
CVE-2025-53487: Stored XSS through system messages in Extension:ApprovedRevs
Closed, ResolvedPublicSecurity

Authored By
SomeRandomDeveloper
May 15 2025, 9:34 AM
Referenced Files
F60015362: T394383.diff
May 15 2025, 1:08 PM

Description

Multiple system messages are inserted into raw HTML without proper sanitization:

approvedrevs-approvedrevision
https://github.com/wikimedia/mediawiki-extensions-ApprovedRevs/blob/bccc58f799c77b3e5b4a17fd49b4d30e6e9981da/includes/ApprovedRevsHooks.php#L1315

  1. Upload a file while ApprovedRevs is enabled
  2. Go to the file page and append ?uselang=x-xss to the end of the URL (example URL: http://localhost:4001/wiki/File:TestFile.jpg?uselang=x-xss)


approvedrevs-approver
https://github.com/wikimedia/mediawiki-extensions-ApprovedRevs/blob/bccc58f799c77b3e5b4a17fd49b4d30e6e9981da/includes/ApprovedRevsHooks.php#L677

  1. Have the viewapprover permission
  2. Create an article in a namespace in which ApprovedRevs is enabled
  3. Go to the revision history of the article and approve the edit you made while creating the page by clicking on the "approve" link after the edit summary
  4. Go to the article you created and make sure that you are visiting it without the oldid parameter set, e.g. /w/index.php?title=ApprovedRevsTest
  5. Append &uselang=x-xss to the end of the URL (example URL: http://localhost:4001/w/index.php?title=ApprovedRevsTest&uselang=x-xss)


approvedrevs-noapprovedrevision
This requires $egApprovedRevsShowNotApprovedMessage = true; in LocalSettings.
https://github.com/wikimedia/mediawiki-extensions-ApprovedRevs/blob/bccc58f799c77b3e5b4a17fd49b4d30e6e9981da/includes/ApprovedRevsHooks.php#L1229

  1. Add $egApprovedRevsShowNotApprovedMessage = true; to your LocalSettings.php
  2. Create a page in a namespace in which ApprovedRevs is enabled and make sure that no version of the page is approved
  3. Append ?uselang=x-xss to the end of the URL (example URL: http://localhost:4001/wiki/ApprovedRevsTest3?uselang=x-xss)


approvedrevs-view
https://github.com/wikimedia/mediawiki-extensions-ApprovedRevs/blob/bccc58f799c77b3e5b4a17fd49b4d30e6e9981da/includes/specials/SpecialApprovedRevs.php#L80

  1. To reproduce this vulnerability, the broken import in line 4 (https://github.com/wikimedia/mediawiki-extensions-ApprovedRevs/blob/bccc58f799c77b3e5b4a17fd49b4d30e6e9981da/includes/specials/SpecialApprovedRevs.php#L4) has to be changed from MediaWiki\Lineker\Linker to MediaWiki\Linker\Linker.
  2. Go to Special:ApprovedRevs in your wiki and append ?uselang=x-xss to the end of the URL (example URL: http://localhost:4001/wiki/Special:ApprovedRevs?uselang=x-xss)


approvedrevs-approvedby
Some date formatting messages like may_long are also inserted here without sanitization.
https://github.com/wikimedia/mediawiki-extensions-ApprovedRevs/blob/bccc58f799c77b3e5b4a17fd49b4d30e6e9981da/includes/specials/SpecialApprovedRevs.php#L222

  1. To reproduce this vulnerability, the broken import in line 4 (https://github.com/wikimedia/mediawiki-extensions-ApprovedRevs/blob/bccc58f799c77b3e5b4a17fd49b4d30e6e9981da/includes/specials/SpecialApprovedRevs.php#L4) has to be changed from MediaWiki\Lineker\Linker to MediaWiki\Linker\Linker.
  2. Make sure that there is at least one article in your wiki that has an approved version
  3. Go to Special:ApprovedRevs in your wiki and make sure the show parameter is set to all and the uselang parameter is set to x-xss (example URL: http://localhost:4001/w/index.php?title=Special:ApprovedRevs&show=all&uselang=x-xss)


Further information
I have tested all of those while being logged in, but most should also work when you're not logged in, depending on the configured user rights.
Browser: Firefox 138.0.1 (64-bit) on Fedora Linux 42
MediaWiki: 1.45.0-alpha (05406ba)
PHP: 8.3.14 (fpm-fcgi)
ApprovedRevs: 2.2.1 (bccc58f) 07:29, 12 May 2025
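The defect class behind every item above is the same: a system message is concatenated into raw HTML, so a message whose text contains markup (which is exactly what the x-xss pseudo-language produces for every key) becomes part of the page. As an added illustration that is not part of this report or of the ApprovedRevs code base, here is that pattern next to its hardened form, using MediaWiki's Message and Html helpers; the message key and function names are hypothetical:

```php
<?php
// Added illustration, not code from Extension:ApprovedRevs. The message key
// 'example-approved-note' and the function names are hypothetical.
use MediaWiki\Html\Html;

// VULNERABLE: ->text() returns the raw message text with no escaping. Under
// ?uselang=x-xss every message resolves to an XSS probe, so the probe's
// markup is emitted into the page as-is.
function buildNoteVulnerable(): string {
	return '<div class="approved-note">'
		. wfMessage( 'example-approved-note' )->text()
		. '</div>';
}

// FIXED: ->escaped() HTML-encodes the message text and Html::rawElement
// builds the wrapper, so the probe renders as literal text.
function buildNoteFixed(): string {
	return Html::rawElement(
		'div',
		[ 'class' => 'approved-note' ],
		wfMessage( 'example-approved-note' )->escaped()
	);
}

// Equivalent fix when the wrapper carries no other raw HTML: Html::element
// escapes its text argument itself, so ->text() is safe here.
function buildNoteFixedAlt(): string {
	return Html::element(
		'div',
		[ 'class' => 'approved-note' ],
		wfMessage( 'example-approved-note' )->text()
	);
}

// If a message is meant to contain wikitext (links, formatting), use
// ->parse() rather than ->escaped(): the parser returns sanitized HTML.
```

The check that catches the whole class during review is the one the report uses: load each affected page with ?uselang=x-xss and confirm that no message is rendered as active markup.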

Event Timeline

Adding BlankEclair since this extension is deployed on Miraheze

Similar to my comment in T394612#10835735, the above patch should likely be pushed through gerrit since it isn't Wikimedia-deployed. Unless Miraheze would like to hold the patch until they've patched their production environments.

We're looking at this now; I also PM'd you a question on IRC.

sbassett added a subscriber: gerritbot.

Change #1147818 merged by jenkins-bot:

[mediawiki/extensions/ApprovedRevs@master] SECURITY: Fixed stored XSS through system messages

https://gerrit.wikimedia.org/r/1147818

Change #1147832 had a related patch set uploaded (by Paladox; author: SomeRandomDeveloper):

[mediawiki/extensions/ApprovedRevs@REL1_44] SECURITY: Fixed stored XSS through system messages

https://gerrit.wikimedia.org/r/1147832

Change #1147833 had a related patch set uploaded (by Paladox; author: SomeRandomDeveloper):

[mediawiki/extensions/ApprovedRevs@REL1_43] SECURITY: Fixed stored XSS through system messages

https://gerrit.wikimedia.org/r/1147833

Change #1147832 merged by jenkins-bot:

[mediawiki/extensions/ApprovedRevs@REL1_44] SECURITY: Fixed stored XSS through system messages

https://gerrit.wikimedia.org/r/1147832

Change #1147833 merged by jenkins-bot:

[mediawiki/extensions/ApprovedRevs@REL1_43] SECURITY: Fixed stored XSS through system messages

https://gerrit.wikimedia.org/r/1147833

Paladox assigned this task to SomeRandomDeveloper.

Can this be made public / assigned a CVE?

It's currently in the process of being released with T389312, which should be due out sometime this week. It will get a CVE and be made public during that process.

mmartorana renamed this task from Stored XSS through system messages in Extension:ApprovedRevs to CVE-2025-53487: Stored XSS through system messages in Extension:ApprovedRevs. Jul 8 2025, 5:38 PM
mmartorana changed the visibility from "Custom Policy" to "Public (No Login Required)".