Page MenuHomePhabricator
Create Task
Maniphest T384269

CVE-2025-32078: XSSes and potential RCE in Special:VersionCompare
Closed, ResolvedPublicSecurity
Actions

Description

For XSS:

  1. Upload the following to a public file host:
{
  "query": {
    "general": {
      "wikiid": "<script>alert('malicious wikiid, line 194/204')</script>",
      "servername": "<script>alert('malicious servername, line 197/207')</script>",
      "generator": "<script>alert('malicious generator, line 310')</script>"
    },
    "extensions": [
      {
        "name": "<script>alert('malicious extension name, line 292')</script>"
      }
    ]
  }
}
  1. Set the system message version-compare-no-version to no version<script>window.vcnvWarn = window.vcnvWarn || alert("version-compare-no-version") || true</script>
  2. Set the system message version-compare-same-extension-count-label to Count of extensions and skins on both wikis<script>alert("version-compare-same-extension-count-label")</script>
  3. Go to Special:VersionCompare, put in a wiki's API URL in one field and the uploaded file URL in the other, and submit the form

For RCE:
This is untested, but it seems possible. file_get_contents() is called with unsanitised user input (albeit with "junk" appended at the end): https://gerrit.wikimedia.org/r/plugins/gitiles/mediawiki/extensions/VersionCompare/+/refs/heads/master/includes/SpecialVersionCompare.php#108

The function supports a wide array of protocols: https://www.php.net/manual/en/wrappers.php

While this isn't the default PHP configuration, if the PHP server has the expect extension installed, then it can be used for executing shell commands: https://www.depthsecurity.com/blog/exploitation-xml-external-entity-xxe-injection/
Alternatively, since there are the zlib:// and bzip2:// protocols (that also document zip://), one could use a decompression bomb, such as https://www.bamsoftware.com/hacks/zipbomb/

Details

Author Affiliation
Wikimedia Communities
Related Changes in Gerrit:
SubjectRepoBranchLines +/-
Address potential XSS and RCEmediawiki/extensions/VersionCompareREL1_43+42 -38
Address potential XSS and RCEmediawiki/extensions/VersionCompareREL1_41+42 -38
Address potential XSS and RCEmediawiki/extensions/VersionCompareREL1_42+42 -38
Address potential XSS and RCEmediawiki/extensions/VersionCompareREL1_40+42 -38
Address potential XSS and RCEmediawiki/extensions/VersionCompareREL1_39+42 -38
Address potential XSS and RCEmediawiki/extensions/VersionComparemaster+42 -38
Customize query in gerrit

Related Objects

Event Timeline

BlankEclair created this task.Jan 21 2025, 4:25 AM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptJan 21 2025, 4:25 AM
BlankEclair claimed this task.Jan 21 2025, 4:26 AM
BlankEclair added projects: Vuln-XSS, MediaWiki-extensions-VersionCompare.
BlankEclair added a subscriber: cicalese.
BlankEclair added a comment.Jan 21 2025, 5:09 AM

T384269.patch5 KBDownload

Lucas_Werkmeister_WMDE subscribed.Jan 21 2025, 9:41 AM

Hm, I thought we had a better way to make MediaWiki API requests from within MediaWiki, but API:Calling internally only applies to internal calls to the same wiki, and MediaWikiPageNameNormalizer::normalizePageName() also uses HttpRequestFactory. So I guess the attached patch is fine as far as the API call goes.

The Html::element() conversions also look fine to me at a glance, but the patch should probably still be reviewed and/or tested by someone who knows the extension ^^

sbassett moved this task from Incoming to Watching on the Security-Team board.Jan 21 2025, 4:33 PM
sbassett added a project: SecTeam-Processed.
cicalese added a comment.Jan 22 2025, 8:14 PM

Thank you very much for submitting this task and the patch, @BlankEclair.

cicalese mentioned this in rEVRC7bbc97701a33: Address potential XSS and RCE.Jan 22 2025, 8:25 PM
cicalese mentioned this in rEVRC134de15da859: Address potential XSS and RCE.Jan 22 2025, 8:29 PM
cicalese mentioned this in rEVRCdf0bf4291226: Address potential XSS and RCE.
cicalese mentioned this in rEVRC03fefe52be79: Address potential XSS and RCE.Jan 22 2025, 8:32 PM
cicalese mentioned this in rEVRCf1fe7a60f2f8: Address potential XSS and RCE.
cicalese mentioned this in rEVRC75d5f626dcdd: Address potential XSS and RCE.Jan 22 2025, 8:38 PM
cicalese closed this task as Resolved.Jan 22 2025, 8:40 PM
sbassett mentioned this in T382326: Write and send supplementary release announcement for extensions and skins with security patches (1.39.12/1.42.6/1.43.1).Jan 24 2025, 4:42 PM
sbassett added a subscriber: gerritbot.
cicalese moved this task from Backlog to Closed on the MediaWiki-extensions-VersionCompare board.Jan 24 2025, 7:31 PM
Mstyles renamed this task from XSSes and potential RCE in Special:VersionCompare to CVE-2025-32078: XSSes and potential RCE in Special:VersionCompare.Apr 11 2025, 5:02 PM
Mstyles changed the visibility from "Custom Policy" to "Public (No Login Required)".
Mstyles changed the edit policy from "Custom Policy" to "All Users".
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits