Page MenuHomePhabricator
Create Task
Maniphest T348343

CVE-2024-23171: Various i18n-based XSSs in Special:EventDetails
Closed, ResolvedPublicSecurity
Actions

Description

In Special:EventDetails, there are a bunch of i18n-based XSSs reproducible via the x-xss language. To reproduce,

To reproduce:

  1. First, you need to choose the right wiki. The easiest way is to do this locally, enabling the x-xss language setting in your LS.php. Else you can use the beta cluster, but you will have to add HTML to the messages mentioned below for the XSS to show.
  2. Then, you will first need to create an event:
    1. Make sure you're logged-in
    2. Create a page in the Event: namespace
    3. In the popup that appears post-save, click "Enable registration"
    4. Fill out the form (just the dates are required), submit.
    5. Click the link to go back to the event page
    6. Now you need to register for the event as a participant. Ideally, you need to do this with at least 3 different accounts. When you open the event page as a non-organizer, you will find a "Register for event" button to do that.
  3. Once you have an event with at least 3 participants, click the "manage event" button in the event page (or go to Special:EventDetails/X where X is the ID of your event, if you know it)
  4. Switch to the "Participants" tab

Once you're there, there are a bunch of XSSs you can reproduce in different ways.

  1. Click the checkbox in the table header. You will see an alert from the campaignevents-email-participants-all message.
  2. Then, individually unselect 2 of the participants. You will see another alert from the campaignevents-email-participants-except-count message.
  3. Then, deselect everyone and individually select 2 participants. You'll get another alert from the campaignevents-email-participants-count message.

The root cause of these is the same: the code in question uses .append() instead of .text().

Note that this code is relatively recent (r936290, r944928), only included in wmf.41 branches, and only enabled in a few wikis (see wmgUseCampaignEvents).

Details

Risk Rating
Medium
Author Affiliation
WMF Product
SubjectRepoBranchLines +/-
SECURITY: Fix XSSs in EmailManager.jsmediawiki/extensions/CampaignEventsmaster+3 -3
SECURITY: Fix XSSs in EmailManager.jsmediawiki/extensions/CampaignEventsREL1_41+3 -3
Customize query in gerrit

Related Objects

Event Timeline

Daimona created this task.Oct 6 2023, 6:09 PM
Restricted Application added a subscriber: Aklapper. ยท View Herald TranscriptOct 6 2023, 6:09 PM
Daimona added projects: Campaigns-Product-Team (Campaign-Tools-Current-Sprint), CampaignEvents, Campaign-Registration.Oct 6 2023, 6:11 PM
Daimona added subscribers: cmelo, MHorsey-WMF, VPuffetMichel and 2 others.
Daimona added a subscriber: sbassett.Oct 6 2023, 6:19 PM

@sbassett Even though the code is recent, not enabled in many wikis etc., I assume we may not want to fix this in gerrit, so here's the patch:

T348343.patch1 KBDownload

Daimona claimed this task.Oct 6 2023, 6:21 PM
Daimona moved this task from Upcoming / refining ๐Ÿ’ก to Code Review ๐Ÿ’ฌ on the Campaigns-Product-Team (Campaign-Tools-Current-Sprint) board.
Daimona added a project: Vuln-XSS.Oct 6 2023, 9:26 PM
sbassett moved this task from Incoming to Security Patch To Deploy on the Security-Team board.EditedOct 6 2023, 9:34 PM
sbassett added a project: SecTeam-Processed.
In T348343#9231760, @Daimona wrote:

@sbassett Even though the code is recent, not enabled in many wikis etc., I assume we may not want to fix this in gerrit, so here's the patch:

T348343.patch1 KBDownload

Yep, that's always the safest bet, even if we sometimes handle these message issues publicly. We can likely get this deployed during next Monday's (2023-10-09) security deployment window. CR+2 to the patch, by the way.

Daimona added a comment.Oct 9 2023, 2:27 PM
In T348343#9232393, @sbassett wrote:

We can likely get this deployed during next Monday's (2023-10-09) security deployment window.

Thanks! I'll be available on IRC as usual if you need anything.

Daimona added a comment.Oct 16 2023, 1:53 PM

@sbassett I think this didn't make last Monday's window. Could it be done today? I'll be around if needed.

sbassett added a subscriber: Mstyles.Oct 16 2023, 1:57 PM
In T348343#9253838, @Daimona wrote:

@sbassett I think this didn't make last Monday's window. Could it be done today? I'll be around if needed.

Yes, due to the US holiday. @Mstyles or I will try to get this out today for sure.

Mstyles added a comment.Oct 16 2023, 10:06 PM
In T348343#9231760, @Daimona wrote:

@sbassett Even though the code is recent, not enabled in many wikis etc., I assume we may not want to fix this in gerrit, so here's the patch:

T348343.patch1 KBDownload

deployed

Daimona moved this task from Code Review ๐Ÿ’ฌ to Blocked โ›” on the Campaigns-Product-Team (Campaign-Tools-Current-Sprint) board.Oct 16 2023, 10:12 PM

Thanks! Marking this as blocked pending public fix.

Mstyles added a comment.Oct 16 2023, 10:16 PM

The public fix will come out mid December when we do the supplemental release @Daimona

Mstyles mentioned this in T347659: Write and send supplementary release announcement for extensions and skins with security patches (1.35.14/1.39.6/1.40.2/1.41.0).Oct 16 2023, 10:18 PM
Daimona added a comment.Oct 16 2023, 10:21 PM
In T348343#9255797, @Mstyles wrote:

The public fix will come out mid December when we do the supplemental release @Daimona

Is this the process to apply in this case, given that the vulnerable code is in master only? And also in REL1_41, but that's still beta, and not a release yet.

Mstyles added a comment.Oct 16 2023, 10:24 PM

@Daimona the code will be applied to master and then 1.41 when that's released at the end of this quarter

sbassett added a comment.Oct 16 2023, 10:37 PM
In T348343#9255809, @Daimona wrote:

Is this the process to apply in this case, given that the vulnerable code is in master only? And also in REL1_41, but that's still beta, and not a release yet.

Since ext:CampaignEvents isn't bundled with the core release, this issue could theoretically be disclosed and backported at any time, now that a fix is in Wikimedia production. The supplemental security release, released at the end of each quarter by the Security-Team, is more of a catch-all, as it will disclose anything that hasn't been disclosed or re-announce an issue if it has already been disclosed.

Daimona added a comment.Oct 16 2023, 11:01 PM

Yeah, I guess my point was: the vulnerable code was introduced recently, and no MW release is affected. Only 1.41 will be affected, if the fix is not pushed and backported before the release date (which I believe will be in November). But then again, given that 1.41 has not been released yet, I thought in this case we could make the fix in master and backport it to REL1_41, so that it would be included in 1.41.0.

As you said, this maybe doesn't make much sense given that the extension isn't in the tarball. But OTOH, REL1_41 of the extension should only work with MW 1.41, and because that's still not a thing, nobody should be using REL1_41 just yet.

At any rate, it doesn't really make much difference, except for the (small?) overhead of tracking an additional security patch applied in production. I just thought this could've gone through a simpler process.

Mstyles moved this task from Security Patch To Deploy to Watching on the Security-Team board.Oct 16 2023, 11:39 PM
sbassett added a comment.Oct 17 2023, 9:00 PM
In T348343#9255927, @Daimona wrote:

At any rate, it doesn't really make much difference, except for the (small?) overhead of tracking an additional security patch applied in production. I just thought this could've gone through a simpler process.

Sure. It's completely fine to make this task public now if that's what you and/or other CampaignEvents developers would like to do. And then send a change set up to gerrit for master and any other relevant branches.

Daimona added a comment.Oct 17 2023, 10:27 PM
In T348343#9259728, @sbassett wrote:
In T348343#9255927, @Daimona wrote:

At any rate, it doesn't really make much difference, except for the (small?) overhead of tracking an additional security patch applied in production. I just thought this could've gone through a simpler process.

Sure. It's completely fine to make this task public now if that's what you and/or other CampaignEvents developers would like to do. And then send a change set up to gerrit for master and any other relevant branches.

I think it should be fairly safe to do so, but would like to hear from @cmelo @MHorsey-WMF @VPuffetMichel.

Daimona mentioned this in T349312: CVE-2024-23178: XSS in Phonos via the phonos-purge-needed-error message.Oct 19 2023, 8:36 PM
Daimona moved this task from Blocked โ›” to Upcoming / refining ๐Ÿ’ก on the Campaigns-Product-Team (Campaign-Tools-Current-Sprint) board.Oct 24 2023, 8:10 PM
Daimona moved this task from Upcoming / refining ๐Ÿ’ก to Code Review ๐Ÿ’ฌ on the Campaigns-Product-Team (Campaign-Tools-Current-Sprint) board.
MHorsey-WMF added a comment.Nov 2 2023, 1:12 PM
In T348343#9260290, @Daimona wrote:
In T348343#9259728, @sbassett wrote:
In T348343#9255927, @Daimona wrote:

At any rate, it doesn't really make much difference, except for the (small?) overhead of tracking an additional security patch applied in production. I just thought this could've gone through a simpler process.

Sure. It's completely fine to make this task public now if that's what you and/or other CampaignEvents developers would like to do. And then send a change set up to gerrit for master and any other relevant branches.

I think it should be fairly safe to do so, but would like to hear from @cmelo @MHorsey-WMF @VPuffetMichel.

Agreed, we should go ahead asap

VPuffetMichel added a comment.Nov 2 2023, 2:16 PM

Agreed. What would it take to do so?

sbassett triaged this task as Medium priority.Nov 2 2023, 3:02 PM
sbassett changed the visibility from "Custom Policy" to "Public (No Login Required)".
sbassett changed the edit policy from "Custom Policy" to "All Users".
sbassett changed Risk Rating from N/A to Medium.
sbassett added a subscriber: gerritbot.Nov 2 2023, 3:06 PM
In T348343#9301825, @VPuffetMichel wrote:

Agreed. What would it take to do so?

I've just made this task public (folks with certain acl*security access can do so). So now it should be possible for folks to push up any relevant backports through gerrit and have the bot comment here. Once the patch has been merged to master, it should then be removed from WMF production as a security patch, typically during the following week's train deploys. And we'll still plan to re-announce this at the end of the quarter with the supplemental security release (T347659).

gerritbot added a comment.Nov 2 2023, 5:21 PM

Change 971248 had a related patch set uploaded (by Daimona Eaytoy; author: Daimona Eaytoy):

[mediawiki/extensions/CampaignEvents@master] SECURITY: Fix XSSs in EmailManager.js

https://gerrit.wikimedia.org/r/971248

gerritbot added a project: Patch-For-Review.Nov 2 2023, 5:21 PM

Change 971183 had a related patch set uploaded (by Daimona Eaytoy; author: Daimona Eaytoy):

[mediawiki/extensions/CampaignEvents@REL1_41] SECURITY: Fix XSSs in EmailManager.js

https://gerrit.wikimedia.org/r/971183

Daimona added a comment.Nov 2 2023, 5:26 PM

@sbassett Thanks! I've pushed a fix for master and cherry-picked that to REL1_41. Should I ping someone to remind them of removing the patch from production when it's merged on gerrit?

sbassett added a comment.Nov 2 2023, 8:17 PM
In T348343#9302830, @Daimona wrote:

@sbassett Thanks! I've pushed a fix for master and cherry-picked that to REL1_41. Should I ping someone to remind them of removing the patch from production when it's merged on gerrit?

scap should throw an error when the patch no longer applies, when releng attempt to stage the train. But I can keep watching this task, and when the change set for master gets merged, I'll remove the patch from T276237 and any future release dirs within /srv/patches on deployment.

gerritbot added a comment.Nov 6 2023, 8:01 AM

Change 971183 merged by jenkins-bot:

[mediawiki/extensions/CampaignEvents@REL1_41] SECURITY: Fix XSSs in EmailManager.js

https://gerrit.wikimedia.org/r/971183

gerritbot added a comment.Nov 6 2023, 8:02 AM

Change 971248 merged by jenkins-bot:

[mediawiki/extensions/CampaignEvents@master] SECURITY: Fix XSSs in EmailManager.js

https://gerrit.wikimedia.org/r/971248

Maintenance_bot removed a project: Patch-For-Review.Nov 6 2023, 8:10 AM
ReleaseTaggerBot added a project: MW-1.42-notes (1.42.0-wmf.4; 2023-11-07).Nov 6 2023, 9:01 AM
Daimona moved this task from Code Review ๐Ÿ’ฌ to Done ๐Ÿ on the Campaigns-Product-Team (Campaign-Tools-Current-Sprint) board.Nov 6 2023, 2:14 PM

Our part is done, I'll leave this open until the private security patch is removed from production.

Daimona moved this task from Backlog to Bugs on the CampaignEvents board.Nov 10 2023, 5:58 PM
Mstyles renamed this task from Various i18n-based XSSs in Special:EventDetails to CVE-2024-23171: Various i18n-based XSSs in Special:EventDetails.Jan 16 2024, 6:42 PM
Mstyles closed this task as Resolved.Jan 16 2024, 9:50 PM
Mstyles moved this task from Watching to Our Part Is Done on the Security-Team board.

@Daimona I did remove the patch from production

Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. ยท Wikimedia Foundation ยท Privacy Policy ยท Code of Conduct ยท Terms of Use ยท Disclaimer ยท CC-BY-SA ยท GPL ยท Credits