The pagetriage-tags-quickfilter-label message in PageTriage triggers a alert() when invoked with ?uselang=x-xss (the new feature that allows you to find XSS vectors in messages)
Description
Details
- Risk Rating
- Low
- Author Affiliation
- Wikimedia Communities
Subject | Repo | Branch | Lines +/- | |
---|---|---|---|---|
Prevent XSS via messages in PageTriage | mediawiki/extensions/PageTriage | master | +32 -20 |
Related Objects
- Mentioned In
- T347726: CVE-2023-51704: group-.*-member messages are not properly escaped on Special:log/rights
T347659: Write and send supplementary release announcement for extensions and skins with security patches (1.35.14/1.39.6/1.40.2/1.41.0) - Mentioned Here
- T347726: CVE-2023-51704: group-.*-member messages are not properly escaped on Special:log/rights
Event Timeline
Assigning this to high since this is potentially exploitable by administrators on prod :(
(Change MediaWiki:Pagetriage-tags-quickfilter-label to <script>alert('Yo!')</script>, navigate to a page in the new pages feed and click the deletion or tag icon in the toolbar)
Thanks, though we do not ever consider message-layer XSS's to be high risk - many of them we just publicly merge in gerrit. I think we can likely get this deployed during this Monday's security deployment window.
I found a lot more XSS vectors in PageTriage via messages while browsing, so here is a patch that should fix everything I found (the previous/removed comment had a errenous patch):
At the very least, we'd need an updated patch that applies to wmf/1.42.0-wmf.7 and/or current master. The one above doesn't, even via a 3-way merge attempt:
error: modules/ext.pageTriage.views.list/ext.pageTriage.listControlNav.js: No such file or directory error: modules/ext.pageTriage.views.list/ext.pageTriage.listView.js: No such file or directory
Then we'd need a little code review. After that, we could deploy it during the next security deployment window (typically Monday afternoons in North America).
CR +1. Patch applies to current ext:PageTriage@master and seems correct at a glance from a security perspective (essentially just passing affected mw.msg() calls through .text() first). It'd be nice though if someone with a bit more familiarity with ext:PageTriage (@kostajh, @Umherirrender, @MPGuy2824) could provide +1 or +2 before we attempt another security-deploy with this updated patch.
I am not familiar with js code, but it looks like using other message function would be easier (mw.message( 'key' ).escaped(). Adding extra span tag could break user scripts.
mw.msg( 'key' ) is just a shortcut for mw.message( 'key' ).text(), so that would be minimal functional change.
The change in ToolView.js also adds the label tag, which is a good idea, but more as just a security patch.
So just can give CR +1 here.
Adding @jsn.sherman and @Scardenasmolinar as two engineers who have worked on this code recently and might want to comment.
Thanks, @kostajh. At some point we should probably just verify whether ?uselang=x-xss is producing any results anymore.
@kostajh thanks for tagging; @Scardenasmolinar and I will look at this together on Wednesday.
I can give a CR +2 for this. I agree with @Umherirrender's feedback, but this doesn't appear to break anything in manual testing, and this interface that is being patched is going away soon.
Ok, we can try to get this deployed during next Monday's security deployment window. cc: @Mstyles.
This patch was deployed, however there was an issue with the scap deploy command on host, so I've filed a phab ticket. If someone could verify the issue is fixed in production, that would be great.
I did a quick test on test.wikipedia.org (making sure some benign bolding does not get rendered) and it appears to not get rendered (i.e. the issue appears to be fixed) :)
@Soda thank you! This will go out in the next Security release for extensions which will be early January 2024
Change 989177 merged by jenkins-bot:
[mediawiki/extensions/PageTriage@master] Prevent XSS via messages in PageTriage
Fix was merged into master last week, but the patch was still in the deployment server, it's been removed now.