I have found a cross-site scripting issue in enwiki's script-installer gadget. By injecting JavaScript syntax into the page name used by the gadget, you can trick users into installing that code on their common.js pages.
Steps to reproduce:
- Log in to enwiki and enable the script-installer gadget in your preferences (the description says "Install scripts without having to manually edit JavaScript files").
- Save the following wikitext to a non-mainspace page. (Note: I did this on a private MediaWiki instance so as not to alert others to the vulnerability. Also, only the final span is strictly necessary - the rest is just to make it look more convincing.)
[[User:Anomie/linkclassifier]] ([[User:Anomie/linkclassifier.js|source]]) <span id="User:Anomie/linkclassifier.js');alert('XSS" class="scriptInstallerLink"></span>
- The gadget will display an "Install" link in the span element you added. Click it.
- A security notice is displayed with the wording "Warning! Do you trust User:Anomie?" Click OK.
The page will reload, and in addition to the linkclassifier script being installed, an alert will pop up with the text "XSS". On checking your common.js page, you will find the following code has been added:
importScript('User:Anomie/linkclassifier.js');alert('XSS'); // Backlink: [[User:Anomie/linkclassifier.js');alert('XSS]]
This is a security issue, as the only JavaScript the victim expects to be added to their common.js page is JavaScript authored by the user displayed in the warning message. Because the page name is concatenated into the generated line without escaping, an attacker can close the string literal and append arbitrary JavaScript of their own, which is then installed alongside the script the victim actually agreed to.
The relevant code is on line 145 of the gadget:
case 0: return dis + "importScript('" + this.page + "'); // Backlink: [[" + this.page + "]]";
Single quotes and backslashes should be escaped in the page name to prevent the injection attack. (The URLs in the other branches of the switch statement also look like they need escaping, although I have not tested to confirm if they are vulnerable as well.)
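As an added illustration (this is not the gadget's code and was not part of the original report), the following shows the concatenation pattern from line 145 beside a hardened builder, and a small harness that runs the generated line with stubbed importScript and alert to show which calls actually happen. The function names, the escaping routine and the title-validation rule are assumptions made for this demonstration; the payload string is the one from the span id above.

```javascript
// Added example, not the gadget's code. Function names, the escaping routine
// and the validation rule below are assumptions for the demonstration.

// Vulnerable form: mirrors the concatenation on line 145 of the gadget.
// A single quote in `page` closes the string literal and everything after
// it runs as code once common.js is loaded.
function buildImportLineUnsafe(page, dis) {
  return (dis || "") + "importScript('" + page + "'); // Backlink: [[" + page + "]]";
}

// Escape a value for use inside a single-quoted JS string literal.
// Backslashes must be handled first, or the quote escapes would be doubled.
// Line terminators are escaped too so a title can never end the statement early.
function escapeJsSingleQuoted(s) {
  return String(s)
    .replace(/\\/g, "\\\\")
    .replace(/'/g, "\\'")
    .replace(/\r/g, "\\r")
    .replace(/\n/g, "\\n")
    .replace(/\u2028/g, "\\u2028")
    .replace(/\u2029/g, "\\u2029");
}

// The backlink sits in a // comment, where only a line terminator can break out.
function stripLineTerminators(s) {
  return String(s).replace(/[\r\n\u2028\u2029]/g, "");
}

// Hardened form: same output shape, but the page name can only ever be data.
function buildImportLineSafe(page, dis) {
  return (dis || "") + "importScript('" + escapeJsSingleQuoted(page) +
    "'); // Backlink: [[" + stripLineTerminators(page) + "]]";
}

// Defence in depth (assumed policy, not something the gadget is known to do):
// only accept a .js page in User: or MediaWiki: space whose title contains no
// quote, backslash or line terminator at all, and reject before building.
function looksLikeScriptTitle(page) {
  return /^(User|MediaWiki):[^'"\\\r\n\u2028\u2029]+\.js$/.test(String(page));
}

// Harness: run a generated line the way common.js would, with stubbed
// importScript and alert, and record what each was called with.
function evaluateLine(line) {
  const imports = [];
  const alerts = [];
  const run = new Function("importScript", "alert", line);
  run((p) => imports.push(p), (m) => alerts.push(m));
  return { imports, alerts };
}

// Constructed input: the span id from the report.
const PAYLOAD = "User:Anomie/linkclassifier.js');alert('XSS";

console.log("unsafe line:", buildImportLineUnsafe(PAYLOAD));
console.log("unsafe calls:", evaluateLine(buildImportLineUnsafe(PAYLOAD)));
console.log("safe line:  ", buildImportLineSafe(PAYLOAD));
console.log("safe calls: ", evaluateLine(buildImportLineSafe(PAYLOAD)));
console.log("validation:", looksLikeScriptTitle(PAYLOAD),
  looksLikeScriptTitle("User:Anomie/linkclassifier.js"));
```

With the unsafe builder the harness records both an importScript call and an alert("XSS"); with the hardened builder it records a single importScript call whose argument is the whole odd-looking title, and no alert. Escaping fixes the reported bug; the validation step is the extra check that stops a title like this from reaching the builder at all.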
This was tested in Firefox 96.0.