
Wikibooks reported to be vulnerable to DOM Clobbering attack
Closed, Duplicate · Public · Security

Description

I don't know anything about this other than what I can read in [[:enwiki:DOM clobbering]] and the abstract of the cited source (https://ieeexplore.ieee.org/document/10179403), so just opening this to make people aware of the issue.

Details

Risk Rating
Low
Author Affiliation
Wikimedia Communities

Event Timeline

The only time they mention wikibooks is:

As a result, we created a proof-of-concept exploit for 44 websites in total, affecting popular sites and functionalities like Trello boards, Wiki pages in WikiBooks and WikiDot, comments in Vimeo and VK, reviews in TripAdvisor and OpenTable, posts in Fandom and JustPaste, surveys in SurveyMonkey, poster designs in PosterMyWall, and finally item searches in GitHub Shop, AliExpress, AliBaba and Telam News – to name only a few examples. The exploits enable an attacker to achieve XSS, open redirect, and client-side request forgery in 35, five, and four sites, respectively. We refer interested readers to §A.1 for a few case studies of the confirmed attacks.

But they don't mention Wikibooks in section A.1. They also claim they informed affected sites, but I haven't seen any other phab tasks about this or about DOM clobbering at all.

They also claim:

The vulnerabilities and security risks identified in this paper affect 491 websites and 16 sanitizer libraries. We started the process of notifying the affected parties in March 2022 following the best disclosure practices [128, 129], where we prioritized our reports by severity. We sent an initial notification that includes the vulnerability details, or a proof-of-concept exploit, followed by an additional reminder every three weeks to maximize the remediation rate. At the time of preparing the camera-ready, we have notified all affected parties at least once, out of which 72 sites have already confirmed the issues, and 21 sites patched them, such as GitHub, Vimeo, Fandom, TripAdvisor and SurveyMonkey.

So it's unclear what, if anything, they found on Wikibooks. However, I only skimmed the paper. Perhaps someone from WMF should email them and ask (assuming there are no messages about this in security@..)

So reading further, it sounds like they invented a tool - https://github.com/SoheilKhodayari/TheThing - to automatically detect scripts vulnerable to DOM clobbering. The tool detected one on Wikibooks (given we are talking about Wikibooks and not the more famous Wikipedia, probably a gadget or site JS). They then verified they could insert the relevant markup somewhere.

However, just because they could do that does not mean they found something meaningfully exploitable. More likely, if anything, they were able to trigger an error. But we should certainly check ourselves.

https://en.wikibooks.org/wiki/MediaWiki:Gadget-wikidialog.js has very obvious DOM clobbering potential, but also, at a glance, is not useful for doing anything evil with. Possibly they are just talking about that.
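The comment above describes the general pattern behind DOM clobbering findings in a gadget: user-supplied markup carrying `id`/`name` attributes becomes a property of `window`/`document` and shadows a global the script expected to be something else. The following is an added illustration, not code from this task, from the paper's tool, or from the wikidialog gadget, of the two checks a gadget author would want: a conservative pre-check that reports which referenced globals a piece of markup could shadow, and a hardened lookup that refuses a value that looks like a DOM node. The global names, the markup and the "clobbered scope" object are all constructed stand-ins so the snippet runs without a browser.

```javascript
// Added example (not from the Phabricator task, the paper or the gadget):
// a DOM-clobbering pre-check for untrusted markup, plus a hardened global
// lookup. No browser DOM is needed; the "clobbered" values below are
// constructed stand-ins for HTML elements (a real element has nodeType 1).

// Names a hypothetical gadget reads straight off window/document. In a real
// review these come from reading the gadget source; here they are constructed.
const REFERENCED_GLOBALS = ['config', 'dialogRoot', 'submitForm'];

// Extract every id= and name= value from markup. A regex is enough here
// because the goal is a conservative warning, not a full HTML parse; it will
// also flag data-id= style attributes, which errs on the side of reporting.
function collectNamedAttributes(html) {
  const names = new Set();
  const re = /\b(?:id|name)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/gi;
  let m;
  while ((m = re.exec(html)) !== null) {
    names.add(m[1] ?? m[2] ?? m[3]);
  }
  return names;
}

// Report which referenced globals the markup could shadow. Element id/name
// values become window[name] / document[name] properties, which is exactly
// the clobbering mechanism, so each collision is a finding for the author.
function findClobberingNames(html, referencedGlobals = REFERENCED_GLOBALS) {
  const present = collectNamedAttributes(html);
  return referencedGlobals.filter((g) => present.has(g));
}

// Hardened lookup: accept a global only if it has the type the code expects,
// and never accept anything that looks like a DOM node (numeric nodeType).
// Returning undefined lets the caller fall back to a safe default instead of
// operating on an attacker-controlled element.
function safeGlobal(scope, name, expectedType) {
  const value = scope[name];
  if (value === undefined || value === null) return undefined;
  if (typeof value === 'object' && typeof value.nodeType === 'number') {
    return undefined; // a clobbering element, not the intended value
  }
  return typeof value === expectedType ? value : undefined;
}

// --- constructed demonstration input ---
const USER_MARKUP =
  '<div><a id="config" href="#x">x</a><img name="submitForm" src="y"></div>';

function demo() {
  const findings = findClobberingNames(USER_MARKUP);
  // Stand-in for window after the markup above is inserted into the page:
  // the named elements win over the values the gadget expected.
  const clobberedScope = {
    config: { nodeType: 1, tagName: 'A', href: '#x' },
    dialogRoot: '#dialog',
    submitForm: { nodeType: 1, tagName: 'IMG' },
  };
  return {
    findings,
    config: safeGlobal(clobberedScope, 'config', 'object'),
    dialogRoot: safeGlobal(clobberedScope, 'dialogRoot', 'string'),
    submitForm: safeGlobal(clobberedScope, 'submitForm', 'function'),
  };
}

console.log(demo());
```

The pre-check is what a reviewer would run over the markup a gadget accepts, while `safeGlobal` is the shape of the fix inside the gadget itself: look up globals with an explicit type expectation rather than trusting whatever `window.name` resolves to.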

sbassett changed the task status from Open to In Progress. Jan 16 2024, 5:07 PM
sbassett moved this task from Incoming to In Progress on the Security-Team board.
sbassett added a project: user-sbassett.
sbassett moved this task from Backlog to In Progress on the user-sbassett board.
sbassett triaged this task as Low priority. Edited Feb 5 2024, 10:46 PM

Update: I've reached out to the two authors of the paper to see if they'll disclose the specific wikibooks (and any other wikimedia) issues to us. I attempted to build out a Docker env to run TheThing, but I've encountered some trouble running the various spidering tools they recommend using prior to the analysis portion of the code. I might continue to play around with it a bit, but it seems to be a somewhat-crufty codebase that hasn't really been updated within two years.

sbassett changed Author Affiliation from N/A to Wikimedia Communities. Feb 5 2024, 10:47 PM
sbassett changed Risk Rating from N/A to Low.
sbassett changed the visibility from "Custom Policy" to "Public (No Login Required)".
sbassett changed the edit policy from "Custom Policy" to "All Users".
sbassett moved this task from In Progress to Done on the user-sbassett board.