Page MenuHomePhabricator
Create Task
Maniphest T312733

WikiForum is Vulnerable to CSRF and XSS Attacks
Closed, ResolvedPublicSecurity
Actions

Description

WikiForum lacks anti-CSRF mechanism and is thus vulnerable to CSRF attacks. Creating categories, forums, threads, and replies are the specific functions affected. Category names, forum names, and descriptions are also not escaped and can therefore be exploited to inject maliciously crafted inputs due to the CSRF vulnerability.

Details

Risk Rating
Medium
Author Affiliation
Wikimedia Communities
Related Changes in Gerrit:
SubjectRepoBranchLines +/-
[SECURITY] Version 2.7.0 -- fix a whole bunch of CSRF and stored XSS issuesmediawiki/extensions/WikiForummaster+754 -93
Customize query in gerrit

Related Objects

Event Timeline

Redmin created this task.Jul 10 2022, 5:04 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptJul 10 2022, 5:04 PM
Redmin added a project: Vuln-CSRF.Jul 10 2022, 5:06 PM
Redmin added subscribers: ashley, UltrasonicNXT.
Aklapper added a project: WikiForum.Jul 10 2022, 6:52 PM
sbassett edited projects, added SecTeam-Processed; removed Security-Team.Jul 11 2022, 8:58 PM
sbassett changed Risk Rating from N/A to Medium.
ashley added a subscriber: Universal_Omega.Sep 13 2022, 7:58 PM

cc @Universal_Omega for input

I took a quick look at tackling this with pretty much the most basic way possible. Some quick notes based on today's experiments:

  • forumadmin-only "sort forum up/down" feature needs to be implemented differently, it's now just a GET request so it needs to have a <form> that POSTs for no-JS users and for JS users, an API module + appropriate amount of AJAX is in order
  • ditto for the "make thread sticky"/"remove thread stickiness" feature
  • somehow I seem to have broken the "submit a new topic" -> "immediately after submitting submit a reply using the form" feature while trying to tackle this bug
  • gosh, it's 2022, almost 2023, and WF still lacks a preview button?! Darn. Even MediaWiki-extensions-Comments has one these days...

Attached is my WIP patch.

CSRF.patch13 KBDownload

Universal_Omega added a subscriber: Reception123.Sep 17 2022, 7:38 AM
sbassett added a subscriber: RhinosF1.Sep 19 2022, 6:24 PM
sbassett mentioned this in T311785: Write and send supplementary release announcement for extensions and skins with security patches (1.35.8/1.37.5/1.38.3).Sep 19 2022, 8:15 PM
sbassett mentioned this in T318974: Write and send supplementary release announcement for extensions and skins with security patches (1.35.9/1.38.4/1.39.1).Oct 6 2022, 4:28 PM
TheresNoTime removed a subscriber: RhinosF1.Dec 15 2022, 11:35 PM
sbassett mentioned this in T325849: Write and send supplementary release announcement for extensions and skins with security patches (1.35.10/1.38.6/1.39.3).Jan 12 2023, 8:22 PM
Universal_Omega added a subscriber: Paladox.Jan 15 2023, 5:56 PM
sbassett mentioned this in T333626: Write and send supplementary release announcement for extensions and skins with security patches (1.35.11/1.38.7/1.39.4/1.40.0).Apr 4 2023, 7:48 PM
Redmin renamed this task from WikiForum is Vulnerable to CSRF Attacks to WikiForum is Vulnerable to CSRF and XSS Attacks.Apr 26 2023, 12:20 PM
Redmin added a project: Vuln-XSS.
Redmin added a comment.Apr 26 2023, 12:29 PM

@ashley, if it helps then maybe XSS and CSRF for the functionalities using PHP could be patched first? Please let me know if I can help in any way.

ashley added subscribers: RhinosF1, OriginalAuthority.Jun 14 2023, 3:35 PM
sbassett mentioned this in T340874: Write and send supplementary release announcement for extensions and skins with security patches (1.35.12/1.39.5/1.40.1).Jul 6 2023, 3:27 PM
sbassett mentioned this in T347659: Write and send supplementary release announcement for extensions and skins with security patches (1.35.14/1.39.6/1.40.2/1.41.0).Oct 2 2023, 10:31 PM
RhinosF1 merged a task: Restricted Task.Jan 7 2024, 2:36 PM
RhinosF1 added subscribers: SFedia, sbassett.
RhinosF1 added a subscriber: AllUsernamesArePicked.May 9 2024, 7:59 PM

+Alex - Miraheze Software Engineer wanting to consider caring about WikiForum

RhinosF1 added a project: affects-Miraheze.May 9 2024, 7:59 PM
ashley added a comment.Sep 9 2024, 8:43 AM

Here's a patch I did back in late May to work towards fixing any and all issues reported here, in case if someone wants to give it a go.

(NB: It took me all too long to realize a bunch of XSS issues were also merged into this ticket, which I started as a CSRF ticket. IMO that should've been kept as a separate thing, since, well, they are separate issues, even if both are a type of security vulnerability.)

Anyway, the patch sacrifices some administrative functionality for no-JS users in favor of fixing the CSRF issues by using AJAX and the new API modules. I don't love it but it's an acceptable trade-off, because relatively few people have JS turned off in general and most of the functionality is still there even for no-JS users, it's just some very specific, advanced administrative tasks which defiintely aren't daily things which no longer can be done with JS off.

I haven't really played too much with this since late May or early June probably, and while I think I did manage to squish all the bugs, another set of eyes sure wouldn't hurt for the patch is literally over 1600 lines long...

T312733.patch63 KBDownload

sbassett added a subscriber: gerritbot.Sep 9 2024, 9:18 PM
gerritbot added a comment.Jan 6 2025, 7:29 AM

Change #1108384 had a related patch set uploaded (by Jack Phoenix; author: Jack Phoenix):

[mediawiki/extensions/WikiForum@master] [SECURITY] Version 2.7.0 -- fix a whole bunch of CSRF and stored XSS issues

https://gerrit.wikimedia.org/r/1108384

gerritbot added a project: Patch-For-Review.Jan 6 2025, 7:29 AM
gerritbot added a comment.Jan 6 2025, 7:49 AM

Change #1108384 merged by jenkins-bot:

[mediawiki/extensions/WikiForum@master] [SECURITY] Version 2.7.0 -- fix a whole bunch of CSRF and stored XSS issues

https://gerrit.wikimedia.org/r/1108384

ashley closed this task as Resolved.Jan 6 2025, 7:49 AM
ashley claimed this task.
ashley removed a project: Patch-For-Review.
Bawolff changed the visibility from "Custom Policy" to "Public (No Login Required)".Jan 6 2025, 7:50 AM
Bawolff changed the edit policy from "Custom Policy" to "All Users".
Maintenance_bot added a project: Social-Tools.Jan 6 2025, 8:29 AM
Yaron_Koren awarded a token.Jan 6 2025, 8:08 PM
ashley mentioned this in T384156: Admin Permissions - Clicking "delete" doesn't ask for confirmation..Jan 21 2025, 2:11 PM
Redmin mentioned this in T415379: Request to add Redmin to Security Team's Hall of Fame.Jan 23 2026, 3:48 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits