Page MenuHomePhabricator
Create Task
Maniphest T361452

CVE-2024-40605: Foreground skin: stored XSS via MediaWiki:Sidebar
Closed, ResolvedPublicSecurity
Actions

Description

Top-level menu entries from MediaWiki:Sidebar are not properly escaped in the MediaWiki-skins-Foreground skin, resulting in classic stored XSS. The output of Sanitizer::escapeIdForAttribute is not HTML-safe, but the skin incorrectly assumes it is.

Minimal test case:

  1. As an (interface) administrator or other similarly privileged (editinterface) user, create a top level menu entry "named" '><script>alert('XSS')</script><' in MediaWiki:Sidebar (note that the payload is slightly different than the ones in T361448, T361449, T361450 given that Foreground uses single quotes for the element attributes, not double)
  2. Load a page with the Foreground skin

Expected result:
No alert.

Actual result:
The alertruns.

Proposed & tested patch:

diff --git a/includes/ForegroundTemplate.php b/includes/ForegroundTemplate.php
index 429f362..5eac8c6 100644
--- a/includes/ForegroundTemplate.php
+++ b/includes/ForegroundTemplate.php
@@ -106,7 +106,7 @@ class ForegroundTemplate extends BaseTemplate {
                        <ul id="top-bar-left" class="left">
                                <li class="divider show-for-small"></li>
                                <?php foreach ( $this->getSidebar() as $boxName => $box ) { if ( ( $box['header'] != wfMessage( 'toolbox' )->text() ) ) { ?>
-                                       <li class="has-dropdown active"  id='<?php echo Sanitizer::escapeIdForAttribute( $box['id'] ) ?>'<?php echo Linker::tooltip( $box['id'] ) ?>>
+                                       <li class="has-dropdown active"  id='<?php echo htmlspecialchars( Sanitizer::escapeIdForAttribute( $box['id'] ), ENT_QUOTES ) ?>'<?php echo Linker::tooltip( $box['id'] ) ?>>
                                                <a href="#"><?php echo htmlspecialchars( $box['header'] ); ?></a>
                                                <?php if ( is_array( $box['content'] ) ) { ?>
                                                        <ul class="dropdown">

Details

Risk Rating
Medium
Author Affiliation
Wikimedia Communities
Related Changes in Gerrit:
SubjectRepoBranchLines +/-
Escape id attribute in sidebar headersmediawiki/skins/ForegroundREL1_41+1 -1
Escape id attribute in sidebar headersmediawiki/skins/Foregroundmaster+1 -1
Customize query in gerrit

Related Objects

Event Timeline

ashley created this task.Mar 31 2024, 9:25 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptMar 31 2024, 9:25 PM
ashley added projects: Vuln-XSS, MediaWiki-skins-Foreground.Mar 31 2024, 9:25 PM
ashley added a subscriber: Samwilson.

CC'ing @Samwilson since you've recently committed to this repository with significant contributions.

Samwilson added a comment.Apr 1 2024, 2:09 AM

Thanks!

I've made a patch: https://gerrit.wikimedia.org/r/c/mediawiki/skins/Foreground/+/1015658

Anyone with write access to MediaWiki:Sidebar also can do what they want with MediaWiki:Common.js so it looks like this bug is not very easy to exploit.

sbassett mentioned this in T361321: Write and send supplementary release announcement for extensions and skins with security patches (1.39.8/1.40.4/1.41.2/1.42.0).Apr 2 2024, 5:56 PM
sbassett edited projects, added SecTeam-Processed; removed Security-Team.Apr 2 2024, 6:00 PM
sbassett subscribed.

Since this skin isn't deployed or bundled, the vulnerability (and hopefully merged patch) will be (re)announced via the next supplemental security release: T361321.

sbassett added a project: security-bug.Apr 2 2024, 7:00 PM
Samwilson mentioned this in rSFOR0bb47d072645: Escape id attribute in sidebar headers.Apr 3 2024, 6:54 PM
Bawolff subscribed.Apr 3 2024, 9:12 PM

Anyone with write access to MediaWiki:Sidebar also can do what they want with MediaWiki:Common.js so it looks like this bug is not very easy to exploit.

You should need different rights to edit the sidebar then common.js (In WMF config, sysop vs interface-admin)

Bawolff changed the visibility from "Custom Policy" to "Public (No Login Required)".Apr 3 2024, 9:12 PM
Bawolff changed the edit policy from "Custom Policy" to "All Users".
sbassett triaged this task as Medium priority.Apr 3 2024, 9:16 PM
sbassett changed Author Affiliation from N/A to Wikimedia Communities.
sbassett changed Risk Rating from N/A to Medium.
Samwilson added a comment.Apr 4 2024, 2:45 AM

You should need different rights to edit the sidebar then common.js (In WMF config, sysop vs interface-admin)

True, but that's not the case by default.

Also, why is escapeIdForAttribute() "not guaranteed to be HTML safe"? What other ID attribute is it intended for, that needs to be able to contain angle brackets etc.? Is it because some XML dialects permit more characters in IDs than HTML does? It looks like a bunch of skins are doing similar things to Foreground here, so it does seem a confusingly named function.

I guess the better fix here is for Foreground to not construct HTML directly, but use the Html class.

sbassett added a comment.EditedApr 4 2024, 4:25 PM
In T361452#9686743, @Samwilson wrote:

Also, why is escapeIdForAttribute() "not guaranteed to be HTML safe"? What other ID attribute is it intended for, that needs to be able to contain angle brackets etc.? Is it because some XML dialects permit more characters in IDs than HTML does? It looks like a bunch of skins are doing similar things to Foreground here, so it does seem a confusingly named function.

Looking at escapeIdInternal() within Sanitizer.php, it seems like it's purely focused on what the various html specs allow which, sadly, might not perfectly align with security best-practices. For example, it's not doing anything to prevent DOM-clobbering or filter url schemes or anything else that would likely be a security best-practice for html attributes.

I guess the better fix here is for Foreground to not construct HTML directly, but use the Html class.

Yes. Building html manually by constructing large, dynamic strings is always pretty dangerous, even for very experienced developers.

ashley mentioned this in T361450: CVE-2024-40604: Nimbus skin: stored XSS via MediaWiki:Nimbus-sidebar.Apr 7 2024, 10:45 PM
gerritbot added a comment.Jul 3 2024, 2:49 PM

Change #1051779 had a related patch set uploaded (by Mmartorana; author: Samwilson):

[mediawiki/skins/Foreground@REL1_41] Escape id attribute in sidebar headers

https://gerrit.wikimedia.org/r/1051779

gerritbot added a project: Patch-For-Review.Jul 3 2024, 2:49 PM
gerritbot added a comment.Jul 4 2024, 1:44 AM

Change #1051779 merged by jenkins-bot:

[mediawiki/skins/Foreground@REL1_41] Escape id attribute in sidebar headers

https://gerrit.wikimedia.org/r/1051779

mmartorana mentioned this in rSFORaff3b2e7aec0: Escape id attribute in sidebar headers.Jul 4 2024, 1:44 AM
Bawolff added a comment.EditedJul 4 2024, 5:55 AM
In T361452#9686743, @Samwilson wrote:

Also, why is escapeIdForAttribute() "not guaranteed to be HTML safe"? What other ID attribute is it intended for, that needs to be able to contain angle brackets etc.? Is it because some XML dialects permit more characters in IDs than HTML does? It looks like a bunch of skins are doing similar things to Foreground here, so it does seem a confusingly named function.

I think the intention is to remove characters not allowed after the # in a url (or equivalently not allowed to be an id per spec)

Historically this was pretty restrictive. HTML5 is much less strict so it is less of an issue now. The definition in html4 ( https://www.w3.org/TR/html4/types.html#h-6.2 ), XML/XHTML ( https://www.w3.org/TR/xml/#NT-NameStartChar ) and html5 are all different ( https://html.spec.whatwg.org/multipage/dom.html#global-attributes:the-id-attribute-2 )

Samwilson closed this task as Resolved.Jul 5 2024, 5:53 AM
Samwilson claimed this task.

That makes sense.

I started looking into other skins that might have this same issue, and will try to raise tasks for them (although it looks like some are unmaintained and it's probably not worth it).

mmartorana renamed this task from Foreground skin: stored XSS via MediaWiki:Sidebar to CVE-2024-40605: Foreground skin: stored XSS via MediaWiki:Sidebar.Jul 8 2024, 5:36 PM
Maintenance_bot removed a project: Patch-For-Review.Jul 9 2024, 7:59 PM
Redmin mentioned this in T370081: CVE-2024-47840: Stored XSS through sidebar in Apex skin.Jul 15 2024, 5:00 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits