
CVE-2022-28202: Messages widthheight/widthheightpage/nbytes not escaped when used in galleries or Special:RevisionDelete
Closed, ResolvedPublicSecurity

Description

List of steps to reproduce (step by step, including full links if applicable):

  • Be sure your wiki has files uploaded (non-pdfs)
  • Go to [[MediaWiki:Widthheight]] and append "<script>alert('XSS widthheight');</script>"
  • Go to index.php?title=Special:NewFiles&limit=2 and you will get the alerts

This is from ImageHandler::getDimensionsString and also includes "widthheightpage" for pdfs.
It affects all galleries which show dimensions; that is not true for parser/wikitext.
The default depends on $wgGalleryOptions.
Categories with files are affected
Special:Uncategorizedimages and Special:Unusedimages and Special:Mostimages are affected.

A second case:

  • Log in as sysop
  • Go to Special:ListFiles and select a file with a 2 or higher in the Versions column
  • In the file history click "(change visibility)" and you will get the alert.

For the second case the escaping is also missing for message "nbytes" in RevDelFileItem::getHTML

What happens?:
JavaScript alerts are shown.

What should have happened instead?:
No JavaScript alert should be shown. The script tag must be presented as visible text.

Software version (if not a Wikimedia wiki), browser information, screenshots, other information, etc: current master

Event Timeline

Only privileged users can edit messages, but the use of Special:RevisionDelete also affects oversighters.

I am not sure if problems with message escaping should be public or better private like this. Feel free to change as needed.

Thanks for filing the task. Definitely let's keep this private (at least for now) – this is an active vulnerability (although it requires sysop rights to exploit).

We've resolved many issues like this in public in the past (recent examples: 1, 2).

I think it's much more practical, and not very risky, to resolve them in public. Or if there's a good reason not to do that, please let me know and I'll keep similar issues private in the future too.

This should just be a simple s/text/escaped/ here and here, correct?

I think the Security-Team is fine rating many of these msg issues (including this issue) as low risk if a patch can go through gerrit on a Monday just prior to the train cut.

The return value of ImageHandler::getDimensionsString is escaped by the caller (at least in ImageHistoryList) and should be wrapped with htmlspecialchars in the Gallery here

The second part in RevDelFileItem is okay with the s/text/escaped/ replace.
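The two fixes described in this thread, as an added illustrative example that is not MediaWiki's code and not the patch under review: FakeMessage and TAMPERED_MESSAGES are constructed stand-ins for Message::text()/escaped() and for an admin-edited MediaWiki:Widthheight page, and getDimensionsString() plus the caption/cell functions are hypothetical simplifications of the call sites named in the task (ImageHandler::getDimensionsString, the gallery caption, RevDelFileItem::getHTML). The script runs on its own under PHP 8 and shows why the gallery caller must wrap the dimensions string in htmlspecialchars() while the nbytes case only needs ->escaped().

```php
<?php
// Added illustrative example, NOT MediaWiki code. It models the two call sites
// named in this task with a minimal stand-in for MediaWiki's Message class:
// text() returns the raw (possibly admin-edited) message, escaped() runs it
// through htmlspecialchars(). That difference is the whole fix.
declare(strict_types=1);

// Constructed sample: what the message pages look like after a sysop appends
// a script tag, as in the reproduction steps.
const TAMPERED_MESSAGES = [
    'widthheight'     => '$1 × $2<script>alert(\'XSS widthheight\');</script>',
    'widthheightpage' => '$1 × $2, $3 pages<script>alert(\'XSS widthheightpage\');</script>',
    'nbytes'          => '$1 bytes<script>alert(\'XSS nbytes\');</script>',
];

final class FakeMessage {
    private string $raw;
    /** @var int[] */
    private array $params = [];

    public function __construct( string $key ) {
        $this->raw = TAMPERED_MESSAGES[$key] ?? $key;
    }

    public function numParams( int ...$params ): self {
        $this->params = $params;
        return $this;
    }

    // Substitute $1, $2, ... with the numeric parameters (no formatting).
    private function substitute(): string {
        $out = $this->raw;
        foreach ( $this->params as $i => $p ) {
            $out = str_replace( '$' . ( $i + 1 ), (string)$p, $out );
        }
        return $out;
    }

    // Like Message::text(): plain text, NOT safe to concatenate into HTML.
    public function text(): string {
        return $this->substitute();
    }

    // Like Message::escaped(): text() passed through htmlspecialchars().
    public function escaped(): string {
        return htmlspecialchars( $this->substitute(), ENT_QUOTES );
    }
}

function fakeMessage( string $key ): FakeMessage {
    return new FakeMessage( $key );
}

// Hypothetical stand-in for ImageHandler::getDimensionsString(): it returns
// ->text(), so every caller must treat the return value as untrusted.
function getDimensionsString( int $width, int $height, int $pages ): string {
    if ( $pages > 1 ) {
        return fakeMessage( 'widthheightpage' )->numParams( $width, $height, $pages )->text();
    }
    return fakeMessage( 'widthheight' )->numParams( $width, $height )->text();
}

// Gallery caption before the fix: the dimensions string is concatenated raw.
function galleryCaptionVulnerable( int $w, int $h, int $pages ): string {
    return '<div class="gallerytext">' . getDimensionsString( $w, $h, $pages ) . '</div>';
}

// Gallery caption after the fix: the caller escapes, as ImageHistoryList already did.
function galleryCaptionFixed( int $w, int $h, int $pages ): string {
    $dims = htmlspecialchars( getDimensionsString( $w, $h, $pages ), ENT_QUOTES );
    return '<div class="gallerytext">' . $dims . '</div>';
}

// RevDelFileItem-style size cell: ->text() versus ->escaped() is the entire change.
function revDelSizeVulnerable( int $bytes ): string {
    return '<td>' . fakeMessage( 'nbytes' )->numParams( $bytes )->text() . '</td>';
}

function revDelSizeFixed( int $bytes ): string {
    return '<td>' . fakeMessage( 'nbytes' )->numParams( $bytes )->escaped() . '</td>';
}

// Crude reviewer check: does the rendered fragment still contain a live tag?
function containsLiveScript( string $html ): bool {
    return stripos( $html, '<script' ) !== false;
}

foreach ( [
    'gallery (single page) vulnerable' => galleryCaptionVulnerable( 800, 600, 1 ),
    'gallery (single page) fixed'      => galleryCaptionFixed( 800, 600, 1 ),
    'gallery (pdf) vulnerable'         => galleryCaptionVulnerable( 800, 600, 3 ),
    'gallery (pdf) fixed'              => galleryCaptionFixed( 800, 600, 3 ),
    'revdel nbytes vulnerable'         => revDelSizeVulnerable( 12345 ),
    'revdel nbytes fixed'              => revDelSizeFixed( 12345 ),
] as $label => $html ) {
    printf( "%-34s live script: %s\n", $label, containsLiveScript( $html ) ? 'YES' : 'no' );
}
```

Run with `php example.php`; the three "vulnerable" rows report a live script tag and the three "fixed" rows do not, because in the fixed fragments the tag survives only as `&lt;script&gt;...`, which the browser renders as visible text. The design point is that a helper returning ->text() pushes the escaping obligation onto every caller, which is exactly how the gallery slipped through while ImageHistoryList did not.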

First attempt at a patch per @Umherirrender's advice above. Per my previous comment, this can be sent up and merged via gerrit next Monday if it looks decent.

That works and looks very good. +2

Change 752728 had a related patch set uploaded (by SBassett; author: SBassett):

[mediawiki/core@master] SECURITY: properly escape output used within galleries and Special:RevisionDelete

https://gerrit.wikimedia.org/r/752728

Change 752728 merged by jenkins-bot:

[mediawiki/core@master] SECURITY: properly escape output used within galleries and Special:RevisionDelete

https://gerrit.wikimedia.org/r/752728

Change 752285 had a related patch set uploaded (by SBassett; author: SBassett):

[mediawiki/core@REL1_37] SECURITY: properly escape output used within galleries and Special:RevisionDelete

https://gerrit.wikimedia.org/r/752285

Change 752285 merged by jenkins-bot:

[mediawiki/core@REL1_37] SECURITY: properly escape output used within galleries and Special:RevisionDelete

https://gerrit.wikimedia.org/r/752285

Change 753496 had a related patch set uploaded (by Umherirrender; author: SBassett):

[mediawiki/core@REL1_36] SECURITY: properly escape output used within galleries and Special:RevisionDelete

https://gerrit.wikimedia.org/r/753496

Change 753497 had a related patch set uploaded (by Umherirrender; author: SBassett):

[mediawiki/core@REL1_35] SECURITY: properly escape output used within galleries and Special:RevisionDelete

https://gerrit.wikimedia.org/r/753497

Change 753497 merged by jenkins-bot:

[mediawiki/core@REL1_35] SECURITY: properly escape output used within galleries and Special:RevisionDelete

https://gerrit.wikimedia.org/r/753497

Change 753496 merged by jenkins-bot:

[mediawiki/core@REL1_36] SECURITY: properly escape output used within galleries and Special:RevisionDelete

https://gerrit.wikimedia.org/r/753496

sbassett claimed this task.
sbassett changed Author Affiliation from N/A to Wikimedia Communities.
sbassett changed the visibility from "Custom Policy" to "Public (No Login Required)".
sbassett changed the edit policy from "Custom Policy" to "All Users".
sbassett changed Risk Rating from N/A to Low.
sbassett moved this task from Watching to Our Part Is Done on the Security-Team board.
sbassett added a project: user-sbassett.
Reedy renamed this task from Messages widthheight/widthheightpage/nbytes not escaped when used in galleries or Special:RevisionDelete to CVE-2022-: Messages widthheight/widthheightpage/nbytes not escaped when used in galleries or Special:RevisionDelete.Mar 28 2022, 1:52 PM
Reedy renamed this task from CVE-2022-: Messages widthheight/widthheightpage/nbytes not escaped when used in galleries or Special:RevisionDelete to CVE-2022-28202: Messages widthheight/widthheightpage/nbytes not escaped when used in galleries or Special:RevisionDelete.Mar 30 2022, 6:02 PM