
CVE-2024-23173: Reflected XSS Could Lead to Steal User Cookie
Closed, Resolved | Public | Security

Description

The Special:Drilldown page is vulnerable to XSS via the artist, album and position parameters. The bug could lead to exfiltration of other users' cookies by sending them the vulnerable URL. This bug was discovered while hunting in a private bug bounty program.

Test Version

MediaWiki 1.39.3 (9fef5a1) 09:05, 6 June 2023

Step-by-step:

  1. Access the Special:Drilldown page and try to filter the results by clicking on any artist name or position.

Screenshot 2023-10-09 164040.png

  2. Now enter this payload <img src=x onerror=alert(1)> in the URL parameter. For example:

Screenshot 2023-10-09 165529.png

Screenshot 2023-10-09 164502.png

Exploit:

To exploit this bug, we need to set up our webhook server and send the URL to the web admin via email; once the admin opens the link, the cookie will be sent to the attacker.

All Extensions:

Screenshot 2023-10-09 at 18-01-03 Special Version.png

Remediation:
https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html
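The remediation the cheat sheet prescribes is contextual output encoding of every request value before it reaches the page. The following is an added illustration, not Cargo's or MediaWiki's own code: a minimal drilldown-style filter renderer in the vulnerable pattern (raw interpolation) beside the hardened one, using the report's own payload in the artist parameter. Function names, the `$params` shape and the sample values are assumptions for the example; MediaWiki's `Html::element()` performs the same escaping as the `htmlspecialchars()` call shown here.

```php
<?php
// Added example (not from the Cargo extension). $params stands in for the
// raw artist/album/position query values the report names.

function renderFilterUnsafe(array $params): string {
    // Vulnerable pattern: request values interpolated straight into markup,
    // so a value like <img src=x onerror=alert(1)> executes in the page.
    $out = '';
    foreach ($params as $name => $value) {
        $out .= "<div class=\"drilldown-filter\">$name: $value</div>\n";
    }
    return $out;
}

function esc(string $s): string {
    // HTML body/attribute encoding (OWASP XSS rule for those contexts).
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function buildFilterLink(string $base, array $params): string {
    // URL context first (query-string encoding), then HTML attribute
    // encoding of the finished URL: two contexts, two encoders.
    $query = http_build_query($params, '', '&', PHP_QUERY_RFC3986);
    return '<a href="' . esc($base . '?' . $query) . '">Filter</a>';
}

function renderFilterSafe(array $params): string {
    $out = '';
    foreach ($params as $name => $value) {
        $out .= '<div class="drilldown-filter">' . esc((string)$name)
            . ': ' . esc((string)$value) . "</div>\n";
    }
    return $out . buildFilterLink('/wiki/Special:Drilldown/Albums', $params) . "\n";
}

// Constructed input: the payload from the report in the artist parameter.
$params = [
    'artist'   => '<img src=x onerror=alert(1)>',
    'album'    => 'Abbey Road',
    'position' => '1',
];

$safe = renderFilterSafe($params);
// Check a reviewer can run: no raw tag survives encoding.
$clean = strpos($safe, '<img') === false
      && strpos($safe, '&lt;img src=x onerror=alert(1)&gt;') !== false;
echo $safe, $clean ? "encoded OK\n" : "raw markup leaked\n";
```

Running the script prints the escaped filter block and the link, followed by `encoded OK`; swapping in `renderFilterUnsafe()` shows the tag reaching the output verbatim.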

Details

Risk Rating: Medium
Author Affiliation: Other (Please specify in description)

Event Timeline

DannyS712 added subscribers: Yaron_Koren, DannyS712.

Special:Drilldown comes from Cargo; adding Yaron, who I don't think has security access.

Hello @Yaron_Koren - Thank you for your prompt response and quick action in fixing.

Yaron_Koren claimed this task.

Hello @Yaron_Koren - Will you submit a request to assign a CVE ID to this vulnerability?

I don't know anything about CVE IDs, so - no.

You can learn what a CVE is by reading this article, and also by looking at this report or this search.

@Kamalinux - As Cargo is a community-maintained MediaWiki extension (not maintained in any way by the Wikimedia Foundation), it is up to the maintainers of the extension as to how they wish to disclose an issue and whether or not they wish to request a CVE. There is absolutely no requirement on their end to request a CVE.

sbassett triaged this task as Medium priority. (Oct 12 2023, 2:56 PM)
sbassett edited projects, added SecTeam-Processed; removed Security-Team.
sbassett changed Author Affiliation from N/A to Other (Please specify in description).
sbassett changed the visibility from "Custom Policy" to "Public (No Login Required)".
sbassett changed the edit policy from "Custom Policy" to "All Users".
sbassett changed Risk Rating from N/A to Medium.
Mstyles renamed this task from "Reflected XSS Could Lead to Steal User Cookie" to "CVE-2024-23173: Reflected XSS Could Lead to Steal User Cookie". (Jan 16 2024, 6:45 PM)