Page MenuHomePhabricator
Create Task
Maniphest T369486

CVE-2024-47841: Path traversal when loading stylesheets from /w/skins/ can load files outside of /w/skins/
Closed, ResolvedPublicSecurity
Actions

Description

Steps to reproduce:

  1. Install MediaWiki
  2. Install Extension:CSS
  3. Save the following into the page CSS/Path traversal/styles.css:
.purple {
    width: 500px;
    height: 500px;
    background-color: purple;
}
  1. Save the following into the page CSS/Path traversal:
{{#css: /..\index.php?title=CSS/Path traversal/styles.css&action=raw&ctype=text/css}}<!--
--><div class="purple"></div>

Expected behavior:
The HTML output to the browser would be <!-- Invalid/malicious path -->

Actual behavior:
The HTML sent includes the URL, which loads CSS from the /styles.css page.

Versions:

  • MediaWiki: 1.42.1 (8a2dc91); 06:43, 4 July 2024
  • CSS: 3.5.0 (6becec9) 03:47, 20 June 2024

Miscellaneous information:
Screenshot:

Screenshot 2024-07-08 at 18-24-02 CSS_Path traversal - [...].png (1×3 px, 311 KB)

The extension attempts to check if the URL is on the correct path, and uses wfExpandUrl to normalize the URL (CSS.class.php line 47). Compliant URL parsers would treat the backslash alone, but in practice, browsers would silently convert backslashes into slashes.

Details

Risk Rating
High
Author Affiliation
Wikimedia Communities
Related Changes in Gerrit:
SubjectRepoBranchLines +/-
SECURITY: Workaround path traversal abusing backslashesmediawiki/extensions/CSSREL1_39+9 -1
SECURITY: Workaround path traversal abusing backslashesmediawiki/extensions/CSSREL1_42+9 -1
SECURITY: Workaround path traversal abusing backslashesmediawiki/extensions/CSSmaster+9 -1
Customize query in gerrit

Related Objects

Event Timeline

BlankEclair created this task.Jul 8 2024, 8:32 AM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptJul 8 2024, 8:32 AM
BlankEclair added a project: MediaWiki-extensions-CSS.Jul 8 2024, 8:32 AM
BlankEclair added subscribers: GICodeWarrior, Nad.
RhinosF1 added a project: affects-Miraheze.Jul 8 2024, 8:39 AM
RhinosF1 added subscribers: OriginalAuthority, AllUsernamesArePicked, Reception123, TheVoidwalker.
Restricted Application added a subscriber: RhinosF1. · View Herald TranscriptJul 8 2024, 8:39 AM
Bawolff awarded a token.Jul 8 2024, 9:02 AM
Bawolff subscribed.EditedJul 8 2024, 9:12 AM

Nice find.

I wonder if core wfExpandUrl() should be changed to match https://url.spec.whatwg.org/#url-parsing . I think the way extension:CSS is currently written is risky, and should use wfParseUrl instead regardless (to follow a parse and deserialize pattern instead of a validation pattern) however core mediawiki does seem at least partially at fault here.

BlankEclair added a comment.EditedJul 8 2024, 9:23 AM

Huh, I didn't know that there's a living standard for URLs! I guess my statement about compliant URL parsers might be wrong since MediaWiki isn't complying with it.

I initially thought that wfExpandUrl was technically not incorrect, but I suppose in this circumstance it is. Perhaps both fixes could be done.

Mstyles added a project: Vuln-Misconfiguration.Jul 8 2024, 4:16 PM
Mstyles changed Risk Rating from N/A to High.
BlankEclair added a comment.Jul 9 2024, 6:55 AM

For checking if $url is relative to $base, I suppose we could check for all three conditions:

  • $url's origin (scheme, domain, port) is equal to $base's
  • $url's path starts with $base's path with trailing slashses stripped, and appended to "/"
  • $url's search starts with $base's

This should be reasonable to expect. However, it appears that we'll need to use our own parser or modify MediaWiki's, because:

> docker compose exec mediawiki php maintenance/run.php shell
PHP Notice:  Writing to directory /.config/psysh is not allowed. in /var/www/html/w/vendor/psy/psysh/src/ConfigPaths.php on line 327
Psy Shell v0.12.4 (PHP 8.1.20 — cli) by Justin Hileman
> $wgStylePath
= "/w/skins"

> wfParseUrl($wgStylePath)
= false
BlankEclair added a comment.Jul 9 2024, 7:17 AM

I want to try to update MediaWiki's URL parser to the standard. I've searched for wfExpandUrl and UrlUtils on Phab, and couldn't find anything related to it. Should the bug report about wfExpandUrl/UrlUtils::expand be public, or should it be fixed here privately?

Mstyles moved this task from Incoming to In Progress on the Security-Team board.Jul 10 2024, 8:47 PM
Bawolff added a comment.Jul 10 2024, 10:58 PM

I was thinking you could maybe use wfAssembleUrl(), and that passing it through that would cause questionable characters like \ to be escaped when re-assembling, but it seems like that is not the case, and wfAssembleUrl has the same problem as the other functions.

GICodeWarrior added a comment.Aug 2 2024, 4:42 AM

I wrote the first versions of wfRemoveDotSegments and wfAssembleUrl for reasons like this, but that was back in 2011 and based on the RFC available at the time. It seems these have not aged well.
https://static-bugzilla.wikimedia.org/bug32168.html

Mstyles subscribed.Aug 19 2024, 4:15 PM

@BlankEclair any updates on updating the URL parser?

BlankEclair added a comment.Aug 20 2024, 7:33 AM

I'm not sure whether or not I should ship a better parser in MediaWiki core and have the extension use that, or if I should ship the spec-compliant parser in the extension, or I should replace \ with / and call it a day.

sbassett subscribed.Aug 20 2024, 1:53 PM
In T369486#10076383, @BlankEclair wrote:

I'm not sure whether or not I should ship a better parser in MediaWiki core and have the extension use that, or if I should ship the spec-compliant parser in the extension, or I should replace \ with / and call it a day.

IMO, the first option is ideal, as there actually seems to be an issue with some of core's url-parsing functions, while the latter two are probably far more convenient and easy to do. I'm not sure any of these are "wrong", per se.

BlankEclair claimed this task.Aug 23 2024, 7:08 AM
BlankEclair added a project: Patch-For-Review.

I'm busy lately, so I'll do the \ -> / method and will leave the URL parser rewrite to some other person who wants to tackle this (if there are any).

T369486.patch1 KBDownload

Mstyles added a comment.Aug 26 2024, 4:21 PM

@BlankEclair since this is not deployed on WMF production it can be pushed through Gerrit and noted in the supplemental release. We can also hold for supplemental release and apply the patch then, but I don't recommend that.

BlankEclair added a comment.Aug 27 2024, 7:18 AM

Patch: https://gerrit.wikimedia.org/r/c/mediawiki/extensions/CSS/+/1067223

Urbanecm changed the visibility from "Custom Policy" to "Custom Policy".Aug 27 2024, 7:38 AM
BlankEclair closed this task as Resolved.Aug 27 2024, 7:43 AM
BlankEclair removed a project: Patch-For-Review.

Patch merged

RhinosF1 added a comment.Aug 27 2024, 11:15 AM

@Mstyles: can you add this to the supplemental and seek CVE record?

RhinosF1 reopened this task as Open.Aug 27 2024, 11:16 AM

Reopen so security see at triage

gerritbot added a comment.Aug 27 2024, 11:42 AM

Change #1067324 had a related patch set uploaded (by Alejandro Alcaide; author: BlankEclair):

[mediawiki/extensions/CSS@REL1_42] SECURITY: Workaround path traversal abusing backslashes

https://gerrit.wikimedia.org/r/1067324

gerritbot added a comment.Aug 27 2024, 11:48 AM

Change #1067324 merged by jenkins-bot:

[mediawiki/extensions/CSS@REL1_42] SECURITY: Workaround path traversal abusing backslashes

https://gerrit.wikimedia.org/r/1067324

sbassett moved this task from In Progress to Incoming on the Security-Team board.Aug 27 2024, 3:35 PM
Mstyles closed this task as Resolved.Aug 30 2024, 12:46 AM
Mstyles mentioned this in T368628: Write and send supplementary release announcement for extensions and skins with security patches (1.39.9/1.41.3/1.42.2).
Mstyles moved this task from Incoming to Our Part Is Done on the Security-Team board.

I added to the supplemental release so I'll go ahead and close it. If there's anything else, please reopen.

BlankEclair added a subscriber: Universal_Omega.Sep 11 2024, 7:13 AM
BlankEclair changed Author Affiliation from N/A to Wikimedia Communities.Oct 2 2024, 3:02 AM
RhinosF1 added a comment.Oct 3 2024, 10:25 AM

@Mstyles @sbassett: any reason this can't be public

sbassett added a comment.Oct 3 2024, 4:13 PM
In T369486#10199001, @RhinosF1 wrote:

@Mstyles @sbassett: any reason this can't be public

Nope. It should be out with the next supplemental release, which should hopefully come out very early next week.

sbassett triaged this task as Low priority.Oct 3 2024, 4:13 PM
sbassett changed the visibility from "Custom Policy" to "Public (No Login Required)".
sbassett changed the edit policy from "Custom Policy" to "All Users".
Mstyles renamed this task from Path traversal when loading stylesheets from /w/skins/ can load files outside of /w/skins/ to CVE-2024-47841: Path traversal when loading stylesheets from /w/skins/ can load files outside of /w/skins/.Oct 5 2024, 1:03 AM
Redmin mentioned this in T401526: CVE-2026-0669: Path Traversal vulnerability in CSS extension on certain web servers.Aug 9 2025, 11:14 AM
gerritbot added a comment.Oct 27 2025, 7:39 PM

Change #1199055 had a related patch set uploaded (by SomeRandomDeveloper; author: BlankEclair):

[mediawiki/extensions/CSS@REL1_39] SECURITY: Workaround path traversal abusing backslashes

https://gerrit.wikimedia.org/r/1199055

gerritbot added a project: Patch-For-Review.Oct 27 2025, 7:39 PM
SomeRandomDeveloper subscribed.Oct 27 2025, 7:42 PM
gerritbot added a comment.Oct 29 2025, 1:12 PM

Change #1199055 merged by jenkins-bot:

[mediawiki/extensions/CSS@REL1_39] SECURITY: Workaround path traversal abusing backslashes

https://gerrit.wikimedia.org/r/1199055

Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits