Page MenuHomePhabricator
Create Task
Maniphest T308473

CVE-2022-34912: Username not escaped in the contributions-title message
Closed, ResolvedPublicSecurity
Actions

Description

The contributions-title, used on Special:Contributions, is used as page title without escaping. Hence, if a username contains HTML entities (not possible by default, T308465), it won't be escaped.

Details

Risk Rating
Low
Author Affiliation
WMF Product
SubjectRepoBranchLines +/-
SECURITY: Escape contributions-title msg for use within page titlemediawiki/coreREL1_38+2 -2
SECURITY: Escape contributions-title msg for use within page titlemediawiki/coreREL1_37+2 -2
SECURITY: Escape contributions-title msg for use within page titlemediawiki/coremaster+2 -2
Customize query in gerrit

Related Objects
Search...

Event Timeline

Daimona created this task.May 16 2022, 5:53 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptMay 16 2022, 5:53 PM
Daimona added a project: Vuln-XSS.May 16 2022, 5:53 PM
Daimona added a parent task: T2212: Some MediaWiki: messages not safe in HTML (tracking).
Mstyles changed Risk Rating from N/A to High.Jun 3 2022, 11:13 PM
Mstyles subscribed.Jun 3 2022, 11:25 PM

@Daimona will you be able to create a patch to escape the HTML? For guidance please check out steps 2, 3, and 4 in the mediawiki documentation

Reedy added a project: MediaWiki-Logevents.Jun 6 2022, 4:14 PM
sbassett subscribed.Jun 6 2022, 9:21 PM

Untested patch that should fix this issue, unless it garbles usernames in some way. But it shouldn't. This is likely low risk enough to just go through gerrit, as similar patches have before (T2212).

01-T308473.patch1 KBDownload

sbassett added projects: SecTeam-Processed, Patch-For-Review.Jun 6 2022, 9:22 PM
sbassett moved this task from Incoming to In Progress on the Security-Team board.
sbassett added a project: user-sbassett.
sbassett moved this task from Backlog to In Progress on the user-sbassett board.
sbassett triaged this task as Low priority.Jun 7 2022, 2:32 AM
sbassett mentioned this in T308471: CVE-2022-34911: Username is not escaped in the "welcomeuser" message.
sbassett changed Author Affiliation from N/A to WMF Product.
sbassett changed Risk Rating from High to Low.
sbassett added a subscriber: gerritbot.Jun 21 2022, 9:32 PM
gerritbot added a comment.Jun 21 2022, 9:32 PM

Change 807225 had a related patch set uploaded (by SBassett; author: SBassett):

[mediawiki/core@master] SECURITY: Escape contributions-title msg for use within page title

https://gerrit.wikimedia.org/r/807225

gerritbot added a comment.Jun 21 2022, 10:32 PM

Change 807225 merged by jenkins-bot:

[mediawiki/core@master] SECURITY: Escape contributions-title msg for use within page title

https://gerrit.wikimedia.org/r/807225

gerritbot added a comment.Jun 22 2022, 1:47 AM

Change 807164 had a related patch set uploaded (by SBassett; author: SBassett):

[mediawiki/core@REL1_38] SECURITY: Escape contributions-title msg for use within page title

https://gerrit.wikimedia.org/r/807164

gerritbot added a comment.Jun 22 2022, 1:47 AM

Change 807165 had a related patch set uploaded (by SBassett; author: SBassett):

[mediawiki/core@REL1_37] SECURITY: Escape contributions-title msg for use within page title

https://gerrit.wikimedia.org/r/807165

gerritbot added a comment.Jun 22 2022, 2:14 AM

Change 807165 merged by jenkins-bot:

[mediawiki/core@REL1_37] SECURITY: Escape contributions-title msg for use within page title

https://gerrit.wikimedia.org/r/807165

gerritbot added a comment.Jun 22 2022, 2:15 AM

Change 807164 merged by jenkins-bot:

[mediawiki/core@REL1_38] SECURITY: Escape contributions-title msg for use within page title

https://gerrit.wikimedia.org/r/807164

sbassett closed this task as Resolved.Jun 22 2022, 2:35 AM
sbassett claimed this task.
sbassett moved this task from Backlog to Done on the MediaWiki-Logevents board.
sbassett moved this task from In Progress to Our Part Is Done on the Security-Team board.
sbassett moved this task from In Progress to Done on the user-sbassett board.
sbassett changed the visibility from "Custom Policy" to "Public (No Login Required)".
sbassett changed the edit policy from "Custom Policy" to "All Users".
ReleaseTaggerBot added projects: MW-1.37-notes, MW-1.38-notes.Jun 22 2022, 3:00 AM
Reedy added a parent task: T305200: Tracking bug for MediaWiki 1.35.7/1.37.3/1.38.2.Jun 24 2022, 8:55 AM
Reedy mentioned this in T305201: Obtain CVEs for 1.35.7/1.37.3/1.38.2 security releases.Jun 29 2022, 7:21 PM
Reedy removed a project: Patch-For-Review.Jun 29 2022, 7:24 PM
Reedy renamed this task from Username not escaped in the contributions-title message to CVE-2022-34912: Username not escaped in the contributions-title message.Jul 2 2022, 7:40 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL