Description
Apex renders the sidebar without any form of escaping. Interface admins or others with access to MediaWiki:Sidebar can exploit this. The issue can be reproduced with a sidebar entry containing a string like '><script>alert('sidebar-custom');</script><' (the leading '> closes the single-quoted attribute the value is placed in, so the rest is emitted as markup).
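The pattern behind this report, as an added example that is not the Apex skin's code and not the merged patch: a sidebar section name is interpolated into a portlet's id attribute and heading, first without escaping (the vulnerable form) and then with escaping. The input array and the `esc` helper are assumptions for a stand-alone script; the real fix in the thread uses MediaWiki's Sanitizer::escapeIdForAttribute( "p-$name" ), which is not available outside MediaWiki, so PHP's htmlspecialchars stands in for it here.

```php
<?php
declare(strict_types=1);

// Constructed input (not taken from any wiki): two sidebar sections as an
// interface admin could define them in MediaWiki:Sidebar, keyed by section
// name. The second name is the payload from the task description.
const SIDEBAR_SECTIONS = [
    'navigation' => [
        ['text' => 'Main page', 'href' => '/wiki/Main_Page'],
    ],
    "'><script>alert('sidebar-custom');</script><'" => [
        ['text' => 'Evil', 'href' => '/wiki/Evil'],
    ],
];

// Vulnerable pattern: the section name goes straight into id='p-...' and
// into the heading. A single quote in the name terminates the attribute
// and everything after it is parsed as HTML.
function renderPortletUnescaped(string $name, array $links): string
{
    $html = "<div class='portal' id='p-$name'><h3>$name</h3><ul>";
    foreach ($links as $link) {
        $html .= "<li><a href='{$link['href']}'>{$link['text']}</a></li>";
    }
    return $html . '</ul></div>';
}

// Stand-in escaper (assumption for this example): ENT_QUOTES neutralises
// both quote styles, which is what matters in a single-quoted attribute.
function esc(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Hardened pattern: every value coming from MediaWiki:Sidebar is escaped
// for the context it lands in (attribute value and text node alike).
function renderPortletEscaped(string $name, array $links): string
{
    $html = "<div class='portal' id='p-" . esc($name) . "'><h3>" . esc($name) . '</h3><ul>';
    foreach ($links as $link) {
        $html .= "<li><a href='" . esc($link['href']) . "'>" . esc($link['text']) . '</a></li>';
    }
    return $html . '</ul></div>';
}

// Crude detector for the check below: a <script tag anywhere in the output
// can only have come from the untrusted sidebar data, since the templates
// above never emit one.
function containsScriptTag(string $html): bool
{
    return stripos($html, '<script') !== false;
}

foreach (SIDEBAR_SECTIONS as $name => $links) {
    $vuln = renderPortletUnescaped((string) $name, $links);
    $safe = renderPortletEscaped((string) $name, $links);
    printf(
        "section %s\n  unescaped output contains <script>: %s\n  escaped output contains <script>:   %s\n",
        json_encode($name),
        containsScriptTag($vuln) ? 'yes' : 'no',
        containsScriptTag($safe) ? 'yes' : 'no'
    );
}
```

When reviewing a fix of this kind, check every place the section name and link text reach the output, not only the id attribute: the reviewer in this thread explicitly notes that only the `p-$name` escape was looked at and that other XSS sinks were not reviewed.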
Details
- Risk Rating: Low
- Author Affiliation: Wikimedia Communities
Related Objects
- Mentioned In
  - T368628: Write and send supplementary release announcement for extensions and skins with security patches (1.39.9/1.41.3/1.42.2)
- Mentioned Here
  - T368628: Write and send supplementary release announcement for extensions and skins with security patches (1.39.9/1.41.3/1.42.2)
  - T361452: CVE-2024-40605: Foreground skin: stored XSS via MediaWiki:Sidebar
Event Timeline
Seeing as the skin is not actively maintained and the original author has been away for a long time now, would the Security Team be able to merge a patch to this?
Also, this is actually the same issue as T361452; are similar cases being tracked anywhere?
Hi, the Security-Team is happy to review and merge any patch for this issue; however, we do not plan to actively work on developing a patch ourselves.
Thanks
Hi @mmartorana, apologies for the late reply. To be clear, I was not asking if the Security Team would be willing to develop a patch at all; I just wanted to know if you would be willing to merge it. Anyway, I am glad to hear you are, so here is the patch. Considering this issue requires elevated access, I think pushing this to Gerrit would be fine. Thanks for your time.
+1 for the specific escape of Sanitizer::escapeIdForAttribute( "p-$name" ) here. Though I didn't review the code to determine if there are any additional XSS sinks at this time...
Thanks, I have pentested to make sure it's fine. Are you fine with me pushing this to Gerrit now?
Yes, that's fine. In general, as long as the code isn't bundled or Wikimedia-production-deployed, it's fine to push security fixes publicly and get them merged. We try to (re-)announce issues like this via the supplemental security releases - I've added this issue to the tracking task for the next supplemental release: T368628.
Change #1064405 had a related patch set uploaded (by R4356thwiki; author: R4356thwiki):
[mediawiki/skins/apex@master] Bug: T370081
Change #1064405 had a related patch set uploaded (by R4356thwiki; author: R4356thwiki):
[mediawiki/skins/apex@master] SECURITY: Escape MediaWiki:Sidebar before rendering
Change #1064405 merged by jenkins-bot:
[mediawiki/skins/apex@master] SECURITY: Escape MediaWiki:Sidebar before rendering
Change #1071635 had a related patch set uploaded (by R4356thwiki; author: R4356thwiki):
[mediawiki/skins/apex@REL1_40] SECURITY: Escape MediaWiki:Sidebar before rendering
Change #1071635 abandoned by R4356thwiki:
[mediawiki/skins/apex@REL1_40] SECURITY: Escape MediaWiki:Sidebar before rendering
Reason:
Whoops, didn't realise 1.40 is EOL
Change #1071636 had a related patch set uploaded (by R4356thwiki; author: R4356thwiki):
[mediawiki/skins/apex@REL1_42] SECURITY: Escape MediaWiki:Sidebar before rendering
Change #1071636 merged by jenkins-bot:
[mediawiki/skins/apex@REL1_42] SECURITY: Escape MediaWiki:Sidebar before rendering