
CVE-2024-23179: GlobalBlocking subtitle links have i18n-xss via the parentheses message
Closed, Resolved | Public | Security

Description

Steps to reproduce

  1. Add $wgUseXssLanguage = true; to your LocalSettings.php (a new feature from T340201)
  2. Load http://localhost:8080/wiki/Special:GlobalBlock?uselang=x-xss

Expected behaviour: No alert boxes are shown
Observed behaviour: An alert box is shown with the text content parentheses

Extra information
A usage of the parentheses message via ::text is not escaped for display in GlobalBlocking::buildSubtitleLinks.
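The following is an added example, not code from the GlobalBlocking extension or from this task. It contrasts the unsafe `->text()` pattern described above with the `->escaped()` form, using a small constructed stand-in for MediaWiki's `Message` class (the real class lives in core and is obtained via `wfMessage()`); the message tables, the `makeLink` helper and both `buildSubtitleLinks*` functions are constructed for illustration, and the x-xss table mimics what `$wgUseXssLanguage` substitutes for every message.

```php
<?php
// Added example (not GlobalBlocking's own code). The Message class below is a
// constructed stand-in for MediaWiki's Message: text() returns the localised
// string with parameters substituted and no escaping; escaped() HTML-escapes
// the message template, escapes normal params, and inserts rawParams() as-is.
class Message {
    private array $params = [];

    public function __construct( private string $key, private array $messages ) {}

    // Parameters that must be escaped before they reach HTML.
    public function params( string ...$values ): static {
        foreach ( $values as $v ) { $this->params[] = [ 'raw' => false, 'value' => $v ]; }
        return $this;
    }

    // Parameters that are already safe HTML (e.g. links built with Html::element).
    public function rawParams( string ...$values ): static {
        foreach ( $values as $v ) { $this->params[] = [ 'raw' => true, 'value' => $v ]; }
        return $this;
    }

    private function template(): string {
        return $this->messages[$this->key] ?? "[{$this->key}]";
    }

    // Unsafe for HTML output: message text is emitted verbatim.
    public function text(): string {
        $out = $this->template();
        foreach ( $this->params as $i => $p ) {
            $out = str_replace( '$' . ( $i + 1 ), $p['value'], $out );
        }
        return $out;
    }

    // Safe for HTML output: template and normal params are escaped, raw params are not.
    public function escaped(): string {
        $out = htmlspecialchars( $this->template(), ENT_QUOTES );
        foreach ( $this->params as $i => $p ) {
            $value = $p['raw'] ? $p['value'] : htmlspecialchars( $p['value'], ENT_QUOTES );
            $out = str_replace( '$' . ( $i + 1 ), $value, $out );
        }
        return $out;
    }
}

// Constructed message tables: a normal language, and an x-xss style language
// in which every message is replaced by a script tag naming the message key.
$normalMessages = [ 'parentheses' => '($1)' ];
$xssMessages    = [ 'parentheses' => '<script>alert("parentheses")</script>' ];

// Constructed helper: builds an already-escaped link, so it is safe as a raw param.
function makeLink( string $label ): string {
    return '<a href="/wiki/Special:GlobalBlock">' . htmlspecialchars( $label, ENT_QUOTES ) . '</a>';
}

// Vulnerable pattern (what the task describes): ->text() goes straight into the
// subtitle HTML, so the language's message content becomes live markup.
function buildSubtitleLinksVulnerable( array $messages ): string {
    $links = makeLink( 'Global blocks' ) . ', ' . makeLink( 'Block log' );
    return ( new Message( 'parentheses', $messages ) )->rawParams( $links )->text();
}

// Hardened pattern: ->escaped() neutralises the message text while rawParams()
// keeps the link HTML intact (in MediaWiki: wfMessage( 'parentheses' )->rawParams( $links )->escaped()).
function buildSubtitleLinksFixed( array $messages ): string {
    $links = makeLink( 'Global blocks' ) . ', ' . makeLink( 'Block log' );
    return ( new Message( 'parentheses', $messages ) )->rawParams( $links )->escaped();
}

// Simple check a test could use: does the output still contain an unescaped <script> tag?
function containsScriptTag( string $html ): bool {
    return stripos( $html, '<script' ) !== false;
}

foreach ( [ 'normal' => $normalMessages, 'x-xss' => $xssMessages ] as $lang => $table ) {
    $vuln  = buildSubtitleLinksVulnerable( $table );
    $fixed = buildSubtitleLinksFixed( $table );
    echo "[$lang] vulnerable : $vuln\n";
    echo "[$lang] fixed      : $fixed\n";
    echo "[$lang] script tag survives? vulnerable=" . var_export( containsScriptTag( $vuln ), true )
        . ' fixed=' . var_export( containsScriptTag( $fixed ), true ) . "\n\n";
}
```

Run with `php example.php`. Under the normal table both variants render `(<a ...>Global blocks</a>, <a ...>Block log</a>)`; under the x-xss table the vulnerable variant emits the raw `<script>` tag (the alert box the task reports), while the fixed variant emits `&lt;script&gt;...`, which the browser shows as text. The same check is what `$wgUseXssLanguage` automates: load the page with `uselang=x-xss` and any alert means some message reached the HTML via `->text()` or `->plain()` instead of `->escaped()` or `->parse()`.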

Details

Risk Rating
Medium
Author Affiliation
WMF Technology Dept

Event Timeline

Dreamy_Jazz renamed this task from Special:GlobalBlock has i18n-xss for parentheses message to GlobalBlocking subtitle links have i18n-xss via the parentheses message.Sep 29 2023, 5:50 PM

I guess OutputPage::addSubtitle could use a taint annotation. I'm unsure if current phan-taint-check can handle String|Message types, although I thought we were getting rid of that in T343849.

There are only two instances of the parentheses message within ext:GlobalBlocklist, according to codesearch, and one of them was already escaped. Proposed patch to escape the remaining instance:


(this could probably just go through gerrit, tbh)

sbassett changed the task status from Open to In Progress.Oct 2 2023, 9:03 PM
sbassett triaged this task as Medium priority.
sbassett changed Risk Rating from N/A to Medium.
sbassett added a project: Patch-For-Review.
sbassett claimed this task.
sbassett removed a project: Patch-For-Review.
sbassett added subscribers: Umherirrender, taavi.

So, it looks like this got fixed publicly here: https://gerrit.wikimedia.org/r/964029 and then further fixed here: https://gerrit.wikimedia.org/r/965200. So I guess we're good :)

sbassett changed the visibility from "Custom Policy" to "Public (No Login Required)".Oct 16 2023, 9:31 PM
sbassett changed the edit policy from "Custom Policy" to "All Users".
mmartorana renamed this task from GlobalBlocking subtitle links have i18n-xss via the parentheses message to CVE-2024-23179: GlobalBlocking subtitle links have i18n-xss via the parentheses message.Jan 17 2024, 4:16 PM