Page MenuHomePhabricator
Create Task
Maniphest T299855

XTools ArticleInfo gadget should not execute WMCS HTML
Open, LowestPublicSecurity
Actions

Description

The XTools ArticleInfo (aka Page History) gadget for displaying results on the wiki inserts HTML received from XTools into the page without any kind of precaution. This is an XSS vector if XTools is taken over. Wikimedia Cloud is a lower-security environment which should be treated as untrusted.

The tool should return some kind of semi-structured data that's turned into HTML by the gadget. Maybe it could return wikitext, and the gadget could use message parsing. Or it could just return a plaintext message with replacement tokens, plus the URLs + link text, and have the gadget piece the content together.

Details

Risk Rating
Low
Author Affiliation
Wikimedia Communities

Event Timeline

Tgr created this task.Jan 23 2022, 9:29 AM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptJan 23 2022, 9:29 AM
Tgr added a project: XTools.Jan 23 2022, 9:31 AM

Probably not a security issue, just hardening. I'll file as such anyway since changing things in the other direction is harder, and leave it to the Security team to remove the access restrictions if they agree.

sbassett subscribed.Jan 24 2022, 10:04 PM
@Tgr wrote:

This is an XSS vector if XTools is taken over. Wikimedia Cloud is a lower-security environment which should be treated as untrusted.
...
Probably not a security issue, just hardening. I'll file as such anyway since changing things in the other direction is harder, and leave it to the Security team to remove the access restrictions if they agree.

Agreed re: hardening. Since there is no demonstrated, active vulnerability at this time, and any exploit would require some kind of takeover or compromise of the XTools tool, this issue can be make public and a solution pushed through gerrit.

sbassett changed the visibility from "Custom Policy" to "Public (No Login Required)".Jan 24 2022, 10:05 PM
sbassett changed the edit policy from "Custom Policy" to "All Users".
sbassett changed Risk Rating from N/A to Medium.
sbassett changed Risk Rating from Medium to Low.
sbassett edited projects, added SecTeam-Processed; removed Security-Team.
MusikAnimal triaged this task as Lowest priority.Jan 24 2022, 10:35 PM
MusikAnimal moved this task from Backlog to Page History on the XTools board.
MusikAnimal subscribed.

The structured data part already exits. Just request JSON (default) instead of HTML, for example https://xtools.wmflabs.org/api/page/articleinfo/en.wikipedia.org/Hanksy

If someone wants to write a script to turn this into HTML clientside, please feel free and I'm happy to review and update mw:XTools/ArticleInfo.js accordingly. Or I'll do it when I find the time :)

XTools is an official product from a WMF team. A hostile takeover is possible (it is for production, too) but we're not worried about it.

Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits