Page MenuHomePhabricator
Create Task
Maniphest T331065

CVE-2023-37254: Extension:Cargo XSS in Special:CargoQuery using default format
Closed, ResolvedPublicSecurity
Actions

Description

Steps to reproduce:

Make a template Template:TextXSS:

<noinclude>{{#cargo_declare: _table=TestXSS
|field1=String (mandatory)
}}
</noinclude><includeonly>

Field1 is {{{field1}}}

{{#cargo_store: _table=TestXSS
|field1={{{field1}}}
}}
</includeonly>

And create the table.

Make a page Item:

{{TestXSS|field1=<script>alert(1)</script>}}

Go to Special:CargoQuery. Put table as TestXSS, field as TestXSS.field1. Keep format as (default). Hit submit, notice the popup box

Details

Author Affiliation
Other (Please specify in description)

Related Objects

Event Timeline

Bawolff created this task.Mar 2 2023, 9:21 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptMar 2 2023, 9:21 PM
Bawolff added a project: MediaWiki-extensions-Cargo.Mar 2 2023, 9:22 PM
Yaron_Koren added a comment.Mar 6 2023, 3:57 PM

Fixed here, I think: https://gerrit.wikimedia.org/r/c/mediawiki/extensions/Cargo/+/894666

Yaron_Koren added a comment.Mar 6 2023, 3:58 PM

(And thanks for letting me know about this problem!)

Bawolff added a comment.Mar 6 2023, 5:24 PM

I tested the fix, and can confirm that it seems to fix the issue.

I filed T331311 for a second thing i noticed while looking at the code.

Aklapper added a project: Vuln-XSS.Mar 6 2023, 8:55 PM
Yaron_Koren closed this task as Resolved.Mar 6 2023, 9:06 PM
Yaron_Koren claimed this task.
Grunny added a subscriber: TK-999.Mar 7 2023, 9:35 PM
Bawolff added a comment.Apr 5 2023, 11:38 AM

[Making public since resolved]

Bawolff changed the visibility from "Custom Policy" to "Public (No Login Required)".Apr 5 2023, 11:38 AM
Bawolff changed the edit policy from "Custom Policy" to "All Users".
sbassett mentioned this in T333626: Write and send supplementary release announcement for extensions and skins with security patches (1.35.11/1.38.7/1.39.4/1.40.0).Apr 5 2023, 2:35 PM
mmartorana renamed this task from Extension:Cargo XSS in Special:CargoQuery using default format to CVE-2023-37254: Extension:Cargo XSS in Special:CargoQuery using default format.Jun 30 2023, 5:56 PM
Mstyles moved this task from Incoming to Our Part Is Done on the Security-Team board.Jun 30 2023, 5:58 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits