Page MenuHomePhabricator
Create Task
Maniphest T347746

CVE-2024-23179: GlobalBlocking subtitle links have i18n-xss via the parentheses message
Closed, ResolvedPublicSecurity
Actions

Description

Steps to reproduce

  1. Add $wgUseXssLanguage = true; to your LocalSettings.php (a new feature from T340201)
  2. Load http://localhost:8080/wiki/Special:GlobalBlock?uselang=x-xss

Expected behaviour: No alert boxes are shown
Observed behaviour: An alert box is shown with the text content parentheses

Extra information
A usage of the parentheses message via ::text is not escaped for display in GlobalBlocking::buildSubtitleLinks.

Details

Risk Rating
Medium
Author Affiliation
WMF Technology

Related Objects
Search...

Event Timeline

Dreamy_Jazz created this task.Sep 29 2023, 5:48 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptSep 29 2023, 5:48 PM
Dreamy_Jazz updated the task description. (Show Details)Sep 29 2023, 5:48 PM
Dreamy_Jazz added a project: GlobalBlocking.
Dreamy_Jazz renamed this task from Special:GlobalBlock has i18n-xss for parentheses message to GlobalBlocking subtitle links have i18n-xss via the parentheses message.Sep 29 2023, 5:50 PM
Bawolff subscribed.Sep 29 2023, 6:23 PM

I guess OutputPage::addSubtitle could use a taint annotation. I'm unsure if current phan-taint-check can handle String|Message types, although i thought we were getting rid of that in T343849

sbassett edited projects, added SecTeam-Processed, Vuln-XSS; removed Security-Team.Oct 2 2023, 4:15 PM
sbassett subscribed.EditedOct 2 2023, 9:03 PM

There are only two instances of the parentheses message within ext:GlobalBlocklist, according to codesearch, and one of them was already escaped. Proposed patch to escape the remaining instance:

01-T347746.patch810 BDownload

(this could probably just go through gerrit, tbh)

sbassett changed the task status from Open to In Progress.Oct 2 2023, 9:03 PM
sbassett triaged this task as Medium priority.
sbassett changed Risk Rating from N/A to Medium.
sbassett added a project: Patch-For-Review.
Bawolff added a comment.Oct 4 2023, 3:25 PM

patch lgtm btw

Bawolff added a comment.Oct 4 2023, 3:44 PM

change to mark OutputPage::addSubtitle as being an XSS sink https://gerrit.wikimedia.org/r/c/mediawiki/core/+/963341

sbassett added a project: Security-Team.Oct 4 2023, 3:49 PM
sbassett moved this task from Incoming to Security Patch To Deploy on the Security-Team board.
sbassett closed this task as Resolved.Oct 16 2023, 9:31 PM
sbassett claimed this task.
sbassett removed a project: Patch-For-Review.
sbassett added subscribers: Umherirrender, taavi.

So, it looks like this got fixed publicly here: https://gerrit.wikimedia.org/r/964029 and then further fixed here: https://gerrit.wikimedia.org/r/965200. So I guess we're good :)

sbassett changed the visibility from "Custom Policy" to "Public (No Login Required)".Oct 16 2023, 9:31 PM
sbassett changed the edit policy from "Custom Policy" to "All Users".
Mstyles mentioned this in T347659: Write and send supplementary release announcement for extensions and skins with security patches (1.35.14/1.39.6/1.40.2/1.41.0).Oct 16 2023, 10:40 PM
Mstyles moved this task from Security Patch To Deploy to Our Part Is Done on the Security-Team board.Oct 16 2023, 11:38 PM
Umherirrender updated the task description. (Show Details)Oct 19 2023, 4:14 PM
Umherirrender added a parent task: T2212: Some MediaWiki: messages not safe in HTML (tracking).Oct 19 2023, 4:17 PM
mmartorana renamed this task from GlobalBlocking subtitle links have i18n-xss via the parentheses message to CVE-2024-23179: GlobalBlocking subtitle links have i18n-xss via the parentheses message.Jan 17 2024, 4:16 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits