
CVE-2024-40599: GuMaxDD skin: stored XSS via MediaWiki:Sidebar
Closed, Resolved | Public | Security

Description

Top-level menu entries from MediaWiki:Sidebar are not properly escaped in the MediaWiki-skins-GuMaxDD skin, resulting in classic stored XSS.

Minimal test case:

  1. As an (interface) administrator or other similarly privileged (editinterface) user, create a top-level menu entry "named" "><script>alert('XSS')</script> in MediaWiki:Sidebar
  2. Load a page with the GuMaxDD skin

Expected result:
No alert.

Actual result:
The alert runs not once but twice (!).

Proposed & tested patch:

diff --git a/GuMaxDD.skin.php b/GuMaxDD.skin.php
index 52c4997..d9bfa89 100644
--- a/GuMaxDD.skin.php
+++ b/GuMaxDD.skin.php
@@ -302,7 +302,7 @@ class GuMaxDDTemplate extends BaseTemplate {
                                default:
                                        $out = $skin->msg( $bar );
                                        if ( $out->isDisabled() ) {
-                                               $txtOut = $bar;
+                                               $txtOut = htmlspecialchars( $bar, ENT_QUOTES );
                                        } else {
                                                $txtOut = $out->escaped();
                                        }
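Review bot: worth a one-line comment above `$txtOut = htmlspecialchars( $bar, ENT_QUOTES );` stating that `$txtOut` is now HTML in both branches (this branch escapes the raw heading key when the message is disabled; the other already calls `$out->escaped()`), because the `<?php echo $txtOut; ?>` text sink further down echoes it without further escaping, and a future edit that assigns plain text here would reopen the hole.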
@@ -315,7 +315,7 @@ class GuMaxDDTemplate extends BaseTemplate {
                                // "in other languages" menu on NS_SPECIAL and that'd be ugly.
                                if ( $txtOut && !( $isSpecial && $bar === 'LANGUAGES' ) ) {
 ?>
-                       <li><a class="gumax-nav-heading gumax-nav-heading-<?php echo mb_strtolower( Sanitizer::escapeIdForAttribute( $bar ) ) ?>" href="#"><?php echo $txtOut; ?> &raquo;</a>
+                       <li><a class="gumax-nav-heading gumax-nav-heading-<?php echo mb_strtolower( htmlspecialchars( Sanitizer::escapeIdForAttribute( $bar ), ENT_QUOTES ) ) ?>" href="#"><?php echo $txtOut; ?> &raquo;</a>
 <?php
                        # XXX JaTu fix
                        if ( $bar == 'SEARCH' ) { ?>
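Review bot: the `htmlspecialchars( ..., ENT_QUOTES )` wrapped around `Sanitizer::escapeIdForAttribute( $bar )` is doing real work and should not be dropped as redundant in a later cleanup: the test case's alert firing twice shows the `class` attribute was a second sink alongside the text node, so the id/fragment escaping alone did not stop a leading `">` from closing the attribute. Applying `mb_strtolower()` to the already-escaped string is harmless since the entities `htmlspecialchars()` emits are lowercase, but the inline `<a class="..." href="#">` would be easier to audit as `Html::rawElement( 'a', [ 'class' => ..., 'href' => '#' ], $txtOut . ' &raquo;' )`, which escapes attribute values itself.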

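To see the two sinks side by side, here is an added example in plain PHP (not GuMaxDD's or MediaWiki's own code) that reproduces the heading line from the two hunks above before and after the patch, runnable without a wiki. `MESSAGES`, `headingTextVulnerable()`, `headingTextFixed()`, `renderHeadingVulnerable()`, `renderHeadingFixed()` and `countScriptTags()` are names invented for this example; `escapeIdForAttribute()` is a simplified stand-in for `Sanitizer::escapeIdForAttribute()` in html5 fragment mode, assumed here to do nothing beyond mapping whitespace to underscores, and a missing key in `MESSAGES` plays the role of `$skin->msg( $bar )->isDisabled()`. Run with `php example.php`.

```php
<?php
// Added example, not GuMaxDD's or MediaWiki's code: the sidebar heading sink
// reduced to plain PHP so the unpatched and patched behaviour can be run side
// by side without a wiki. Labelled assumptions: MESSAGES stands in for the
// MediaWiki:<key> interface messages that $skin->msg( $bar ) would look up
// (a missing key plays the role of isDisabled()); escapeIdForAttribute() is a
// simplified stand-in for Sanitizer::escapeIdForAttribute() in html5 fragment
// mode, which only maps whitespace to underscores and does no HTML escaping.

/** Constructed sample of interface messages keyed by sidebar heading. */
const MESSAGES = [
    'navigation' => 'Navigation',
    'TOOLBOX'    => 'Tools',
];

/** Simplified Sanitizer::escapeIdForAttribute(), html5 mode (assumption). */
function escapeIdForAttribute( string $id ): string {
    return str_replace( [ "\t", "\n", "\f", "\r", ' ' ], '_', $id );
}

/** $txtOut as the unpatched skin built it: raw $bar when no message exists. */
function headingTextVulnerable( string $bar ): string {
    return MESSAGES[ $bar ] ?? $bar;
}

/** $txtOut as patched: the message branch is ->escaped(), the raw branch is htmlspecialchars'd. */
function headingTextFixed( string $bar ): string {
    $txt = MESSAGES[ $bar ] ?? $bar;
    return htmlspecialchars( $txt, ENT_QUOTES );
}

/** The <li><a ...> line before the patch: both the class attribute and the text are sinks. */
function renderHeadingVulnerable( string $bar ): string {
    $class = 'gumax-nav-heading gumax-nav-heading-' . mb_strtolower( escapeIdForAttribute( $bar ) );
    return '<li><a class="' . $class . '" href="#">' . headingTextVulnerable( $bar ) . ' &raquo;</a>';
}

/** The same line after the patch: escaping applied at both sinks. */
function renderHeadingFixed( string $bar ): string {
    $class = 'gumax-nav-heading gumax-nav-heading-'
        . mb_strtolower( htmlspecialchars( escapeIdForAttribute( $bar ), ENT_QUOTES ) );
    return '<li><a class="' . $class . '" href="#">' . headingTextFixed( $bar ) . ' &raquo;</a>';
}

/** Counts live <script elements in the markup; a crude but sufficient oracle here. */
function countScriptTags( string $html ): int {
    return substr_count( strtolower( $html ), '<script' );
}

$payload = '"><script>alert(\'XSS\')</script>';   // the task's test case, constructed here

foreach ( [ 'navigation', 'TOOLBOX', $payload ] as $bar ) {
    echo "heading:    ", $bar, "\n";
    echo "vulnerable: ", renderHeadingVulnerable( $bar ), "\n";
    echo "fixed:      ", renderHeadingFixed( $bar ), "\n\n";
}

// For the payload the unpatched markup carries two <script> elements (one from the
// broken-out class attribute, one from the text node), which is why the task reports
// the alert firing twice; the patched markup carries none.
printf( "script elements, vulnerable: %d\n", countScriptTags( renderHeadingVulnerable( $payload ) ) );
printf( "script elements, fixed:      %d\n", countScriptTags( renderHeadingFixed( $payload ) ) );
```

The run makes the "twice" in the report concrete: with the test-case heading, the unpatched `class` attribute is closed by the leading `">`, which puts one `<script>` element inside the `<a>` start tag and a second one in the link text; with the patch, both occurrences survive only as `&lt;script&gt;` entities.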
Event Timeline

sbassett edited projects, added SecTeam-Processed; removed Security-Team.
sbassett subscribed.

Since this skin isn't deployed or bundled, the proposed patch can go through gerrit at any time. It will be (re)announced via the next supplemental security release: T361321.

Bawolff changed the visibility from "Custom Policy" to "Public (No Login Required)".
Bawolff changed the edit policy from "Custom Policy" to "All Users".

Change #1051769 had a related patch set uploaded (by Mmartorana; author: Jack Phoenix):

[mediawiki/skins/GuMaxDD@REL1_41] SECURITY: avoid stored XSS via MediaWiki:Sidebar

https://gerrit.wikimedia.org/r/1051769

Change #1051770 had a related patch set uploaded (by Mmartorana; author: Jack Phoenix):

[mediawiki/skins/GuMaxDD@REL1_40] SECURITY: avoid stored XSS via MediaWiki:Sidebar

https://gerrit.wikimedia.org/r/1051770

Change #1051771 had a related patch set uploaded (by Mmartorana; author: Jack Phoenix):

[mediawiki/skins/GuMaxDD@REL1_39] SECURITY: avoid stored XSS via MediaWiki:Sidebar

https://gerrit.wikimedia.org/r/1051771

Change #1051770 abandoned by Umherirrender:

[mediawiki/skins/GuMaxDD@REL1_40] SECURITY: avoid stored XSS via MediaWiki:Sidebar

Reason:

REL1_40 is end of life

https://gerrit.wikimedia.org/r/1051770

Change #1051771 merged by jenkins-bot:

[mediawiki/skins/GuMaxDD@REL1_39] SECURITY: avoid stored XSS via MediaWiki:Sidebar

https://gerrit.wikimedia.org/r/1051771

Change #1051769 merged by jenkins-bot:

[mediawiki/skins/GuMaxDD@REL1_41] SECURITY: avoid stored XSS via MediaWiki:Sidebar

https://gerrit.wikimedia.org/r/1051769

mmartorana renamed this task from GuMaxDD skin: stored XSS via MediaWiki:Sidebar to CVE-2024-40599: GuMaxDD skin: stored XSS via MediaWiki:Sidebar. Jul 8 2024, 5:35 PM