
CVE-2023-45365: i18n XSS in Citoid Wikibase module
Closed, ResolvedPublicSecurity

Description

NOTE: The affected feature is enabled on Test Wikidata in the production cluster, as well as on Beta Wikidata (but not on production real Wikidata). On Test Wikidata, admins, interface admins and Wikidata staff have the right to edit the relevant messages. (Interface admins can edit common.js anyway, but regular admins can’t.)

If

  • both Citoid and Wikibase are loaded, and
  • $wgWBRepoSettings['enableRefTabs'] is set to true (it’s false by default), and
  • a $wgWBCitoidFullRestbaseURL is configured (e.g. 'https://en.wikipedia.org/api/rest_'),

then the contents of the messages citoid-wb-pendingdialog-message and citoid-wb-pendingdialog-title will be injected into the page HTML by Citoid’s JS when an item is loaded (even if Citoid doesn’t have anything to do yet), without any escaping. If the messages are set to e.g. <script>alert('xss')</script>, either in en.json or in the MediaWiki: namespace, then that alert will fire.

The messages are being used here:

modules/wikibase/wb.CitoidPendingDialog.js
// OO.ui.deferMsg() returns a function that resolves the message text when called.
// jQuery's .append() invokes a function argument and parses the returned string
// as HTML, so the raw message content lands in the DOM without escaping.
this.waitingPanel = new OO.ui.PanelLayout( { padded: true, expanded: false } );
this.waitingPanel.$element.append( OO.ui.deferMsg( 'citoid-wb-pendingdialog-message' ) );
this.errorPanel = new OO.ui.PanelLayout( { padded: true, expanded: false } );
this.errorPanel.$element.append( OO.ui.deferMsg( 'citoid-wb-pendingdialog-error' ) );

I’m guessing that OO.ui.deferMsg() isn’t supposed to be used like this (though its documentation is pretty sparse imho).
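The mechanism behind the report, as an added example (not Citoid's, OOUI's or jQuery's own code): the script below models how jQuery's .append() treats a function argument (it is called and its string return value is parsed as HTML), how OO.ui.deferMsg() feeds such a function, and what inserting the resolved message as text instead looks like. The message catalogue, the msg()/deferMsg() stand-ins, the FakeElement class and the findMarkup() check are all constructed for this illustration and are not the real APIs.

```javascript
// Constructed message catalogue standing in for en.json or MediaWiki: namespace
// overrides; the first value is the payload from the report.
const MESSAGES = {
  'citoid-wb-pendingdialog-message': "<script>alert('xss')</script>",
  'citoid-wb-pendingdialog-error': 'Could not fetch citation & metadata'
};

// Stand-in for OO.ui.msg(): resolves a message key to its current text.
function msg(key) {
  return Object.prototype.hasOwnProperty.call(MESSAGES, key) ? MESSAGES[key] : '[' + key + ']';
}

// Stand-in for OO.ui.deferMsg(): returns a function that resolves the message later.
function deferMsg(key) {
  return function () { return msg(key); };
}

// Minimal model of a jQuery-wrapped element: we only track its inner HTML.
class FakeElement {
  constructor() { this.html = ''; }
}

// Models jQuery.fn.append(): a function argument is invoked and the returned
// string is treated as HTML markup (jQuery also runs any <script> it contains).
function append(el, content) {
  const value = typeof content === 'function' ? content() : content;
  el.html += String(value); // inserted raw, no escaping
  return el;
}

// Escapes the HTML-significant characters; this is the effect of inserting a
// string as a text node (what jQuery's .text() does).
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Models $el.text(value): the value becomes inert text, not markup.
function text(el, value) {
  el.html += escapeHtml(value);
  return el;
}

// The pattern from wb.CitoidPendingDialog.js: deferred message appended as HTML.
function renderVulnerable(key) {
  return append(new FakeElement(), deferMsg(key)).html;
}

// A hardened form: resolve the message and insert it as text.
function renderSafe(key) {
  return text(new FakeElement(), msg(key)).html;
}

// Constructed check: which catalogue entries contain markup characters at all?
// Useful when auditing which messages an unescaped sink would make dangerous.
function findMarkup(messages) {
  return Object.keys(messages).filter((k) => /[<>]/.test(messages[k]));
}

console.log(renderVulnerable('citoid-wb-pendingdialog-message')); // raw <script> tag
console.log(renderSafe('citoid-wb-pendingdialog-message'));       // escaped, inert
console.log(findMarkup(MESSAGES));
```

The escaped form is only one option; a message that legitimately needs markup would instead have to be built from trusted HTML with the untrusted parts parameterised and escaped, which this example does not model.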

Event Timeline

Lucas_Werkmeister_WMDE renamed this task from i18n XSS in Citoid wikibase module to i18n XSS in Citoid Wikibase module. Jun 23 2023, 2:18 PM
Lucas_Werkmeister_WMDE added a subscriber: Mvolz.

Tagging in @Esanders as he might have a better sense of how these functions are supposed to be used and/or if there's a better alternative.

Proposed patch for review:

I tested it locally and it seems to work as far as I can tell (the message is shown properly, and escaped correctly).

Mstyles subscribed.

I'll take a look at this patch and test locally as well. If things look good I can deploy on Monday.

mmartorana changed the task status from Open to In Progress. Jul 10 2023, 3:20 PM
mmartorana triaged this task as Medium priority.


Deployed

@Lucas_Werkmeister_WMDE - Are there some quick reproduction steps to test and confirm that this is fixed on https://test.wikidata.org/? Thanks.

I don’t think so – without the uselang=xss trick from T340201, you could only reproduce this by making edits in the MediaWiki: namespace, which would potentially make the issue visible to a wider audience. To me it seems better to rely on the local testing of the patch.

(I suppose you could, something like, manually edit Citoid’s en.json file on mwdebug1002, rebuild the l10n cache, and then try it out, to avoid leaving traces in the on-wiki history? But that feels very hacky to me.)

Ok, if there's no convenient, non-destructive way to test this in production, then I suppose we'll need to rely on the local testing of the patch. Thanks.

The patch has been released by @Mstyles via https://gerrit.wikimedia.org/r/c/mediawiki/extensions/Citoid/+/962047/ (+ release branches). I guess this task can now be marked resolved?

I assume so, but I’d leave that up to the security team.

mmartorana changed the visibility from "Custom Policy" to "Public (No Login Required)".

Yes, it can be made public soon. We've been waiting on Mitre to get us the CVEs for the next supplemental security release (T340874) (where this issue is included) and we just got those at the end of last week. So the supplemental security release should come out today or tomorrow.

mmartorana renamed this task from i18n XSS in Citoid Wikibase module to CVE-2023-45365: i18n XSS in Citoid Wikibase module. Oct 10 2023, 5:28 PM