
XSS vulnerability in the FormWizard default gadget on enwiki
Closed, Resolved | Public | Security

Authored By: MrStradivarius, Jan 3 2022, 2:58 PM
Referenced Files
  F34910909: T298481-urwiki.patch (Jan 7 2022, 11:05 PM)
  F34910906: T298481-simplewikt.patch (Jan 7 2022, 11:05 PM)
  F34910882: T298481-bewikimedia.patch (Jan 7 2022, 11:05 PM)
  F34910889: T298481-lvwiki.patch (Jan 7 2022, 11:05 PM)
  F34910892: T298481-mediawiki.patch (Jan 7 2022, 11:05 PM)
  F34910912: T298481-arwiki.patch (Jan 7 2022, 11:05 PM)
  F34910901: T298481-mswiki.patch (Jan 7 2022, 11:05 PM)
  F34910886: T298481-gomwiki.patch (Jan 7 2022, 11:05 PM)

Description

There is an XSS vulnerability in the FormWizard gadget on enwiki. If an attacker adds certain wikitext to a page in the Wikipedia namespace, then when a user clicks on that wikitext the attacker's code is run. The gadget is loaded by default, and so the vulnerability affects all logged-in users who haven't explicitly disabled it.

Steps to reproduce:

  1. Log into the English Wikipedia, and make sure that the FormWizard gadget is enabled in your preferences.
  2. Go to any page in the Wikipedia namespace in edit mode (for example, Wikipedia:Sandbox).
  3. Enter the text <div class="wp-formsGadget" data-type="foo&title=User:Mr._Stradivarius/gadgets/alerttest.js" style="font-size:xxx-large;color:blue;text-decoration:underline">Click me</div> in the edit window and click Preview.
  4. Click on the "Click me" pseudo-link that appears in the preview pane.

This loads User:Mr. Stradivarius/gadgets/alerttest.js, which is set to display an alert with the text "Running JS from User:Mr. Stradivarius/gadgets/alerttest.js".

This is tested on Firefox 95.0.1.

The vulnerability is caused by not escaping the configFullPath variable on line 975 of the gadget when it is added to the config URL. This URL is then loaded with jQuery.getScript on line 988. Both the gadget namespace portion and the gadget type portion of the configFullPath variable can be controlled by an attacker; the gadget namespace portion is controlled through the page title, and the gadget type portion is controlled through the data-type attribute of any element on the page with the class "wp-formsGadget". I have chosen the latter for the example above, as it can be used on any page in the Wikipedia namespace.

By injecting a second "title" parameter into the URL, the attacker can override the initial title (a subpage of MediaWiki:Gadget-formWizard) and specify a title of their choice. This makes it possible to run user scripts, as done in the example.

The fix is simple enough (encode configFullPath using encodeURIComponent on line 975), but I am not sure if copies of the gadget are being used on other wikis, and if the fix needs to be coordinated with them.
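As an added illustration (not the gadget's own code; the query layout, the CONFIG_PREFIX value and the sample data-type value below are assumptions), this models the unescaped URL construction the report describes beside the encodeURIComponent fix, and checks which page the server would actually serve:

```javascript
// Added example, not the FormWizard gadget's code. Assumed request shape:
//   <wiki>/w/index.php?title=<CONFIG_PREFIX><configFullPath>&action=raw
// The real gadget's exact query layout is an assumption; the hole is the same.
const WIKI = "https://en.wikipedia.org";
const CONFIG_PREFIX = "MediaWiki:Gadget-formWizard/";

// Vulnerable form: configFullPath is concatenated as-is, so '&' and '='
// inside it become new query parameters (what the report describes).
function buildConfigUrlVulnerable(configFullPath) {
  return WIKI + "/w/index.php?title=" + CONFIG_PREFIX + configFullPath + "&action=raw";
}

// Fixed form: encodeURIComponent turns '&' into %26 and '=' into %3D, so the
// whole value stays inside the single title parameter.
function buildConfigUrlFixed(configFullPath) {
  return WIKI + "/w/index.php?title=" +
    encodeURIComponent(CONFIG_PREFIX + configFullPath) + "&action=raw";
}

// Models the server's view: PHP, and therefore MediaWiki, keeps the LAST
// value of a repeated query key, which is why a second title wins.
function effectiveTitle(url) {
  const titles = new URL(url).searchParams.getAll("title");
  return titles[titles.length - 1];
}

// Defensive check a reviewer can apply to any built URL: the page that will
// be served must still live under the gadget's own config prefix.
function staysUnderConfigPrefix(url) {
  return effectiveTitle(url).startsWith(CONFIG_PREFIX);
}

// Constructed value of the same shape as the report's data-type attribute
// (namespace part, then a type part carrying an injected title parameter).
const SAMPLE_CONFIG_PATH = "Wikipedia/foo&title=User:Example/some-script.js";

function demo() {
  return {
    vulnerableServes: effectiveTitle(buildConfigUrlVulnerable(SAMPLE_CONFIG_PATH)),
    vulnerableSafe: staysUnderConfigPrefix(buildConfigUrlVulnerable(SAMPLE_CONFIG_PATH)),
    fixedServes: effectiveTitle(buildConfigUrlFixed(SAMPLE_CONFIG_PATH)),
    fixedSafe: staysUnderConfigPrefix(buildConfigUrlFixed(SAMPLE_CONFIG_PATH)),
  };
}
```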

Details

Risk Rating
Low
Author Affiliation
Wikimedia Communities

Event Timeline

https://meta.wikimedia.org/wiki/Meta:FormWizard#Deployments lists meta, testwiki, enwiki, nowikimedia, and wikidata as the places where it is currently deployed, but it looks like there are slight differences in the code they are running. If you have the details of the changes you want made for each, I have the permissions to update the code on meta, testwiki, and nowikimedia, and I can subscribe a few wikidata interface admins to ask them. Or, perhaps have a global interface editor or steward handle it so that they are all updated at the same time.

Hm, it might be best if I ask for global interface admin permissions - then I can just update them all myself. I had those permissions previously for a multi-wiki maintenance task, so hopefully I will be able to get them again.

If a diff and a list of pages to fix can be provided, I or other GIEs with security access can apply it without issues. Or, we can also wait until Jan 9.

@Urbanecm I made patches for each of the listed wikis. If you could apply them, it would be much appreciated.

https://en.wikipedia.org/wiki/MediaWiki:Gadget-formWizard-core.js

https://meta.wikimedia.org/wiki/MediaWiki:Gadget-formWizard-core.js

https://test.wikipedia.org/wiki/MediaWiki:Gadget-formWizard-core.js

https://no.wikimedia.org/wiki/MediaWiki:Gadget-formWizard-core.js

https://www.wikidata.org/wiki/MediaWiki:Gadget-formWizard-core.js

Most of these patches are different, but the patch for the test wiki is actually identical to the patch for enwiki. Also, it turns out that meta and wikidata aren't actually vulnerable, as they use jQuery.get instead of jQuery.getScript to load the URL. The configFullPath variable should still be escaped on those wikis too, however, as an attacker could still load their own FormWizard config.

> @Urbanecm I made patches for each of the listed wikis. If you could apply them, it would be much appreciated.
>
> https://en.wikipedia.org/wiki/MediaWiki:Gadget-formWizard-core.js

Done.

> https://meta.wikimedia.org/wiki/MediaWiki:Gadget-formWizard-core.js

Done.

> https://test.wikipedia.org/wiki/MediaWiki:Gadget-formWizard-core.js

Done.

> https://no.wikimedia.org/wiki/MediaWiki:Gadget-formWizard-core.js

Done.

> https://www.wikidata.org/wiki/MediaWiki:Gadget-formWizard-core.js

Done.

> Most of these patches are different, but the patch for the test wiki is actually identical to the patch for enwiki. Also, it turns out that meta and wikidata aren't actually vulnerable, as they use jQuery.get instead of jQuery.getScript to load the URL. The configFullPath variable should still be escaped on those wikis too, however, as an attacker could still load their own FormWizard config.

I think I applied all of them correctly -- can you check that please?

> I think I applied all of them correctly -- can you check that please?

@Urbanecm Yes, they all look good to me! Thank you for fixing them. I think we can call this issue closed now.

sbassett subscribed.

Looks like there's at least a couple more on production wikis, based upon this naive search:

https://global-search.toolforge.org/?q=formsGadget&namespaces=8&title=%28.*%5C.js%29

So the ones that still require mitigation would be:

  1. be.wikimedia
  2. gom.wikipedia
  3. lv.wikipedia
  4. www.mediawiki
  5. ms.wikipedia
  6. simple.wiktionary
  7. ur.wikipedia
  8. ar.wikipedia

According to the relevant Special:GadgetUsage pages, formWizard is used by 174 users on mw.org and is a default gadget on bewiki, gomwiki, mswiki and simplewiktionary. It doesn't currently appear enabled by anyone on lvwiki, urwiki or arwiki, though I'm not sure it's the best idea to just let those sit indefinitely, unpatched.

@Urbanecm I've made patches for the instances that @sbassett found. Could you apply these as well?

  1. be.wikimedia
  2. gom.wikipedia
  3. lv.wikipedia
  4. www.mediawiki
  5. ms.wikipedia
  6. simple.wiktionary
  7. ur.wikipedia
  8. ar.wikipedia

> @Urbanecm I've made patches for the instances that @sbassett found. Could you apply these as well?

Deployed. Thanks for the patches. Can you check all is OK now? CC @sbassett too.

@Urbanecm Yes, those all look good to me. Thank you!

I had a look with the global search tool and couldn't find any more instances, so I think we're now actually safe to close this issue. Feel free to reopen if you find any others.

Looks good. Thanks for the patches and deploys, @MrStradivarius and @Urbanecm. I'll make this public now.

sbassett added a project: Vuln-XSS.
sbassett changed the visibility from "Custom Policy" to "Public (No Login Required)".
sbassett changed the edit policy from "Custom Policy" to "All Users".
sbassett changed Risk Rating from N/A to Low.
sbassett moved this task from Incoming to Our Part Is Done on the Security-Team board.