Page MenuHomePhabricator
Create Task
Maniphest T333980

CVE-2023-37251: GoogleAnalyticsMetrics extension - XSS
Closed, ResolvedPublicSecurity
Actions

Description

#googleanalyticstrackurl parser function in extension does not properly escape js in onclick handler and does not prevent using javascript urls.

Additionally it does not register external links in the parser (important for antispam).

Details

Risk Rating
Medium
Author Affiliation
Wikimedia Communities
SubjectRepoBranchLines +/-
SECURITY: Fix escaping in googleAnalyticsTrackUrlmediawiki/extensions/GoogleAnalyticsMetricsmaster+22 -5
SECURITY: Fix escaping in googleAnalyticsTrackUrlmediawiki/extensions/GoogleAnalyticsMetricsREL1_35+21 -4
SECURITY: Fix escaping in googleAnalyticsTrackUrlmediawiki/extensions/GoogleAnalyticsMetricsREL1_38+22 -5
SECURITY: Fix escaping in googleAnalyticsTrackUrlmediawiki/extensions/GoogleAnalyticsMetricsREL1_39+22 -5
SECURITY: Fix escaping in googleAnalyticsTrackUrlmediawiki/extensions/GoogleAnalyticsMetricsREL1_40+22 -5
Customize query in gerrit

Related Objects

Event Timeline

Bawolff created this task.Apr 4 2023, 4:13 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptApr 4 2023, 4:13 PM
Bawolff added a project: MediaWiki-extensions-GoogleAnalyticsMetrics.Apr 4 2023, 4:14 PM

https://gerrit.wikimedia.org/r/c/mediawiki/extensions/GoogleAnalyticsMetrics/+/905661

Aklapper added a project: Vuln-XSS.Apr 4 2023, 4:24 PM
Lucas_Werkmeister_WMDE subscribed.Apr 4 2023, 4:37 PM
			return '<strong class="error">' .
				wfMessage( 'googleanalyticsmetrics-invalid-url' )->text() .
				'</strong>';

Doesn’t this need to be ->parse() or ->escaped() to prevent HTML injection from the googleanalyticsmetrics-invalid-url message?

sbassett edited projects, added SecTeam-Processed; removed Security-Team.Apr 4 2023, 4:38 PM
sbassett added a subscriber: gerritbot.
Bawolff added a comment.Apr 4 2023, 4:40 PM
In T333980#8755485, @Lucas_Werkmeister_WMDE wrote:
			return '<strong class="error">' .
				wfMessage( 'googleanalyticsmetrics-invalid-url' )->text() .
				'</strong>';

Doesn’t this need to be ->parse() or ->escaped() to prevent HTML injection from the googleanalyticsmetrics-invalid-url message?

No, because parser functions (unlike tag extensions) return wikitext if you return a string from them. So the return value is interpreted as being wikitext and does all normal wikitext escaping.

Lucas_Werkmeister_WMDE added a comment.Apr 4 2023, 4:42 PM

I see, thanks.

Bawolff added a subscriber: Mstyles.Apr 4 2023, 4:42 PM

@Mstyles Can this be added to next extension security supplement?

Lucas_Werkmeister_WMDE unsubscribed.Apr 4 2023, 4:55 PM
sbassett mentioned this in T333626: Write and send supplementary release announcement for extensions and skins with security patches (1.35.11/1.38.7/1.39.4/1.40.0).Apr 4 2023, 8:34 PM
sbassett subscribed.
In T333980#8755512, @Bawolff wrote:

@Mstyles Can this be added to next extension security supplement?

Yes, added: T333626. Also going to just make this public now.

sbassett closed this task as Resolved.Apr 4 2023, 8:37 PM
sbassett assigned this task to Bawolff.
sbassett triaged this task as Medium priority.
sbassett changed Author Affiliation from Other (Please specify in description) to Wikimedia Communities.
sbassett changed the visibility from "Custom Policy" to "Public (No Login Required)".
sbassett changed the edit policy from "Custom Policy" to "All Users".
sbassett changed Risk Rating from N/A to Medium.
Mstyles renamed this task from GoogleAnalyticsMetrics extension - XSS to CVE-2023-37251: GoogleAnalyticsMetrics extension - XSS.Jun 30 2023, 5:47 PM
Mstyles mentioned this in T340874: Write and send supplementary release announcement for extensions and skins with security patches (1.35.12/1.39.5/1.40.1).Oct 10 2023, 4:58 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits