
CVE-2023-29135: CheckUser 'get users' form vulnerable to HTML injection through usernames
Closed, Resolved. Public. Security.

Description

Steps to replicate the issue (include links if applicable):

Original steps
In CU get users tab I selected the checkboxes for accounts named Aée"a"zaEFZgrtsgewr, Aée"a"zaEFZ and Aée"a"za among others, entered a reason for blocking them and hit the block button.

Steps for the larger issue behind this

  • Register an account with the username Test" onclick="alert('test');"
  • Log into an account that can access CheckUser
  • Run 'Get IP Addresses' on the account created in step 1
  • Click on an IP shown in the results
  • Run 'Get users' on that IP
  • Click the checkbox for the user created in step 1

What happens?:

Original
The three named accounts were not blocked, the other accounts without accentuated letters were successfully blocked.

For the wider issue
An alert box is displayed showing that HTML injection can occur, including JS injection.

What should have happened instead?:

Original
All selected accounts should've been blocked.

For the wider issue
The username should have been properly escaped.

Software version (skip for WMF-hosted wikis like Wikipedia):

WMF Production. Meta-Wiki.

Also on a localhost testing wiki

Other information (browser name/version, screenshots, etc.):

I've manually blocked the accounts myself.

Selecting them to use Special:MultiLock breaks too. I suspect this is the quotes " in their usernames.

Event Timeline

MarcoAurelio renamed this task from CheckUser did not block a selected account to CheckUser did not block some selected accounts. Mar 4 2023, 11:07 AM
MarcoAurelio updated the task description.
Dreamy_Jazz triaged this task as High priority. Mar 15 2023, 7:23 PM
Dreamy_Jazz subscribed.

Found the cause. The mustache template did not HTML escape the username, which means " characters cause the defined username to be ended early. This means the CheckUser form tried to block User:Aée.

Triaging as High due to the risk of unintentional blocking of unrelated accounts.

This should not allow any injection attacks because the ">" character is not defined as an allowed character to be in a username. This means that ending the input tag to start a new one (which injects HTML) would not be possible. However, this fix should be backported to release 1.39.

Dreamy_Jazz raised the priority of this task from High to Needs Triage. Mar 15 2023, 7:33 PM
Dreamy_Jazz set Security to Software security bug.
Dreamy_Jazz changed the visibility from "Public (No Login Required)" to "Custom Policy".
Dreamy_Jazz changed the subtype of this task from "Bug Report" to "Security Issue".

Actually I think this is an issue because it could allow the insertion of other attributes to the input tag.

Example HTML injection with the onclick handler:

[Screenshot attachment: image.png, 160 KB]
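The two comments above describe the failure mode in full: the Mustache template placed the username into the checkbox's value attribute without HTML escaping, so a " in the name closes the attribute early (which is why the form ended up targeting User:Aée), and although > is not a permitted username character, the rest of the name can still become additional attributes such as onclick. The JavaScript below is an added example, not code from the CheckUser extension or from anyone in this thread. It renders the checkbox the unescaped way and the escaped way (the behaviour the merged "Escape HTML in the user text" patches restore) and then inspects the attributes a browser would see. The names escapeHtml, unescapeHtml, renderCheckboxUnescaped, renderCheckboxEscaped, parseAttributes, isPermittedUsernameChar and analyze are assumed helpers written for this illustration; the attribute parser is a deliberate simplification, and the username-character check reflects only the statement in the thread that > is disallowed, not MediaWiki's full rule set.

```javascript
// Added example for this thread; not code from the CheckUser extension.
// It contrasts Mustache-style unescaped interpolation ({{{username}}}) with
// HTML-escaped interpolation ({{username}}) for the 'Get users' checkbox,
// then parses the rendered tag to show what the browser would end up with.

// HTML-escape a string for use inside a double-quoted attribute
// (the same five characters Mustache's double-brace tag escapes).
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;');
}

// Reverse of escapeHtml, used only so the parser can report decoded values.
function unescapeHtml(s) {
  return s
    .replace(/&quot;/g, '"')
    .replace(/&#39;/g, "'")
    .replace(/&lt;/g, '<')
    .replace(/&gt;/g, '>')
    .replace(/&amp;/g, '&');
}

// Vulnerable rendering: the username lands in the attribute unescaped,
// which is what the template did before the fix.
function renderCheckboxUnescaped(username) {
  return `<input type="checkbox" name="users[]" value="${username}">`;
}

// Fixed rendering: escape before interpolating.
function renderCheckboxEscaped(username) {
  return `<input type="checkbox" name="users[]" value="${escapeHtml(username)}">`;
}

// Simplified attribute parser (hypothetical helper, not a full HTML tokenizer):
// returns { name: decodedValue } for the attributes of the first tag.
function parseAttributes(markup) {
  const tag = markup.match(/^<\w+\s([^>]*)>/);
  if (!tag) return {};
  const attrs = {};
  const re = /([\w-]+)(?:="([^"]*)")?/g;
  let m;
  while ((m = re.exec(tag[1])) !== null) {
    attrs[m[1]] = m[2] === undefined ? '' : unescapeHtml(m[2]);
  }
  return attrs;
}

// The thread notes that '>' is not a permitted username character while '"'
// is; this check reflects only that statement, not MediaWiki's full rule set.
function isPermittedUsernameChar(ch) {
  return ch !== '>';
}

// Render a username both ways and report what a browser would see.
function analyze(username) {
  const permitted = [...username].every(isPermittedUsernameChar);
  return {
    permitted,
    unescaped: parseAttributes(renderCheckboxUnescaped(username)),
    escaped: parseAttributes(renderCheckboxEscaped(username)),
  };
}

// Constructed inputs taken from the report: an accented name containing
// quotes, and the attribute-injection name from the reproduction steps.
const SAMPLE_USERNAMES = [
  'Aée"a"zaEFZgrtsgewr',
  'Test" onclick="alert(\'test\');"',
];

// Stand-alone run: print both renderings' attribute views for each sample.
for (const u of SAMPLE_USERNAMES) {
  console.log(JSON.stringify({ username: u, ...analyze(u) }, null, 2));
}
```

With the first sample the unescaped rendering yields value "Aée" plus two stray attributes, which is exactly the truncation the triage comment describes; with the second it yields an onclick attribute. After escaping, both names round-trip intact as the value and no extra attribute appears, because the escaped " can no longer terminate the attribute.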

Dreamy_Jazz renamed this task from CheckUser did not block some selected accounts to CheckUser 'get users' form vulnerable to HTML injection. Mar 15 2023, 7:42 PM
Dreamy_Jazz triaged this task as High priority.
Dreamy_Jazz renamed this task from CheckUser 'get users' form vulnerable to HTML injection to CheckUser 'get users' form vulnerable to HTML injection through usernames. Mar 15 2023, 7:47 PM
Dreamy_Jazz updated the task description.
Mstyles renamed this task from CheckUser 'get users' form vulnerable to HTML injection through usernames to CVE-2023-29135: CheckUser 'get users' form vulnerable to HTML injection through usernames. Apr 4 2023, 4:19 AM

Change 904920 had a related patch set uploaded (by Mstyles; author: Dreamy Jazz):

[mediawiki/extensions/CheckUser@master] Escape HTML in the user text for the checkbox in get users

https://gerrit.wikimedia.org/r/904920

Change 905267 had a related patch set uploaded (by Mstyles; author: Dreamy Jazz):

[mediawiki/extensions/CheckUser@REL1_39] Escape HTML in the user text for the checkbox in get users

https://gerrit.wikimedia.org/r/905267

Change 905267 merged by jenkins-bot:

[mediawiki/extensions/CheckUser@REL1_39] SECURITY: Escape HTML in the user text for the checkbox in get users

https://gerrit.wikimedia.org/r/905267

Change 904920 merged by jenkins-bot:

[mediawiki/extensions/CheckUser@master] SECURITY: Escape HTML in the user text for the checkbox in get users

https://gerrit.wikimedia.org/r/904920

Mstyles claimed this task.

I've also backported this to 1.40.

mmartorana changed the visibility from "Custom Policy" to "Public (No Login Required)". Apr 4 2023, 7:08 PM