Page MenuHomePhabricator
Create Task
Maniphest T360407

i18n XSS vulnerability in message 'readinglists-error'
Closed, ResolvedPublicSecurity
Actions

Description

Discovered with $wgUseXssLanguage.

To reproduce:

Visit Special:ReadingLists with ?uselang=x-xss

Details

Risk Rating
Low
Author Affiliation
Wikimedia Communities
Related Changes in Gerrit:
SubjectRepoBranchLines +/-
Change message format for 'readinglists-error'mediawiki/extensions/ReadingListsmaster+1 -1
Customize query in gerrit

Related Objects

Event Timeline

jhsoby created this task.Mar 19 2024, 9:36 AM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptMar 19 2024, 9:36 AM
jhsoby added projects: MediaWiki-extensions-ReadingLists, Vuln-XSS.Mar 19 2024, 9:37 AM
jhsoby added a comment.Mar 19 2024, 9:40 AM

Patch that should fix this:

diff --git a/src/SpecialReadingLists.php b/src/SpecialReadingLists.php
index 1e71c78..ad1cb6b 100644
--- a/src/SpecialReadingLists.php
+++ b/src/SpecialReadingLists.php
@@ -25,7 +25,7 @@ class SpecialReadingLists extends UnlistedSpecialPage {
 		$out->addModules( [ 'special.readinglist.scripts' ] );
 		$out->setPageTitleMsg( $this->msg( 'readinglists-special-title' ) );
 		$html = Html::errorBox(
-			$this->msg( 'readinglists-error' )->text(),
+			$this->msg( 'readinglists-error' )->parse(),
 			'',
 			'reading-list__errorbox'
 		);

Is this ok to upload via Gerrit?

jhsoby added a comment.Mar 19 2024, 1:57 PM

The above patch as a file:

T360407.patch1 KBDownload

Lucas_Werkmeister_WMDE subscribed.Mar 19 2024, 1:59 PM
In T360407#9642024, @jhsoby wrote:

The above patch as a file:

T360407.patch1 KBDownload

Looks good to me, CR+1.

sbassett moved this task from Incoming to Watching on the Security-Team board.Mar 19 2024, 2:37 PM
sbassett added projects: SecTeam-Processed, Patch-For-Review.
sbassett subscribed.
In T360407#9642024, @jhsoby wrote:

The above patch as a file:

T360407.patch1 KBDownload

CR+1. IMO, this is low-risk enough to just go through gerrit and hopefully ride next week's train.

sbassett added a subscriber: gerritbot.Mar 19 2024, 2:37 PM
jhsoby added a comment.Mar 22 2024, 7:24 AM

@sbassett If I submit it via Gerrit, should I do so with the same commit message as in the patch above (including the "SECURITY:" tag and mention of XSS vulnerability), or should I be more vague?

sbassett added a comment.Mar 22 2024, 2:01 PM
In T360407#9653067, @jhsoby wrote:

@sbassett If I submit it via Gerrit, should I do so with the same commit message as in the patch above (including the "SECURITY:" tag and mention of XSS vulnerability), or should I be more vague?

I don't think it's required to use the SECURITY: prefix in this case. In most cases, we've considered these Message API sanitizations to be low-risk and have just done them publicly in gerrit (see T2212 and subtasks) as one would still need int-admin rights or to find some bypass of translatewiki.net to exploit them.

Lucas_Werkmeister_WMDE added a comment.Mar 23 2024, 11:57 AM
In T360407#9654079, @sbassett wrote:

as one would still need int-admin rights or to find some bypass of translatewiki.net to exploit them.

I don’t think that’s quite right? You only need sysop rights to exploit these, and they effectively allow sysops to escalate to interface-admin. (Non-JS pages in the MediaWiki namespace require editinterface, which is granted to sysops; interface admins additionally have editsitejs.)

sbassett added a comment.Mar 25 2024, 1:37 PM
In T360407#9655873, @Lucas_Werkmeister_WMDE wrote:

I don’t think that’s quite right? You only need sysop rights to exploit these, and they effectively allow sysops to escalate to interface-admin. (Non-JS pages in the MediaWiki namespace require editinterface, which is granted to sysops; interface admins additionally have editsitejs.)

Ah, ok. As long as it still requires elevated privileges to actually edit affected messages, then I would still consider it to be low-risk to fix most of these types of XSSes publicly.

gerritbot added a comment.Mar 26 2024, 3:51 PM

Change #1014541 had a related patch set uploaded (by Jon Harald Søby; author: Jon Harald Søby):

[mediawiki/extensions/ReadingLists@master] Change message format for 'readinglists-error'

https://gerrit.wikimedia.org/r/1014541

gerritbot added a comment.Aug 21 2024, 7:49 PM

Change #1014541 merged by jenkins-bot:

[mediawiki/extensions/ReadingLists@master] Change message format for 'readinglists-error'

https://gerrit.wikimedia.org/r/1014541

Jdlrobson-WMF triaged this task as High priority.Jan 31 2025, 5:46 PM
Jdlrobson-WMF subscribed.

@sbassett can this be resolved?

sbassett closed this task as Resolved.Jan 31 2025, 6:15 PM
sbassett assigned this task to jhsoby.
sbassett moved this task from Watching to Our Part Is Done on the Security-Team board.
sbassett removed a project: Patch-For-Review.
In T360407#10512844, @Jdlrobson-WMF wrote:

@sbassett can this be resolved?

Yes.

sbassett changed the visibility from "Custom Policy" to "Public (No Login Required)".Jan 31 2025, 6:16 PM
sbassett changed the edit policy from "Custom Policy" to "All Users".
sbassett changed Risk Rating from N/A to Low.
jhsoby mentioned this in T403411: CVE-2025-61644: i18n XSS through Special:Watchlist.Sep 1 2025, 4:32 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits