34 PM

Change 742501 merged by jenkins-bot:

[mediawiki/extensions/FileImporter@master] Fix special page displaying unescaped user input

https://gerrit.wikimedia.org/r/742501

Jdforrester-WMF added a project: MW-1.38-notes (1.38.0-wmf.9; 2021-11-16).Nov 30 2021, 2:44 AM
WMDE-Fisch moved this task from Tech Review to Demo on the WMDE-TechWish-Sprint-2021-11-24 board.Dec 2 2021, 8:15 AM
thiemowmde added a subscriber: lilients_WMDE.Dec 7 2021, 9:51 AM
WMDE-Fisch moved this task from Demo to Done on the WMDE-TechWish-Sprint-2021-11-24 board.Dec 7 2021, 9:52 AM
WMDE-Fisch closed this task as Resolved.Dec 7 2021, 9:58 AM

I guess this can be closed now. Please feel free re-open if there's anything remaining that needs to be taken care of.

sbassett added a comment.Dec 7 2021, 4:44 PM
In T296605#7552395, @WMDE-Fisch wrote:

I guess this can be closed now. Please feel free re-open if there's anything remaining that needs to be taken care of.

Yes, this is technically resolved. The remaining work would be:

  1. Making this task public
  2. Pushing any relevant backports up to gerrit
  3. Requesting a CVE and announcing within the next supplemental security release

It should be fine to do the first two whenever WMDE folks would like.

gerritbot added a comment.Dec 9 2021, 10:51 AM

Change 745373 had a related patch set uploaded (by Thiemo Kreuz (WMDE); author: Thiemo Kreuz (WMDE)):

[mediawiki/extensions/FileImporter@wmf/1.38.0-wmf.10] Fix special page displaying unescaped user input

https://gerrit.wikimedia.org/r/745373

gerritbot added a project: Patch-For-Review.Dec 9 2021, 10:51 AM
gerritbot added a comment.Dec 9 2021, 10:55 AM

Change 745374 had a related patch set uploaded (by Thiemo Kreuz (WMDE); author: Thiemo Kreuz (WMDE)):

[mediawiki/extensions/FileImporter@REL1_35] Fix special page displaying unescaped user input

https://gerrit.wikimedia.org/r/745374

gerritbot added a comment.Dec 9 2021, 10:56 AM

Change 745375 had a related patch set uploaded (by Thiemo Kreuz (WMDE); author: Thiemo Kreuz (WMDE)):

[mediawiki/extensions/FileImporter@REL1_36] Fix special page displaying unescaped user input

https://gerrit.wikimedia.org/r/745375

gerritbot added a comment.Dec 9 2021, 10:56 AM

Change 745376 had a related patch set uploaded (by Thiemo Kreuz (WMDE); author: Thiemo Kreuz (WMDE)):

[mediawiki/extensions/FileImporter@REL1_37] Fix special page displaying unescaped user input

https://gerrit.wikimedia.org/r/745376

thiemowmde added a comment.EditedDec 9 2021, 11:01 AM

Personally I'm fine with making this public, but would like to get a go from the security team.

I checked all relevant MediaWiki versions, starting with the deployed ones.

✅ master: done
✅ 1.38.0-wmf.9: done
❌ 1.38.0-wmf.10: not fixed
✅ 1.38.0-wmf.11: done
✅ 1.38.0-wmf.12: done
✅ REL1_35 (current LTS): done
✅ REL1_36 (not obsolete yet): done
✅ REL1_37 (current stable): done

I don't think wmf.10 is relevant in any way. But backporting this is so easy, it can't hurt. I'm not so sure about REL1_36. It's still marked in green in the version lifecycle chart. Anyway, here are all Patch-For-Review:

sbassett added a comment.EditedDec 9 2021, 3:36 PM
In T296605#7559072, @thiemowmde wrote:

Personally I'm fine with making this public, but would like to get a go from the security team.

Yes, I'll make this task public now, as all of the change sets in gerrit are public. It's normally fine to do this once an issue has been patched in Wikimedia production. The only time we really delay disclosure is for anything bundled with the tarball releases. Also, wmf.10 and wmf.11 were both skipped.

sbassett changed the visibility from "Custom Policy" to "Public (No Login Required)".Dec 9 2021, 3:37 PM
sbassett changed the edit policy from "Custom Policy" to "All Users".
gerritbot added a comment.Dec 9 2021, 3:43 PM

Change 745376 merged by jenkins-bot:

[mediawiki/extensions/FileImporter@REL1_37] Fix special page displaying unescaped user input

https://gerrit.wikimedia.org/r/745376

gerritbot added a comment.Dec 9 2021, 3:43 PM

Change 745375 merged by jenkins-bot:

[mediawiki/extensions/FileImporter@REL1_36] Fix special page displaying unescaped user input

https://gerrit.wikimedia.org/r/745375

gerritbot added a comment.Dec 9 2021, 3:44 PM

Change 745374 merged by jenkins-bot:

[mediawiki/extensions/FileImporter@REL1_35] Fix special page displaying unescaped user input

https://gerrit.wikimedia.org/r/745374

gerritbot added a comment.Dec 13 2021, 9:39 AM

Change 745373 abandoned by WMDE-Fisch:

[mediawiki/extensions/FileImporter@wmf/1.38.0-wmf.10] Fix special page displaying unescaped user input

Reason:

.10 will never be deployed anywhere it seems.

https://gerrit.wikimedia.org/r/745373

sbassett added a parent task: T292236: Write and send supplementary release announcement for extensions and skins with security patches (1.35.5/1.36.3/1.37.1).Dec 23 2021, 5:25 PM
MoritzMuehlenhoff renamed this task from XSS in Special:ImportFile URL to XSS in Special:ImportFile URL (CVE-2021-45474).Dec 24 2021, 10:55 AM
Zabe subscribed.Dec 25 2021, 9:18 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL