Page MenuHomePhabricator
Create Task
Maniphest T333569

CVE-2023-37255: Special:CheckUser 'get edits' is vulnerable to HTML injection through user agent string
Closed, ResolvedPublicSecurity
Actions

Assigned To
Dreamy_Jazz
Authored By
Dreamy_Jazz
Mar 30 2023, 2:43 PM
Tags
Referenced Files
F36934361: 0001-SECURITY-Escape-user-agent-before-showing-in-Special.patch
Mar 30 2023, 2:59 PM
F36934360: T333569.patch
Mar 30 2023, 2:54 PM
F36934359: T333569.patch
Mar 30 2023, 2:49 PM
F36934356: image.png
Mar 30 2023, 2:43 PM
F36934353: image.png
Mar 30 2023, 2:43 PM
Subscribers
Aklapper
Dreamy_Jazz
gerritbot
Lucas_Werkmeister_WMDE
Reedy
sbassett
taavi

Description

Steps to reproduce

  • Modify your user agent to include HTML
  • Make a test edit or logged action
  • Load Special:CheckUser
  • Run a check using the 'get edits' type
  • Notice that the HTML isn't escaped

Example
Override your user agent string (example using Firefox about:config):

image.png (101×2 px, 13 KB)

Inspecting the logged edit using inspect element:
image.png (107×560 px, 6 KB)

Other information
The user agent is truncated before insertion into the database at 255 bytes which could make it harder to abuse. Only occurs when running the 'get edits' check type.

Details

Risk Rating
Medium
Author Affiliation
Wikimedia Communities
SubjectRepoBranchLines +/-
SECURITY: Escape user-agent in SpecialCheckUser get edits modemediawiki/extensions/CheckUsermaster+1 -1
SECURITY: Escape user-agent in SpecialCheckUser get edits modemediawiki/extensions/CheckUserREL1_40+1 -1
SECURITY: Escape user-agent in SpecialCheckUser get edits modemediawiki/extensions/CheckUserREL1_39+1 -1
Customize query in gerrit

Related Objects

Event Timeline

Dreamy_Jazz created this task.Mar 30 2023, 2:43 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptMar 30 2023, 2:43 PM
Dreamy_Jazz renamed this task from Special:CheckUser vulnerable to HTML injection through user agent string to Special:CheckUser 'get edits' is vulnerable to HTML injection through user agent string.Mar 30 2023, 2:44 PM
Dreamy_Jazz added projects: CheckUser, Patch-For-Review.Mar 30 2023, 2:49 PM

Proposed patch:

T333569.patch1 KBDownload

Dreamy_Jazz updated the task description. (Show Details)Mar 30 2023, 2:50 PM
taavi subscribed.Mar 30 2023, 2:52 PM
In T333569#8742158, @Dreamy_Jazz wrote:

Proposed patch:

T333569.patch1 KBDownload

Please add a SECURITY: prefix to the commit message.

Dreamy_Jazz added a comment.EditedMar 30 2023, 2:54 PM
In T333569#8742167, @taavi wrote:
In T333569#8742158, @Dreamy_Jazz wrote:

Proposed patch:

T333569.patch1 KBDownload

Please add a SECURITY: prefix to the commit message.

Done. Updated patch provided below:

T333569.patch1 KBDownload

Dreamy_Jazz updated the task description. (Show Details)Mar 30 2023, 2:56 PM
Lucas_Werkmeister_WMDE subscribed.Mar 30 2023, 2:58 PM

Added prefix, will deploy now. I was able to reproduce the issue and test the fix locally.

0001-SECURITY-Escape-user-agent-before-showing-in-Special.patch1 KBDownload

Lucas_Werkmeister_WMDE added a comment.Mar 30 2023, 3:00 PM

Scratch that, I’ll use the updated patch from @Dreamy_Jazz instead :)

Lucas_Werkmeister_WMDE added a subscriber: Reedy.Mar 30 2023, 3:08 PM

@Reedy I wonder if we can include this in the security release that you pre-announced yesterday? Or is this too short notice? (Security deployment is currently ongoing, btw.)

Dreamy_Jazz added a comment.Mar 30 2023, 3:11 PM

This fix needs backporting to 1.39 and 1.40. 1.38 and before doesn't seem to have this problem.

Lucas_Werkmeister_WMDE added a comment.Mar 30 2023, 3:13 PM
In T333569#8742285, @Dreamy_Jazz wrote:

This fix needs backporting to 1.39 and 1.40. 1.38 and before doesn't seem to have this problem.

Agreed, I just checked the same thing. (The bug was introduced in 6d6b229c02, the old code was using htmlspecialchars( $row->cuc_agent ) and thus safe.)

Lucas_Werkmeister_WMDE added a comment.Mar 30 2023, 3:17 PM

The fix should be deployed on wmf.1 and wmf.2 now. (I used deploy_security.py.)

Dreamy_Jazz added a comment.EditedMar 30 2023, 3:22 PM

Can verify this deployed correctly.

Was able to verify without the need to spoof my user agent to include HTML as there is separate bug with the template parser that makes the user agent not display if there is a specific character (which is how I found this issue) when the value is escaped. That issue is rare (only seen it once) and isn't a security issue. Will be looking for the associated task and if not filing one.

Lucas_Werkmeister_WMDE mentioned this in T333572: deploy_security.py should check if user.name and user.email git configs are set.Mar 30 2023, 3:26 PM
Dreamy_Jazz removed a project: Patch-For-Review.Mar 30 2023, 4:10 PM
sbassett subscribed.Mar 30 2023, 5:49 PM

Thanks all for the quick patch and deploy.

In T333569#8742274, @Lucas_Werkmeister_WMDE wrote:

@Reedy I wonder if we can include this in the security release that you pre-announced yesterday? Or is this too short notice? (Security deployment is currently ongoing, btw.)

Since CheckUser isn't bundled with core, it would go out as part of a supplemental security releases (current tracking bug: T325849). I don't know if I'd agree there's any sense of urgency here - anything within the supplemental release can be made public and have backports performed once the issue has been patched in Wikimedia production. So this issue could be a part of the next supplemental security release, but be disclosed and backported much sooner.

Dreamy_Jazz moved this task from General / Unsorted to CheckUser on the CheckUser board.Mar 31 2023, 1:46 PM
Dreamy_Jazz added a project: Vuln-XSS.
sbassett moved this task from Incoming to Watching on the Security-Team board.Mar 31 2023, 4:26 PM
sbassett added a project: SecTeam-Processed.
Dreamy_Jazz added a comment.EditedApr 4 2023, 7:21 PM
In T333569#8742962, @sbassett wrote:

So this issue could be a part of the next supplemental security release, but be disclosed and backported much sooner.

Considering that users of the release branches will be pulling the changes soon, getting this merged into the release branches before the git pull is run makes sense to me. Therefore, given that this seems to be an okay thing once it's fixed in WMF production (which it has been), I'll do as such now.

A useful side effect of getting this fix out is that it makes fixing a non-security bug easier as this method of escaping seems to prevent some unicode characters being displayed (see T333573). The temporary fix (unless I can find the core issue) would be to use htmlspecialchars to escape the value. This method would conflict with the currently deployed security patch.

sbassett mentioned this in T333626: Write and send supplementary release announcement for extensions and skins with security patches (1.35.11/1.38.7/1.39.4/1.40.0).Apr 4 2023, 8:03 PM
sbassett added a subscriber: gerritbot.
In T333569#8756232, @Dreamy_Jazz wrote:

Considering that users of the release branches will be pulling the changes soon, getting this merged into the release branches before the git pull is run makes sense to me. Therefore, given that this seems to be an okay thing once it's fixed in WMF production (which it has been), I'll do as such now.

That's fine - I've got it tracked for the next supplemental release: T333626. Completely fine to open this up and do backports now.

sbassett changed the task status from Open to In Progress.Apr 4 2023, 8:05 PM
sbassett triaged this task as Medium priority.
sbassett changed Author Affiliation from N/A to Wikimedia Communities.
sbassett changed the visibility from "Custom Policy" to "Public (No Login Required)".
sbassett changed the edit policy from "Custom Policy" to "All Users".
sbassett changed Risk Rating from N/A to Medium.
gerritbot added a comment.Apr 4 2023, 9:15 PM

Change 905733 had a related patch set uploaded (by Dreamy Jazz; author: Dreamy Jazz):

[mediawiki/extensions/CheckUser@REL1_40] SECURITY: Escape user-agent in SpecialCheckUser get edits mode

https://gerrit.wikimedia.org/r/905733

gerritbot added a project: Patch-For-Review.Apr 4 2023, 9:15 PM

Change 905734 had a related patch set uploaded (by Dreamy Jazz; author: Dreamy Jazz):

[mediawiki/extensions/CheckUser@REL1_39] SECURITY: Escape user-agent in SpecialCheckUser get edits mode

https://gerrit.wikimedia.org/r/905734

gerritbot added a comment.Apr 4 2023, 9:23 PM

Change 905734 merged by jenkins-bot:

[mediawiki/extensions/CheckUser@REL1_39] SECURITY: Escape user-agent in SpecialCheckUser get edits mode

https://gerrit.wikimedia.org/r/905734

gerritbot added a comment.Apr 4 2023, 9:23 PM

Change 905733 merged by jenkins-bot:

[mediawiki/extensions/CheckUser@REL1_40] SECURITY: Escape user-agent in SpecialCheckUser get edits mode

https://gerrit.wikimedia.org/r/905733

gerritbot added a comment.Apr 4 2023, 10:01 PM

Change 905706 merged by jenkins-bot:

[mediawiki/extensions/CheckUser@master] SECURITY: Escape user-agent in SpecialCheckUser get edits mode

https://gerrit.wikimedia.org/r/905706

Dreamy_Jazz claimed this task.Apr 4 2023, 10:03 PM

Unsure what else might need to be done before this can be marked as resolved (i.e. removing the patch on WMF systems), but the fix has been merged and backported to all supported versions that were vulnerable.

ReleaseTaggerBot added a project: MW-1.41-notes (1.41.0-wmf.4; 2023-04-10).Apr 5 2023, 1:00 AM
sbassett closed this task as Resolved.Apr 5 2023, 2:45 PM
In T333569#8757048, @Dreamy_Jazz wrote:

Unsure what else might need to be done before this can be marked as resolved (i.e. removing the patch on WMF systems), but the fix has been merged and backported to all supported versions that were vulnerable.

We track Wikimedia production patches on another task and Release Engineering has a step in the train that detects when such patches should fall off. So I think this can be resolved for now.

mmartorana renamed this task from Special:CheckUser 'get edits' is vulnerable to HTML injection through user agent string to CVE-2023-37255: Special:CheckUser 'get edits' is vulnerable to HTML injection through user agent string.Jun 30 2023, 5:54 PM
Mstyles moved this task from Watching to Our Part Is Done on the Security-Team board.Jun 30 2023, 6:01 PM
Dreamy_Jazz mentioned this in T356190: CVE-2024-34503: ReportIncident REST API does not use a CSRF token.Jan 31 2024, 12:01 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits