Page MenuHomePhabricator
Create Task
Maniphest T323651

CVE-2023-37304: XSS in DoubleWiki extension (Wikisource)
Closed, ResolvedPublicSecurity
Actions

Assigned To
matmarex
Authored By
matmarex
Nov 22 2022, 9:57 PM
Tags
Referenced Files
F36969512: 0004-Use-HtmlHelper-modifyElements-instead-of-regexps-to-.patch
Apr 29 2023, 3:17 PM
F36969478: 0003-Modernize-HTML-output.patch
Apr 29 2023, 3:17 PM
F36969477: 0002-Remove-broken-link-processing-for-the-matched-text.patch
Apr 29 2023, 3:17 PM
F36969476: 0001-SECURITY-Remove-vulnerable-column-alignment-feature.patch
Apr 29 2023, 3:17 PM
F4100931: 0001-SECURITY-XSS-and-cache-pollution-issues-in-DoubleWik.patch
Mar 24 2023, 1:35 AM
File Not Attached
F35814245: image.png
Nov 22 2022, 9:57 PM
Subscribers
Aklapper
Bawolff
Elitre
gerritbot
jenkins-bot
Legoktm
matmarex
View All 10 Subscribers

Description

Steps to reproduce:

  1. Install mediawiki/extensions/DoubleWiki
  2. Create a page with the following content:
hello

<div id="align-fr" style="display:none;"><pre>
hello = hello" onclick="alert('XSS')
</pre></div>

[[fr:test]]
  1. After saving, add ?match=fr to the page URL
  2. Click "hello" on the page

This will pop up a JavaScript dialog.

image.png (2×3 px, 318 KB)

Explanation:

DoubleWiki allows displaying pages on different projects links side-by-side. This works on any page with interwiki links on a wiki where the extension is enabled. Example: https://en.wikisource.org/wiki/Bible_(King_James)/Genesis?match=fr

Optionally their content can be aligned using the <div …><pre> markup described above. Example: https://en.wikisource.org/wiki/Eskimo_Life/Authors_Preface?match=no (see the markup in edit mode: https://en.wikisource.org/w/index.php?title=Eskimo_Life/Authors_Preface&action=edit)

This is implemented using some very indiscriminate regexp replacements, and allows inserting pieces of HTML into places they wasn't supposed to go. This bug is caused by the code in DoubleWiki::addMatchingTags() method.

The code implementing alignment has a lot of regexp and string operations on HTML. I have only reviewed a very small part of it (until I found a bug). There are some ~200 lines of code (methods addMatchingTags(), matchColumns(), findParagraphs(), findSlices()) that all look very risky. The side-by-side rendering itself (getMangledTextAndTranslation()) does some regexp replacements as well, but they look a lot less scary.

(It was brought to my attention after I read T323376#8406975 and tried to figure out what that code does.)

Details

Risk Rating
High
SubjectRepoBranchLines +/-
Use HtmlHelper::modifyElements() instead of regexps to modify linksmediawiki/extensions/DoubleWikimaster+49 -20
Modernize HTML outputmediawiki/extensions/DoubleWikimaster+69 -21
Remove vulnerable column alignment featuremediawiki/extensions/DoubleWikimaster+14 -190
Customize query in gerrit

Related Objects

Event Timeline

matmarex created this task.Nov 22 2022, 9:57 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptNov 22 2022, 9:57 PM
Reedy added a project: MediaWiki-extensions-DoubleWiki.Nov 22 2022, 10:02 PM
Aklapper added a project: Vuln-XSS.Nov 22 2022, 11:02 PM
Mstyles moved this task from Incoming to In Progress on the Security-Team board.Nov 28 2022, 5:17 PM
matmarex added a comment.Nov 28 2022, 6:08 PM

It seems that manual text alignment is only used in about two dozen of pages across all Wikisources:

So removing the alignment feature (not side-by-side rendering entirely) might be a reasonable mitigation.

Mstyles subscribed.Dec 3 2022, 2:06 AM

@matmarex that does sound like a reasonable mitigation to me. If possible though, it would be nice to keep the feature and disable the javascript popups. Do you think that would be possible from what you have reviewed?

matmarex added a comment.Dec 6 2022, 1:02 AM

No doubt it's possible, but ensuring that there are no bugs is much more work than finding just one bug, so I did not try. Maybe we could put some sanitizer on top of the buggy code instead, but I don't know how that will interact with all other parsing code.

Mstyles added a comment.Dec 20 2022, 6:45 PM

@matmarex sanitizer sounds like the best option

Mstyles added a comment.Jan 30 2023, 9:49 PM

@matmarex following up to see if you had a chance to look into the sanitizer. I don't see any other maintainers for this project who could chime in

Mstyles added a project: Platform Engineering.EditedJan 30 2023, 10:03 PM

also adding platform engineering and @Tpt in case they have some insight on this issue

sbassett added a subscriber: Tpt.Jan 30 2023, 10:30 PM
matmarex added a comment.Jan 30 2023, 11:22 PM

Sorry, I didn't get a chance to work on this.

sbassett subscribed.Jan 31 2023, 5:53 PM

What a solution to this issue likely involves is a bit of a rewrite of any functions within DoubleWiki.php (the vast bulk of this extension's functionality) that manipulate and/or output html, likely the list @matmarex provided within the task description. There are probably a few ways to do this:

  1. Parser->parse() - likely too expensive and overkill for this
  2. Sanitizer::removeSomeTags() - also a bit expensive, but possibly more appropriate
  3. Use HTMLPurifier or similar - a few extensions already use this as a dep (and there's literally an extension just for using it) but nothing that's been reviewed or pushed to Wikimedia production as far as I can tell
  4. Review and rewrite the problematic regular expressions - this seems like a waste of time and effort given the previous options

Anyhow, whatever option is pursued, it seems like some basic unit tests should be a part of that effort, as there currently are none. And I suppose there is one final option, though I'd imagine we'd like to avoid it: un-deploy the extension from Wikimedia production.

Mstyles added a comment.Feb 1 2023, 11:57 PM

@sbassett thanks for looking into this....it seems like the HTMLPurifier is our best bet, but should probably be reviewed before being used on WMF production if I'm reading that correctly. I definitely think undeploying the extension would harm some translation efforts and other popular uses of this extension, so I would only consider that as a last resort.

Mstyles changed Risk Rating from N/A to High.Mar 14 2023, 6:27 PM
Mstyles moved this task from Inbox to Security Issues to Triage on the Platform Engineering board.
Mstyles moved this task from In Progress to Watching on the Security-Team board.
Mstyles added a comment.Mar 23 2023, 2:23 AM

the security team would like to start the process to get this extension undeployed as there has been no movement on fixing this high priority security issue by community members or WMF staff. I'll submit this extension to the code stewardship process, but that has been paused for the moment, so there will probably be no activity there for a while.

Mstyles mentioned this in T332850: Undeploy DoubleWiki Extension from Wikimedia production .Mar 23 2023, 2:37 AM
Mstyles added a project: SecTeam-Processed.Mar 23 2023, 2:39 AM

for reference, the code stewardship request is https://phabricator.wikimedia.org/T332850

matmarex added a subscriber: Bawolff.Mar 23 2023, 3:32 AM
Aklapper added a comment.Mar 23 2023, 7:23 AM
In T323651#8720153, @Mstyles wrote:

as there has been no movement on fixing this high priority security issue by community members or WMF staff.

Community members cannot fix security issues if they don't know about / cannot access security issues...
Which steps have been performed to find WMF staff to look into this?

Mstyles added a comment.Mar 23 2023, 7:42 PM

@Aklapper the platform engineering team has been added along with any maintainers mentioned. I don't think there's any other staff members who could be tagged here

Bawolff added a comment.EditedMar 24 2023, 1:35 AM

The PoC here sounds the same as the one on T131199#2342458 so possibly the never applied patch at F4100931 might help. [have not verified myself. Going solely on the PoC looking sort of similar].

That said, this extension is all sorts of sketch. Disabling is not an unreasonable course of action.

sbassett added a comment.Mar 24 2023, 4:01 PM
In T323651#8720357, @Aklapper wrote:

Community members cannot fix security issues if they don't know about / cannot access security issues...
Which steps have been performed to find WMF staff to look into this?

Sadly, there is only one listed maintainer for this extension, and they were added to this bug in January of this year. And there simply aren't really any other active maintainers of the DoubleWiki extension. And having a look at the recent master log, most commits are from libraryupgrader or l10n-bot, with a handful of coding standard updates, but no significant development or maintenance.

In T323651#8723568, @Bawolff wrote:

The PoC here sounds the same as the one on T131199#2342458 so possibly the never applied patch at F4100931 might help. [have not verified myself. Going solely on the PoC looking sort of similar].

I couldn't reproduce those issues at the time, though my testing may have been flawed. I've had a look at the old patch from that bug/paste and it's definitely a non-trivial review to get it up-to-date. I've been working through it a bit this morning, but a lot of maintenance work has been performed on DoubleWiki_body.php since that patch was first written (including moving it to includes/DoubleWiki.php), so it will probably take me a little while to properly walk through the conflicts and merge it. That being said, if we can get a sane, updated patch out of this, then it's probably worthwhile deploying it to production to see if it addresses most or all of the injection issues present.

That said, this extension is all sorts of sketch. Disabling is not an unreasonable course of action.

Agreed, especially since it apparently has no active maintainers and isn't incredibly widely-deployed.

Mstyles added a comment.Apr 17 2023, 4:22 PM

There's a patch out to disable DoubleWiki extension for now until we have a fix for this XSS.

matmarex added a comment.Apr 28 2023, 11:49 AM

Since we're considering undeploying the extension now, I'd like to again suggest removing just the vulnerable feature (aligning content between languages), which basically no one is using anyway, and keeping the rest. I would work on that if anyone is willing to merge such a patch.

Legoktm subscribed.Apr 28 2023, 2:42 PM
In T323651#8813113, @matmarex wrote:

I would work on that if anyone is willing to merge such a patch.

Sure, happy to review.

sbassett added a comment.Apr 28 2023, 4:18 PM
In T323651#8813472, @Legoktm wrote:
In T323651#8813113, @matmarex wrote:

I would work on that if anyone is willing to merge such a patch.

Sure, happy to review.

This would be a decent temporary solution IMO, but it still doesn't solve the issue of an active maintainer to support future security (and other) bugs for this extension. If that piece cannot be solved within a reasonable timeframe, then I think T332850 is still likely the best path forward.

Mstyles added a subscriber: Elitre.Apr 28 2023, 5:07 PM
matmarex added a project: Patch-For-Review.Apr 29 2023, 3:17 PM

Security patch to remove the feature, plus three hardening patches to clean up the remaining code (not known to be vulnerable) that was doing regexp replacements on HTML or questionable HTML escaping:

0001-SECURITY-Remove-vulnerable-column-alignment-feature.patch8 KBDownload

0002-Remove-broken-link-processing-for-the-matched-text.patch1 KBDownload

0003-Modernize-HTML-output.patch5 KBDownload

0004-Use-HtmlHelper-modifyElements-instead-of-regexps-to-.patch3 KBDownload

I can submit the latter three for review on Gerrit later, or we may review here and apply them as security patches if you'd like.

Mstyles added a comment.May 1 2023, 11:23 PM

@matmarex thank you so much for submitting these patches! is there anyone we can find as a reviewer to ensure we're moving in the right direction?

Mstyles added a comment.May 2 2023, 4:44 PM

@matmarex we would prefer to keep these as patches and not review on Gerrit for security purposes

matmarex added a comment.May 2 2023, 8:35 PM
In T323651#8817770, @Mstyles wrote:

@matmarex thank you so much for submitting these patches! is there anyone we can find as a reviewer to ensure we're moving in the right direction?

I haven't reached out to anyone, other than the folks who subscribed themselves to this task and might be willing. Do you want me to advertise it on the WMF Slack or something?

In T323651#8820970, @Mstyles wrote:

@matmarex we would prefer to keep these as patches and not review on Gerrit for security purposes

Sure, no problem.

Legoktm added a comment.EditedMay 3 2023, 7:57 AM
In T323651#8817770, @Mstyles wrote:

is there anyone we can find as a reviewer to ensure we're moving in the right direction?

Errr, I already volunteered to do the review? (T323651#8813472)

I did a visual review just now, they look fine, will do a bit of testing tomorrow before +2ing.

Mstyles added a comment.May 8 2023, 4:13 PM

@Legoktm did you get a chance to do some testing? this could possibly be deployed today during the security deploy window

sbassett added a comment.May 15 2023, 8:58 PM

CR+2 for the first security patch from T323651#8814793. It should substantially reduce the risk of matchColumns(). There's still some sketchy regexp stuff happening within getMangledTextAndTranslation(), but we don't have any reported issues there, yet. I think we can security-deploy this and see how it goes, while maybe creating a corresponding public bug explaining that the match columns functionality for DoubleWiki will be indefinitely disabled. If the security patch seems stable after a day or two, we can likely push @matmarex' remaining code improvement patches through gerrit.

Mstyles added a comment.May 15 2023, 11:03 PM
In T323651#8814793, @matmarex wrote:

Security patch to remove the feature, plus three hardening patches to clean up the remaining code (not known to be vulnerable) that was doing regexp replacements on HTML or questionable HTML escaping:

0001-SECURITY-Remove-vulnerable-column-alignment-feature.patch8 KBDownload

0002-Remove-broken-link-processing-for-the-matched-text.patch1 KBDownload

0003-Modernize-HTML-output.patch5 KBDownload

0004-Use-HtmlHelper-modifyElements-instead-of-regexps-to-.patch3 KBDownload

I can submit the latter three for review on Gerrit later, or we may review here and apply them as security patches if you'd like.

The Security patch ONLY has been deployed

Mstyles mentioned this in T333626: Write and send supplementary release announcement for extensions and skins with security patches (1.35.11/1.38.7/1.39.4/1.40.0).May 15 2023, 11:06 PM
sbassett added a comment.May 16 2023, 2:36 PM
In T323651#8852650, @Mstyles wrote:

The Security patch ONLY has been deployed

Thanks! It would be nice if we could test that the reported payload no longer works in production. While testwiki seems to have ext:DoubleWiki enabled, it does not appear to be working there, which isn't really surprising. I have OS rights on the wikisources with my staff rights, apparently, but I hesitate to edit something like Bible_(King_James)/Genesis there, even if I could be rather quick about testing and then suppressing the edit.

Bawolff added a comment.May 16 2023, 3:28 PM

Seems like it works on test https://test.wikipedia.org/wiki/Main_Page?match=en

sbassett added a comment.May 16 2023, 6:16 PM
In T323651#8855905, @Bawolff wrote:

Seems like it works on test https://test.wikipedia.org/wiki/Main_Page?match=en

Huh, interesting. On some fairly obvious pages (or what I think are fairly obvious) it does not?

https://test.wikipedia.org/wiki/Dog?match=en
https://test.wikipedia.org/wiki/Barack_Obama?match=en

etc.

Anyhow, I tested against Main_page: https://test.wikipedia.org/w/index.php?title=Main_Page&diff=570072&oldid=570071. I think I did that correctly and could not get the XSS payload within the task description to execute when attempting a ?match=en.

Bawolff added a comment.May 16 2023, 7:55 PM

It requires the interlanguage link to be present (i just added one to dog so that works now)

Mstyles added a comment.May 30 2023, 5:06 PM
In T323651#8814793, @matmarex wrote:

Security patch to remove the feature, plus three hardening patches to clean up the remaining code (not known to be vulnerable) that was doing regexp replacements on HTML or questionable HTML escaping:

0001-SECURITY-Remove-vulnerable-column-alignment-feature.patch8 KBDownload

0002-Remove-broken-link-processing-for-the-matched-text.patch1 KBDownload

0003-Modernize-HTML-output.patch5 KBDownload

0004-Use-HtmlHelper-modifyElements-instead-of-regexps-to-.patch3 KBDownload

I can submit the latter three for review on Gerrit later, or we may review here and apply them as security patches if you'd like.

I submitted the second patch to Gerrit, it can be found here: https://gerrit.wikimedia.org/r/c/mediawiki/extensions/DoubleWiki/+/924136
The last two patches did not apply when I tried. Not sure what happened

Mstyles added a subscriber: jenkins-bot.May 30 2023, 5:07 PM
sbassett added a comment.May 30 2023, 5:51 PM
In T323651#8889596, @Mstyles wrote:

I submitted the second patch to Gerrit, it can be found here: https://gerrit.wikimedia.org/r/c/mediawiki/extensions/DoubleWiki/+/924136
The last two patches did not apply when I tried. Not sure what happened

The final two patches depend upon the changes made within the security patch. So they'll have to wait to be merged until that patch is publicly released. Which we could do now (since it's already in Wikimedia production: T276237) or wait until the end of the quarter, when it gets mentioned within the next supplemental security release (T333626).

Mstyles added a subscriber: gerritbot.Jun 27 2023, 11:25 PM
gerritbot added a comment.Jun 27 2023, 11:29 PM

Change 932825 had a related patch set uploaded (by Mstyles; author: Bartosz Dziewoński):

[mediawiki/extensions/DoubleWiki@master] Remove vulnerable column alignment feature

https://gerrit.wikimedia.org/r/932825

gerritbot added a comment.Jun 27 2023, 11:30 PM

Change 933666 had a related patch set uploaded (by Mstyles; author: Bartosz Dziewoński):

[mediawiki/extensions/DoubleWiki@master] Modernize HTML output

https://gerrit.wikimedia.org/r/933666

gerritbot added a comment.Jun 27 2023, 11:30 PM

Change 933667 had a related patch set uploaded (by Mstyles; author: Bartosz Dziewoński):

[mediawiki/extensions/DoubleWiki@master] Use HtmlHelper::modifyElements() instead of regexps to modify links

https://gerrit.wikimedia.org/r/933667

gerritbot added a comment.Jun 29 2023, 7:01 PM

Change 932825 merged by jenkins-bot:

[mediawiki/extensions/DoubleWiki@master] Remove vulnerable column alignment feature

https://gerrit.wikimedia.org/r/932825

gerritbot added a comment.Jun 30 2023, 9:35 AM

Change 933666 merged by jenkins-bot:

[mediawiki/extensions/DoubleWiki@master] Modernize HTML output

https://gerrit.wikimedia.org/r/933666

gerritbot added a comment.Jun 30 2023, 9:36 AM

Change 933667 merged by jenkins-bot:

[mediawiki/extensions/DoubleWiki@master] Use HtmlHelper::modifyElements() instead of regexps to modify links

https://gerrit.wikimedia.org/r/933667

Mstyles renamed this task from XSS in DoubleWiki extension (Wikisource) to CVE-2023-37304: XSS in DoubleWiki extension (Wikisource).Jun 30 2023, 5:47 PM
Mstyles changed the visibility from "Custom Policy" to "Public (No Login Required)".
Mstyles changed the edit policy from "Custom Policy" to "All Users".
matmarex closed this task as Resolved.Jun 30 2023, 7:31 PM
matmarex claimed this task.
matmarex removed a project: Patch-For-Review.
Mstyles moved this task from Watching to Our Part Is Done on the Security-Team board.Jun 30 2023, 7:49 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL