Page MenuHomePhabricator
Create Task
Maniphest T347742

CVE-2024-23176: MassMessage i18n key massmessage-form-page-help allows i18n-xss
Closed, ResolvedPublicSecurity
Actions

Assigned To
sbassett
Authored By
Dreamy_Jazz
Sep 29 2023, 5:29 PM
Tags
Referenced Files
F41696250: 02-T347742.patch
Jan 17 2024, 10:37 PM
F41695884: image.png
Jan 17 2024, 5:52 PM
F41695879: image.png
Jan 17 2024, 5:52 PM
F38217488: 01-T347742.patch
Oct 12 2023, 8:58 PM
Subscribers
Aklapper
Bawolff
Dreamy_Jazz
gerritbot
mmartorana
Mstyles
sbassett

Description

Steps to reproduce:

  1. Add $wgUseXssLanguage = true; to your LocalSettings.php
  2. Load http://localhost:8080/wiki/Special:MassMessage?uselang=x-xss

Expected behaviour: No alert messages are shown
Observed behaviour: An alert with the text massmessage-form-page-help is shown

Extra information
It seems that the HTMLFormField help field wraps the content in a HtmlArmor even though the description in HtmlForm says:

'help' -- message text for a message to use as a help text.

Ideally, it should be clearer that HTML is not escaped via this HTMLFormField attribute.

To fix this issue, the code should be updated to use the help-message attribute.

Details

Author Affiliation
WMF Technology Dept
SubjectRepoBranchLines +/-
SECURITY: Properly escape massmessage-form-page-help by specifying it as a help-messagemediawiki/extensions/MassMessagemaster+1 -1
SECURITY: Use message label instead of sanitized text output for massmessage-form-page-help messagemediawiki/extensions/MassMessagewmf/1.42.0-wmf.14+1 -1
SECURITY: Use message label instead of sanitized text output for massmessage-form-page-help messagemediawiki/extensions/MassMessageREL1_40+1 -1
SECURITY: Properly escape massmessage-form-page-help by specifying it as a help-messagemediawiki/extensions/MassMessageREL1_39+1 -1
SECURITY: Use message label instead of sanitized text output for massmessage-form-page-help messagemediawiki/extensions/MassMessageREL1_41+1 -1
SECURITY: Use message label instead of sanitized text output for massmessage-form-page-help messagemediawiki/extensions/MassMessagemaster+1 -1
SECURITY: Properly escape massmessage-form-page-help by specifying it as a help-messagemediawiki/extensions/MassMessageREL1_40+1 -1
SECURITY: Properly escape massmessage-form-page-help by specifying it as a help-messagemediawiki/extensions/MassMessageREL1_41+1 -1
Customize query in gerrit

Related Objects

Event Timeline

Dreamy_Jazz created this task.Sep 29 2023, 5:29 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptSep 29 2023, 5:29 PM
Dreamy_Jazz added a project: MassMessage.Sep 29 2023, 5:29 PM
Dreamy_Jazz updated the task description. (Show Details)Sep 29 2023, 5:32 PM
Bawolff subscribed.Sep 29 2023, 5:38 PM

Really it should just use help-message instead of help

Dreamy_Jazz added a comment.Sep 29 2023, 5:39 PM
In T347742#9211795, @Bawolff wrote:

Really it should just use help-message instead of help

Good point. Updated the description.

Bawolff added a comment.Sep 29 2023, 5:40 PM

We should also update phan-taint-check MWVisitor::detectHTMLForm to look for this

Dreamy_Jazz updated the task description. (Show Details)Sep 29 2023, 5:40 PM
Bawolff added a comment.Sep 30 2023, 7:45 AM

Creating T347788 for the phan part.

sbassett edited projects, added SecTeam-Processed, Vuln-XSS; removed Security-Team.Oct 2 2023, 4:14 PM
sbassett changed the task status from Open to In Progress.EditedOct 12 2023, 8:58 PM
sbassett claimed this task.
sbassett triaged this task as Medium priority.
sbassett added projects: Patch-For-Review, user-sbassett.
sbassett subscribed.

I believe the security patch should be as simple as:

01-T347742.patch1002 BDownload

sbassett moved this task from Backlog to In Progress on the user-sbassett board.Oct 12 2023, 8:59 PM
sbassett added a project: Security-Team.
sbassett attached a referenced file: F38217488: 01-T347742.patch. (Show Details)
sbassett moved this task from Incoming to Security Patch To Deploy on the Security-Team board.
Mstyles subscribed.Oct 16 2023, 10:06 PM
In T347742#9247905, @sbassett wrote:

I believe the security patch should be as simple as:

01-T347742.patch1002 BDownload

deployed

Mstyles mentioned this in T347659: Write and send supplementary release announcement for extensions and skins with security patches (1.35.14/1.39.6/1.40.2/1.41.0).Oct 16 2023, 10:18 PM
Mstyles moved this task from Security Patch To Deploy to Watching on the Security-Team board.Oct 16 2023, 11:37 PM
sbassett moved this task from In Progress to Done on the user-sbassett board.Jan 10 2024, 5:26 PM
sbassett added a subscriber: gerritbot.Jan 17 2024, 3:50 PM

backports: https://gerrit.wikimedia.org/r/q/Ife6fb590af53fa0d8eb59201ce88a3c47ddde45c

mmartorana renamed this task from MassMessage i18n key massmessage-form-page-help allows i18n-xss to CVE-2024-23176: MassMessage i18n key massmessage-form-page-help allows i18n-xss.Jan 17 2024, 4:16 PM
gerritbot added a comment.Jan 17 2024, 4:25 PM

Change 991327 merged by jenkins-bot:

[mediawiki/extensions/MassMessage@REL1_41] SECURITY: Properly escape massmessage-form-page-help by specifying it as a help-message

https://gerrit.wikimedia.org/r/991327

gerritbot added a comment.Jan 17 2024, 4:33 PM

Change 991326 merged by jenkins-bot:

[mediawiki/extensions/MassMessage@REL1_40] SECURITY: Properly escape massmessage-form-page-help by specifying it as a help-message

https://gerrit.wikimedia.org/r/991326

gerritbot added a comment.Jan 17 2024, 4:37 PM

Change 991080 merged by jenkins-bot:

[mediawiki/extensions/MassMessage@master] SECURITY: Properly escape massmessage-form-page-help by specifying it as a help-message

https://gerrit.wikimedia.org/r/991080

Jdforrester-WMF added projects: MW-1.42-notes (1.42.0-wmf.15; 2024-01-23), MW-1.40-notes, MW-1.41-notes, MW-1.39-notes.Jan 17 2024, 5:03 PM
mmartorana closed this task as Resolved.Jan 17 2024, 5:22 PM
mmartorana changed the visibility from "Custom Policy" to "Public (No Login Required)".Jan 17 2024, 5:34 PM
Dreamy_Jazz added a subscriber: mmartorana.Jan 17 2024, 5:47 PM

@mmartorana @sbassett I've just noticed that the patch was incorrect as the help-message key value is provided the text of the message and not the message object / message key. This means that the current page does not display the help message.

Dreamy_Jazz added a comment.Jan 17 2024, 5:52 PM

The help message should have shown underneath the first textbox in this screenshot:

image.png (302×1 px, 36 KB)

When I use the qqx language, you can see the message key wrapped in two sets of parentheses:

image.png (164×1 px, 15 KB)

sbassett added a comment.EditedJan 17 2024, 6:25 PM
In T347742#9466614, @Dreamy_Jazz wrote:

@mmartorana @sbassett I've just noticed that the patch was incorrect as the help-message key value is provided the text of the message and not the message object / message key. This means that the current page does not display the help message.

Ugh, thanks for catching this. I think it likely just needs to be help-message => massmessage-form-page-help, since help-message keys should be sanitized via parse() in this context. I'll test locally and get a patch up soon, which we can then review, deploy and add as a correction to T347659 and T276237.

gerritbot added a comment.Jan 17 2024, 10:32 PM

Change 991446 had a related patch set uploaded (by SBassett; author: SBassett):

[mediawiki/extensions/MassMessage@master] SECURITY: Use message label instead of sanitized text output for massmessage-form-page-help message

https://gerrit.wikimedia.org/r/991446

sbassett added a comment.Jan 17 2024, 10:37 PM
In T347742#9466737, @sbassett wrote:

Ugh, thanks for catching this. I think it likely just needs to be help-message => massmessage-form-page-help, since help-message keys should be sanitized via parse() in this context. I'll test locally and get a patch up soon, which we can then review, deploy and add as a correction to T347659 and T276237.

I tested and confirmed the above solution locally via MediaWiki docker. It fixes the double-parentheses while still escaping the message (no alert executed when testing with $wgUseXssLanguage = true;). Hopefully we can get the master patch merged soon and then backported to the relevant release branches. And we'll want to pick to 1.42.0-wmf.13 and 1.42.0-wmf.14 or just do an ad-hoc security deploy with the following patch (same as the gerrit patch above):

02-T347742.patch1 KBDownload

And then finally update the supplemental release task T347659 and T276237.

gerritbot added a comment.Jan 18 2024, 9:41 AM

Change 991446 merged by jenkins-bot:

[mediawiki/extensions/MassMessage@master] SECURITY: Use message label instead of sanitized text output for massmessage-form-page-help message

https://gerrit.wikimedia.org/r/991446

gerritbot added a comment.Jan 18 2024, 10:03 AM

Change 991548 had a related patch set uploaded (by Dreamy Jazz; author: SBassett):

[mediawiki/extensions/MassMessage@REL1_41] SECURITY: Use message label instead of sanitized text output for massmessage-form-page-help message

https://gerrit.wikimedia.org/r/991548

gerritbot added a comment.Jan 18 2024, 10:03 AM

Change 991549 had a related patch set uploaded (by Dreamy Jazz; author: SBassett):

[mediawiki/extensions/MassMessage@REL1_40] SECURITY: Use message label instead of sanitized text output for massmessage-form-page-help message

https://gerrit.wikimedia.org/r/991549

Dreamy_Jazz added a comment.Jan 18 2024, 10:05 AM
In T347742#9467342, @sbassett wrote:
In T347742#9466737, @sbassett wrote:

Ugh, thanks for catching this. I think it likely just needs to be help-message => massmessage-form-page-help, since help-message keys should be sanitized via parse() in this context. I'll test locally and get a patch up soon, which we can then review, deploy and add as a correction to T347659 and T276237.

I tested and confirmed the above solution locally via MediaWiki docker. It fixes the double-parentheses while still escaping the message (no alert executed when testing with $wgUseXssLanguage = true;). Hopefully we can get the master patch merged soon and then backported to the relevant release branches. And we'll want to pick to 1.42.0-wmf.13 and 1.42.0-wmf.14 or just do an ad-hoc security deploy with the following patch (same as the gerrit patch above):

02-T347742.patch1 KBDownload

And then finally update the supplemental release task T347659 and T276237.

Thanks. I've +2'd and +2'd backports of this change (the REL1_39 change was a merge conflict, so I've fixed it and +2'd that one instead of backporting this bug fix).

gerritbot added a comment.Jan 18 2024, 10:09 AM

Change 991548 merged by jenkins-bot:

[mediawiki/extensions/MassMessage@REL1_41] SECURITY: Use message label instead of sanitized text output for massmessage-form-page-help message

https://gerrit.wikimedia.org/r/991548

gerritbot added a comment.Jan 18 2024, 10:10 AM

Change 991332 merged by jenkins-bot:

[mediawiki/extensions/MassMessage@REL1_39] SECURITY: Properly escape massmessage-form-page-help by specifying it as a help-message

https://gerrit.wikimedia.org/r/991332

gerritbot added a comment.Jan 18 2024, 10:10 AM

Change 991549 merged by jenkins-bot:

[mediawiki/extensions/MassMessage@REL1_40] SECURITY: Use message label instead of sanitized text output for massmessage-form-page-help message

https://gerrit.wikimedia.org/r/991549

gerritbot added a comment.Jan 18 2024, 12:05 PM

Change 991552 had a related patch set uploaded (by Dreamy Jazz; author: SBassett):

[mediawiki/extensions/MassMessage@wmf/1.42.0-wmf.14] SECURITY: Use message label instead of sanitized text output for massmessage-form-page-help message

https://gerrit.wikimedia.org/r/991552

Dreamy_Jazz added a comment.Jan 18 2024, 12:06 PM

I've created a backport for it for wmf.14 and will deploy it now.

Stashbot added a comment.Jan 18 2024, 12:07 PM

Mentioned in SAL (#wikimedia-operations) [2024-01-18T12:07:52Z] <Dreamy_Jazz> Doing security deploy for T347742

gerritbot added a comment.Jan 18 2024, 12:15 PM

Change 991552 merged by jenkins-bot:

[mediawiki/extensions/MassMessage@wmf/1.42.0-wmf.14] SECURITY: Use message label instead of sanitized text output for massmessage-form-page-help message

https://gerrit.wikimedia.org/r/991552

Stashbot added a comment.Jan 18 2024, 12:18 PM

Mentioned in SAL (#wikimedia-operations) [2024-01-18T12:18:45Z] <dreamyjazz@deploy2002> Started scap: Backport for [[gerrit:991552|SECURITY: Use message label instead of sanitized text output for massmessage-form-page-help message (T347742)]]

Stashbot added a comment.Jan 18 2024, 12:20 PM

Mentioned in SAL (#wikimedia-operations) [2024-01-18T12:20:38Z] <dreamyjazz@deploy2002> dreamyjazz: Backport for [[gerrit:991552|SECURITY: Use message label instead of sanitized text output for massmessage-form-page-help message (T347742)]] synced to the testservers (https://wikitech.wikimedia.org/wiki/Mwdebug)

Stashbot added a comment.Jan 18 2024, 12:27 PM

Mentioned in SAL (#wikimedia-operations) [2024-01-18T12:27:13Z] <dreamyjazz@deploy2002> Finished scap: Backport for [[gerrit:991552|SECURITY: Use message label instead of sanitized text output for massmessage-form-page-help message (T347742)]] (duration: 08m 28s)

Stashbot added a comment.Jan 18 2024, 12:27 PM

Mentioned in SAL (#wikimedia-operations) [2024-01-18T12:27:30Z] <Dreamy_Jazz> Finished security deploy for T347742

sbassett added a comment.Jan 18 2024, 3:47 PM

Hey @Dreamy_Jazz - Thanks for all of the work on this and getting the backports done and the update deployed. Thankfully this fix only needs to live in Wikimedia production until next week's train. I'll go ahead and update T347659 and T276237 now.

sbassett mentioned this in T356971: Rename help key to help-raw in HTMLForm and deprecate old key name.Feb 8 2024, 5:01 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL