
CVE-2024-40612: BlueLL skin: stored XSS via MediaWiki:Sidebar
Closed, Resolved | Public | Security

Description

Top-level menu entries from MediaWiki:Sidebar are not properly escaped in the BlueLL skin (Lingua-Libre), resulting in classic stored XSS. The output of Sanitizer::escapeIdForAttribute is not HTML-safe, but the skin incorrectly assumes it is.

Minimal test case:

  1. As an (interface) administrator or other similarly privileged (editinterface) user, create a top level menu entry "named" "><script>alert('XSS')</script>< in MediaWiki:Sidebar
  2. Load a page with the BlueLL skin

Expected result:
No alert.

Actual result:
The alert runs.
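As an added example (not the task's or the skin's own code), the following Python models the two escaping steps on the skin's attribute line and audits a constructed MediaWiki:Sidebar page for top-level entries that a skin which stops at id-escaping would render as live markup. The `escape_id_for_attribute` model (spaces to underscores only) and the `p-` id prefix are assumptions, not MediaWiki's actual implementation.

```python
import html
import re

# Constructed sample of a MediaWiki:Sidebar page: one benign top-level
# entry and one carrying the attribute-breaking string from the test case.
SIDEBAR_WIKITEXT = """\
* navigation
** mainpage|mainpage-description
** recentchanges-url|recentchanges
* "><script>alert('XSS')</script><
** Special:Upload|Upload
"""

# Characters that can close an attribute value or open a tag.
ATTR_BREAKERS = set('"\'<>&')


def top_level_entries(wikitext):
    """Return headings of top-level (single '*') sidebar entries; '**' lines are items."""
    return [m.group(1).strip()
            for m in re.finditer(r"^\*(?!\*)\s*(.+)$", wikitext, re.M)]


def escape_id_for_attribute(value):
    """Assumed model of Sanitizer::escapeIdForAttribute (html5 id mode):
    spaces become underscores, nothing else changes, so the result is a
    usable id but NOT an HTML-safe attribute value."""
    return value.replace(" ", "_")


def render_ul_vulnerable(box_id):
    # Mirrors the original skin line: id-escaping only, no HTML escaping.
    return '<ul id="%s">' % escape_id_for_attribute(box_id)


def render_ul_fixed(box_id):
    # Mirrors the patched line: htmlspecialchars( ..., ENT_QUOTES ) on top,
    # modelled here with html.escape(quote=True).
    return '<ul id="%s">' % html.escape(escape_id_for_attribute(box_id), quote=True)


def audit_sidebar(wikitext):
    """Flag top-level entries that contain attribute-breaking characters."""
    return [h for h in top_level_entries(wikitext) if ATTR_BREAKERS & set(h)]
```

Running `audit_sidebar` over an exported copy of MediaWiki:Sidebar gives a quick check of whether any privileged user has already stored such an entry, independent of which skin renders it.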

Proposed & tested patch:

diff --git a/BlueLL.skin.php b/BlueLL.skin.php
index 71804c2..3fc9d78 100755
--- a/BlueLL.skin.php
+++ b/BlueLL.skin.php
@@ -86,7 +86,7 @@ class BlueLLTemplate extends BaseTemplate {
 
                                        <div id="top-bar-bottom-menu">
                                                <?php foreach ( $this->getSidebar() as $boxName => $box ) { if ( $box['header'] != wfMessage( 'toolbox' )->text() && $box['id'] != 'p-lang'  ) { ?>
-                                                       <ul id="<?php echo Sanitizer::escapeIdForAttribute( $box['id'] ) ?>"<?php echo Linker::tooltip( $box['id'] ) ?>>
+                                                       <ul id="<?php echo htmlspecialchars( Sanitizer::escapeIdForAttribute( $box['id'] ), ENT_QUOTES ) ?>"<?php echo Linker::tooltip( $box['id'] ) ?>>
                                                                <?php if ( is_array( $box['content'] ) ) { ?>
                                                                <?php foreach ( $box['content'] as $key => $item ) { echo $this->makeListItem( $key, $item ); } ?>
                                                                <?php } } ?>
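Review bot: The added `htmlspecialchars( ..., ENT_QUOTES )` around the `id` value closes the reported injection, but the same line still echoes `Linker::tooltip( $box['id'] )` raw from the same attacker-influenced `$box['id']`; confirm that `Linker::tooltip` escapes its return value before relying on it here, or escape it the same way. A less error-prone form is to build the tag with `Html::openElement( 'ul', [ 'id' => ..., 'title' => ... ] )`, which escapes every attribute value itself, so no manual escaping can be forgotten on this or similar lines.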

Event Timeline

sbassett subscribed.

Since this skin isn't deployed or bundled, the proposed patch can go through gerrit at any time. It will be (re)announced via the next supplemental security release: T361321.

mmartorana renamed this task from "BlueLL skin: stored XSS via MediaWiki:Sidebar" to "CVE-2024-40612: BlueLL skin: stored XSS via MediaWiki:Sidebar". Jul 8 2024, 5:37 PM
mmartorana changed the visibility from "Custom Policy" to "Public (No Login Required)".