Page MenuHomePhabricator
Create Task
Maniphest T347726

CVE-2023-51704: group-.*-member messages are not properly escaped on Special:log/rights
Closed, ResolvedPublicSecurity
Actions

Description

Steps to reproduce:

  1. Add $wgUseXssLanguage = true; to your LocalSettings.php (a new feature from T340201)
  2. Load Special:UserRights either logged out or using an administrator account
  3. Enter a username
  4. Press submit
  5. Add &uselang=x-xss to the end of the URL (to simulate message overrides in the MediaWiki namespace with JS code in them)

What happens:
Several alerts appear with messages with text matching the regex group-.*-member

What should happen:
No alert boxes should appear

Example:

image.png (1×2 px, 634 KB)

Extra information
While this may have been already found as part of the introduction and initial search for issues using $wgUseXssLanguage, I'm reporting it now as the latest security release was just released so it may not have been found.

Details

Risk Rating
Low
Author Affiliation
WMF Technology Dept

Related Objects
Search...

Event Timeline

Dreamy_Jazz created this task.Sep 29 2023, 3:49 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptSep 29 2023, 3:49 PM
Dreamy_Jazz updated the task description. (Show Details)Sep 29 2023, 3:50 PM
Dreamy_Jazz updated the task description. (Show Details)
Dreamy_Jazz updated the task description. (Show Details)
sbassett subscribed.Sep 29 2023, 3:53 PM
  1. Add &uselang=x-xss to the end of the URL

I was going to say... I hope this wasn't just randomly occurring right now without the use of the new x-xss language feature.

Dreamy_Jazz added a project: MediaWiki-General.Sep 29 2023, 3:53 PM
Dreamy_Jazz updated the task description. (Show Details)
Reedy edited projects, added MediaWiki-User-management; removed MediaWiki-General.Sep 29 2023, 3:55 PM
Dreamy_Jazz updated the task description. (Show Details)Sep 29 2023, 3:55 PM
Dreamy_Jazz updated the task description. (Show Details)
Dreamy_Jazz updated the task description. (Show Details)Sep 29 2023, 3:58 PM
Bawolff subscribed.EditedSep 29 2023, 4:32 PM

I was kind of curious as to why this wasn't caught by phan-taint-check and started investigating (Its probably because phan-taint-check is mostly disabled on logging class, as they mix plaintext and html in a very confusing way that phan-taint-check does not understand).

It seems like the issue is not Special:UserRights, but Special:Log/rights which gets included on other pages. Anyways, here's a patch.

T347726.patch1 KBDownload

[Not clear if we consider i18n-xss a secret security issue or a just put it on gerrit issue]

Bawolff renamed this task from group-.*-member messages are not properly escaped on Special:UserRights to group-.*-member messages are not properly escaped on Special:log/rights.Sep 29 2023, 4:35 PM
Bawolff added a comment.Sep 29 2023, 4:39 PM

I also wonder if this is a good argument for refactoring the LogFormatter classes. The runtime mixing of html/plaintext based on $this->plaintext is quite confusing to understand, both for humans and computers imo.

Dreamy_Jazz added a comment.Sep 29 2023, 5:20 PM
In T347726#9211582, @Bawolff wrote:

I was kind of curious as to why this wasn't caught by phan-taint-check and started investigating (Its probably because phan-taint-check is mostly disabled on logging class, as they mix plaintext and html in a very confusing way).

It seems like the issue is not Special:UserRights, but Special:Log/rights which gets included on other pages. Anyways, here's a patch.

T347726.patch1 KBDownload

[Not clear if we consider i18n-xss a secret security issue or a just put it on gerrit issue]

Does it make sense to modify Language::getGroupMemberName? No particular opposition to the method you have put forward, but that is where the messages are defined and returned from using ::text.

Bawolff added a comment.Sep 29 2023, 5:27 PM

I think its generally better to escape closer to where things are outputted. It makes it easier to keep track of what is and isn't escaped.

Dreamy_Jazz added a comment.Sep 29 2023, 5:30 PM
In T347726#9211582, @Bawolff wrote:

I was kind of curious as to why this wasn't caught by phan-taint-check and started investigating (Its probably because phan-taint-check is mostly disabled on logging class, as they mix plaintext and html in a very confusing way that phan-taint-check does not understand).

It seems like the issue is not Special:UserRights, but Special:Log/rights which gets included on other pages. Anyways, here's a patch.

T347726.patch1 KBDownload

[Not clear if we consider i18n-xss a secret security issue or a just put it on gerrit issue]

+2 to the patch.

Dreamy_Jazz moved this task from Incoming to Security Patch To Deploy on the Security-Team board.Sep 29 2023, 5:31 PM
Mstyles subscribed.Oct 2 2023, 10:38 PM
In T347726#9211582, @Bawolff wrote:

I was kind of curious as to why this wasn't caught by phan-taint-check and started investigating (Its probably because phan-taint-check is mostly disabled on logging class, as they mix plaintext and html in a very confusing way that phan-taint-check does not understand).

It seems like the issue is not Special:UserRights, but Special:Log/rights which gets included on other pages. Anyways, here's a patch.

T347726.patch1 KBDownload

[Not clear if we consider i18n-xss a secret security issue or a just put it on gerrit issue]

This patch didn't apply for some reason. When I created my own version it worked, but I ended up not deploying my own version. I just wanted to some time to figure out what was happening with the original patch file.

taavi subscribed.Oct 3 2023, 7:31 AM
In T347726#9218081, @Mstyles wrote:

This patch didn't apply for some reason. When I created my own version it worked, but I ended up not deploying my own version. I just wanted to some time to figure out what was happening with the original patch file.

Please do not ever leave non-applying patches committed to /srv/patches or you will end up blocking any future deployments. I have dropped your patch to unblock deployments. There was also a commit on top of that adding a patch for T347704, which I have dropped too, since I'm not confident it was ever deployed and tested properly.

taavi mentioned this in T347704: CVE-2024-23174: XSS in `pagetriage-tags-quickfilter-label` PageTriage.Oct 3 2023, 8:06 AM
sbassett added a project: Patch-For-Review.Oct 3 2023, 2:48 PM

Thanks for looking into this, @taavi.

Not sure what happened with the patch for this bug. It appears to be a simple, one-line htmlspecialchars escape, but I can confirm that the original patch did not want to apply correctly to recent master. Not sure if the patch was manually edited or something. The underlying code certainly hasn't changed in a long time. Anyhow, here's a new patch that features the same one-line change that now applies to master, wmf/1.41.0-wmf.28 and wmf/1.41.0-wmf.29. Some additional CR would be nice:

01-T347726-rev2.patch993 BDownload

As for T347704, can you describe what, specifically, leads you to believe it wasn't properly tested? I know there's no explicit CR+2 on the bug, but did this fail some local CI you ran or produce a number of production errors while deployed? Providing any specific issues that you may have noticed that drove your assumption would be appreciated.

taavi added a comment.Oct 3 2023, 5:34 PM
In T347726#9220774, @sbassett wrote:

As for T347704, can you describe what, specifically, leads you to believe it wasn't properly tested? I know there's no explicit CR+2 on the bug, but did this fail some local CI you ran or produce a number of production errors while deployed? Providing any specific issues that you may have noticed that drove your assumption would be appreciated.

I'm not sure if it was applied/tested or not. I just know that the patch for this task not applying blocked scap deployments using scap's built-in patch applying mechanism, which meant that there was a possibility any patches added after this one were not deployed and I didn't want to take the risk of potentially deploying a patch I wasn't familiar with.

Bawolff added a comment.Oct 3 2023, 6:51 PM

I strongly don't understand what happened here, but looking at it in a hexdump, my patch used spaces for indenting, while scott's correctly used tabs.

Dreamy_Jazz added a comment.Oct 4 2023, 2:30 PM

Also I did find issues with this, but decided it must just be my local machine and made the same change as was in the patch to test it. The updated patch looks good too.

sbassett added a comment.EditedOct 4 2023, 3:38 PM

Ok, thanks, all. @Mstyles - I think we could try this one again (with my new patch above) during next Monday's (2023-10-09) security deployment window.

sbassett closed this task as Resolved.Oct 16 2023, 10:32 PM
sbassett claimed this task.
sbassett added a subscriber: Umherirrender.

So this ended up getting fixed publicly in gerrit: https://gerrit.wikimedia.org/r/q/I594f7e53baabd69fbb750695879b2c8acb8f2efe

sbassett triaged this task as Low priority.Oct 16 2023, 10:32 PM
sbassett changed the visibility from "Custom Policy" to "Public (No Login Required)".
sbassett changed the edit policy from "Custom Policy" to "All Users".
sbassett changed Risk Rating from N/A to Low.
sbassett removed a project: Patch-For-Review.
sbassett moved this task from Security Patch To Deploy to Our Part Is Done on the Security-Team board.
sbassett added projects: SecTeam-Processed, Vuln-XSS.
Mstyles added a parent task: T347649: Release MediaWiki 1.35.14/1.39.6/1.40.2/1.41.0.Oct 16 2023, 11:35 PM
Umherirrender updated the task description. (Show Details)Oct 19 2023, 4:16 PM
Umherirrender added a parent task: T2212: Some MediaWiki: messages not safe in HTML (tracking).Oct 19 2023, 4:18 PM
Reedy edited parent tasks, added: T347650: Tracking bug for MediaWiki 1.35.14/1.39.6/1.40.2/1.41.0; removed: T347649: Release MediaWiki 1.35.14/1.39.6/1.40.2/1.41.0.Dec 18 2023, 3:29 PM
Reedy renamed this task from group-.*-member messages are not properly escaped on Special:log/rights to CVE-2023-PENDING: group-.*-member messages are not properly escaped on Special:log/rights.Dec 18 2023, 3:33 PM
Reedy mentioned this in T347651: Obtain CVEs for 1.35.14/1.39.6/1.40.2/1.41.0 security releases.
Reedy renamed this task from CVE-2023-PENDING: group-.*-member messages are not properly escaped on Special:log/rights to CVE-2023-51704: group-.*-member messages are not properly escaped on Special:log/rights.Dec 22 2023, 1:23 AM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits