Page MenuHomePhabricator
Create Task
Maniphest T349312

CVE-2024-23178: XSS in Phonos via the phonos-purge-needed-error message
Closed, ResolvedPublicSecurity
Actions

Description

In PhonosButton.js, the unescaped message text is appended to the page content:

this.getPopup().$body.append(
	$( '<p>' ).append(
		mw.message( 'phonos-purge-needed-error' ).text() + '&nbsp;',
		$link
	)
);

This is vulnerable to an i18n-based XSS because the phonos-purge-needed-error message is user-controlled. You can reproduce the vulnerability by putting something unsafe in the message content (e.g., by using the x-xss language), and then triggering the handleMissingFile() function.

Details

Risk Rating
Low
Author Affiliation
Wikimedia Communities
SubjectRepoBranchLines +/-
PhonosButton: use text() instead of append()mediawiki/extensions/PhonosREL1_40+1 -1
PhonosButton: ensure link is also shown in 'purge needed' errormediawiki/extensions/PhonosREL1_41+2 -2
PhonosButton: use text() instead of append()mediawiki/extensions/PhonosREL1_41+1 -1
PhonosButton: ensure link is also shown in 'purge needed' errormediawiki/extensions/Phonosmaster+2 -2
PhonosButton: use text() instead of append()mediawiki/extensions/Phonoswmf/1.42.0-wmf.1+1 -1
PhonosButton: use text() instead of append()mediawiki/extensions/Phonosmaster+1 -1
Customize query in gerrit

Related Objects

Event Timeline

Daimona created this task.Oct 19 2023, 3:31 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptOct 19 2023, 3:31 PM
Daimona added projects: Vuln-XSS, MediaWiki-extensions-Phonos.Oct 19 2023, 3:31 PM
Restricted Application added a project: Community-Tech. · View Herald TranscriptOct 19 2023, 3:31 PM
TheresNoTime edited projects, added Community-Tech (CommTech-Kanban); removed Community-Tech.Oct 19 2023, 5:45 PM
MusikAnimal claimed this task.Oct 19 2023, 6:34 PM
MusikAnimal moved this task from Ready 🎬 to In Development 💻 on the Community-Tech (CommTech-Kanban) board.
MusikAnimal moved this task from In Development 💻 to Review/Feedback 💬 on the Community-Tech (CommTech-Kanban) board.Oct 19 2023, 6:46 PM

Intentionally vague public patch at https://gerrit.wikimedia.org/r/c/mediawiki/extensions/Phonos/+/967269

I think it's fine for it to be public as there's no malicious overrides and even if there were, the conditions under which you could encounter this code path in production is unlikely to occur.

Nonetheless we'll get the fix deployed today. Thanks for identifying this exploit!

MusikAnimal added a comment.Oct 19 2023, 6:52 PM

@Daimona just curious if you found this by circumstance, or if you have some tooling we should be aware of? I know uselang=x-xss is relatively new, but even using that you can't repro this under normal conditions.

MusikAnimal mentioned this in rEPHN961c810ddb24: PhonosButton: use text() instead of append().Oct 19 2023, 6:53 PM
Jdforrester-WMF added a project: MW-1.42-notes (1.42.0-wmf.2; 2023-10-24).Oct 19 2023, 8:16 PM
Daimona added a comment.Oct 19 2023, 8:36 PM
In T349312#9266441, @MusikAnimal wrote:

@Daimona just curious if you found this by circumstance, or if you have some tooling we should be aware of? I know uselang=x-xss is relatively new, but even using that you can't repro this under normal conditions.

I found it by pure chance :) I got the phonos-purge-needed-error error for a page in production, and I wanted to see what could've caused it. I came across the code in question, and immediately realized that it's vulnerable because I had found similar XSS vulnerabilities just a couple weeks ago (T348343).

Daimona added a comment.Oct 19 2023, 8:54 PM

BTW, I was looking at the fix in r967269 but that doesn't work here, because "&nbsp" gets escaped by .text(), and the second argument ($link) is ignored. An alternative would be to replace .text() with .escaped(), but keep using .append(). I don't want to write this on gerrit in case it gives away the real purpose of the patch :)

HMonroy mentioned this in rEPHNd2ef19d16ff9: PhonosButton: use text() instead of append().Oct 19 2023, 9:26 PM
MusikAnimal mentioned this in rEPHN9166b5ae335c: PhonosButton: ensure link is also shown in 'purge needed' error.Oct 19 2023, 9:54 PM
MusikAnimal added a comment.Oct 19 2023, 10:07 PM

BTW, I was looking at the fix in r967269 but that doesn't work here, because "&nbsp" gets escaped by .text(), and the second argument ($link) is ignored. An alternative would be to replace .text() with .escaped(), but keep using .append(). I don't want to write this on gerrit in case it gives away the real purpose of the patch :)

Thanks for catching that! I guess that's why we used append() in the first place :)

Follow-up patch (now merged) at https://gerrit.wikimedia.org/r/c/mediawiki/extensions/Phonos/+/967311/

The first patch does fix the exploit and has already been deployed, so this task is safe to be open now.

MusikAnimal mentioned this in rEPHN9ef16ddde57a: PhonosButton: use text() instead of append().Oct 19 2023, 10:20 PM
MusikAnimal mentioned this in rEPHN2e1ebce524ec: PhonosButton: ensure link is also shown in 'purge needed' error.Oct 19 2023, 10:40 PM
Jdforrester-WMF edited projects, added MW-1.42-notes (1.42.0-wmf.1; 2023-10-17), MW-1.41-notes; removed MW-1.42-notes (1.42.0-wmf.2; 2023-10-24).Oct 20 2023, 12:13 AM
HMonroy moved this task from Review/Feedback 💬 to QA 🐛 on the Community-Tech (CommTech-Kanban) board.Oct 20 2023, 5:26 AM
MusikAnimal changed the visibility from "Custom Policy" to "Public (No Login Required)".Oct 20 2023, 8:08 PM
MusikAnimal closed this task as Resolved.Oct 20 2023, 8:11 PM
MusikAnimal moved this task from QA 🐛 to Done 🏁 on the Community-Tech (CommTech-Kanban) board.

I've made the task public now that this is patched in production.

As this is very tricky to reproduce, I'm going to be bold and skip QA.

Thanks all for the help!

sbassett triaged this task as Low priority.Oct 20 2023, 8:22 PM
sbassett changed Author Affiliation from N/A to Wikimedia Communities.
sbassett changed the edit policy from "Custom Policy" to "All Users".
sbassett changed Risk Rating from N/A to Low.
sbassett mentioned this in T347659: Write and send supplementary release announcement for extensions and skins with security patches (1.35.14/1.39.6/1.40.2/1.41.0).
gerritbot added a comment.Jan 17 2024, 3:22 PM

Change 991335 had a related patch set uploaded (by Mmartorana; author: MusikAnimal):

[mediawiki/extensions/Phonos@REL1_40] PhonosButton: use text() instead of append()

https://gerrit.wikimedia.org/r/991335

gerritbot added a project: Patch-For-Review.Jan 17 2024, 3:22 PM
mmartorana renamed this task from XSS in Phonos via the phonos-purge-needed-error message to CVE-2024-23178: XSS in Phonos via the phonos-purge-needed-error message.Jan 17 2024, 4:17 PM
gerritbot added a comment.Jan 17 2024, 4:19 PM

Change 991335 merged by jenkins-bot:

[mediawiki/extensions/Phonos@REL1_40] PhonosButton: use text() instead of append()

https://gerrit.wikimedia.org/r/991335

mmartorana mentioned this in rEPHNb3085aa58a78: PhonosButton: use text() instead of append().Jan 17 2024, 4:19 PM
Maintenance_bot removed a project: Patch-For-Review.Jan 17 2024, 4:31 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL