Page MenuHomePhabricator
Create Task
Maniphest T394612

CVE-2025-7057: Stored XSS through a system message in Extension:Quiz
Closed, ResolvedPublicSecurity
Actions

Assigned To
SomeRandomDeveloper
Authored By
SomeRandomDeveloper
May 18 2025, 8:32 PM
Tags
Referenced Files
F61293692: 01-T394612.patch
Jun 2 2025, 9:47 PM
F60191872: Quiz.diff
May 18 2025, 8:32 PM
F60191809: image.png
May 18 2025, 8:32 PM
F60191803: image.png
May 18 2025, 8:32 PM
Subscribers
Aklapper
Bawolff
BlankEclair
gerritbot
Mstyles
Paladox
RhinosF1
View All 10 Subscribers

Description

In the Quiz extension, the quiz-ignore-coef system message is inserted into raw HTML unescaped, allowing JavaScript to be executed.

Reproduction steps:

  1. Edit MediaWiki:quiz-ignore-coef and replace it with (or add) <script>alert("hi!")</script>
  2. Visit a page with a quiz

image.png (204×476 px, 6 KB)

I'm not sure which quizzes exactly display this message, so here is the example quiz I used:

<quiz>
{Question
|type="()"}
+ The correct answer.
- Distractor.
- Distractor.
- Distractor.
</quiz>

Alternatively:

  • Make sure wgUseXssLanguage is set to true
  • Go to a page with a quiz and append ?uselang=x-xss to the URL

image.png (215×427 px, 11 KB)

Explanation

The message is provided to the template using the text() output mode and then inserted unescaped.

Additional Information

  • MediaWiki: 1.45.0-alpha (82464ab)
  • PHP: 8.3.14 (fpm-fcgi)
  • Quiz: 1.2.1 (975271a)
  • Browser: Firefox 138.0.3 (64-bit) on Fedora Linux 42

Details

Risk Rating
Low
Related Changes in Gerrit:
SubjectRepoBranchLines +/-
SECURITY: Properly escape the quiz-ignore-coef system messagemediawiki/extensions/QuizREL1_42+3 -4
SECURITY: Properly escape the quiz-ignore-coef system messagemediawiki/extensions/QuizREL1_44+3 -4
SECURITY: Properly escape the quiz-ignore-coef system messagemediawiki/extensions/QuizREL1_43+3 -4
SECURITY: Properly escape the quiz-ignore-coef system messagemediawiki/extensions/QuizREL1_39+3 -4
SECURITY: Properly escape the quiz-ignore-coef system messagemediawiki/extensions/Quizmaster+3 -4
Customize query in gerrit

Related Objects

Event Timeline

SomeRandomDeveloper created this task.May 18 2025, 8:32 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptMay 18 2025, 8:32 PM
SomeRandomDeveloper claimed this task.May 18 2025, 8:32 PM

Patch:

Quiz.diff1 KBDownload

SomeRandomDeveloper added a comment.May 18 2025, 8:34 PM

I could not find the maintainer of this extension, "lrbabe", on Phabricator, so I'm not sure who I could add here.

SomeRandomDeveloper renamed this task from Stored XSS through system messages in Extension:Quiz to Stored XSS through a system message in Extension:Quiz.May 18 2025, 8:35 PM
SomeRandomDeveloper added a project: affects-Miraheze.May 18 2025, 8:49 PM
SomeRandomDeveloper added subscribers: Universal_Omega, BlankEclair.
BlankEclair added a project: Vuln-XSS.May 18 2025, 9:03 PM
Aklapper added a project: MediaWiki-extensions-Quiz.May 18 2025, 9:31 PM
In T394612#10833079, @SomeRandomDeveloper wrote:

I could not find the maintainer of this extension, "lrbabe", on Phabricator, so I'm not sure who I could add here.

That's the author, not necessarily maintainer?

SomeRandomDeveloper added a comment.May 18 2025, 9:37 PM
In T394612#10833141, @Aklapper wrote:
In T394612#10833079, @SomeRandomDeveloper wrote:

I could not find the maintainer of this extension, "lrbabe", on Phabricator, so I'm not sure who I could add here.

That's the author, not necessarily maintainer?

True. In a lot of other extensions, the author mentioned on mediawiki.org or in extension.json is the maintainer, so I assumed that would be the case this time as well.

Bawolff subscribed.May 19 2025, 2:40 PM

Another case where mustache prevents phan-taint-check from detecting the issue

sbassett subscribed.May 19 2025, 2:58 PM
In T394612#10833079, @SomeRandomDeveloper wrote:

I could not find the maintainer of this extension, "lrbabe", on Phabricator, so I'm not sure who I could add here.

Many extensions like this aren't really maintained at this point, and potentially aren't even used by any external MediaWiki operators. Though we don't really have a great way to verify any information like this.

sbassett added a subscriber: gerritbot.May 19 2025, 4:29 PM
In T394612#10833075, @SomeRandomDeveloper wrote:

Patch:

Quiz.diff1 KBDownload

This looks reasonable to me. This should likely just get pushed through gerrit for public review since it's not bundled or Wikimedia-deployed. This can be done now or closer to the end of our quarter (2025-05-30) when we'll issue the next supplemental security release (T389312).

sbassett edited projects, added SecTeam-Processed; removed Security-Team.May 19 2025, 4:30 PM
sbassett mentioned this in T394383: CVE-2025-53487: Stored XSS through system messages in Extension:ApprovedRevs.May 19 2025, 4:34 PM
RhinosF1 added a subscriber: Paladox.May 19 2025, 4:46 PM
Restricted Application added a subscriber: RhinosF1. · View Herald TranscriptMay 19 2025, 4:46 PM
SomeRandomDeveloper added a comment.May 19 2025, 4:57 PM
In T394612#10835735, @sbassett wrote:
In T394612#10833075, @SomeRandomDeveloper wrote:

Patch:

Quiz.diff1 KBDownload

This looks reasonable to me. This should likely just get pushed through gerrit for public review since it's not bundled or Wikimedia-deployed. This can be done now or closer to the end of our quarter (2025-05-30) when we'll issue the next supplemental security release (T389312).

https://github.com/wikimedia/operations-mediawiki-config/blob/af3cd130d2b848052f93fc106ae4ebe8aa659f20/wmf-config/InitialiseSettings.php#L4097
Quiz is deployed on wikinews, wikiversity, wikibooks and three wikipedias.

sbassett added a project: Security-Team.May 19 2025, 5:07 PM
In T394612#10835925, @SomeRandomDeveloper wrote:

https://github.com/wikimedia/operations-mediawiki-config/blob/af3cd130d2b848052f93fc106ae4ebe8aa659f20/wmf-config/InitialiseSettings.php#L4097
Quiz is deployed on wikinews, wikiversity, wikibooks and three wikipedias.

Interesting. I had no idea that was still configured on any Wikimedia wikis. Many of these message issues have been considered low-risk in the past and have just been pushed through gerrit. See T2212 et al. But we can plan to deploy this as a security patch today if anyone else would like to CR your proposed patch here.

sbassett moved this task from Incoming to Security Patch To Deploy on the Security-Team board.May 19 2025, 5:07 PM
sbassett added a comment.EditedJun 2 2025, 9:47 PM

This is getting deployed to 1.45.0-wmf.3 today but here's a proper patch file for deployment and the security release:

01-T394612.patch2 KBDownload

Mstyles moved this task from Security Patch To Deploy to Watching on the Security-Team board.Jun 2 2025, 10:14 PM
Mstyles subscribed.
In T394612#10835925, @SomeRandomDeveloper wrote:
In T394612#10835735, @sbassett wrote:
In T394612#10833075, @SomeRandomDeveloper wrote:

Patch:

Quiz.diff1 KBDownload

This looks reasonable to me. This should likely just get pushed through gerrit for public review since it's not bundled or Wikimedia-deployed. This can be done now or closer to the end of our quarter (2025-05-30) when we'll issue the next supplemental security release (T389312).

https://github.com/wikimedia/operations-mediawiki-config/blob/af3cd130d2b848052f93fc106ae4ebe8aa659f20/wmf-config/InitialiseSettings.php#L4097
Quiz is deployed on wikinews, wikiversity, wikibooks and three wikipedias.

Deployed

sbassett changed the task status from Open to In Progress.Jun 10 2025, 7:01 PM
sbassett triaged this task as Low priority.
RhinosF1 mentioned this in T389312: Write and send supplementary release announcement for extensions and skins with security patches (1.39.13/1.42.7/1.43.2).Jul 3 2025, 12:22 PM
gerritbot added a comment.Jul 3 2025, 10:31 PM

Change #1166274 had a related patch set uploaded (by Jly; author: Jly):

[mediawiki/extensions/Quiz@master] SECURITY: Properly escape the quiz-ignore-coef system message

https://gerrit.wikimedia.org/r/1166274

gerritbot added a project: Patch-For-Review.Jul 3 2025, 10:31 PM

Change #1166275 had a related patch set uploaded (by Jly; author: Jly):

[mediawiki/extensions/Quiz@REL1_44] SECURITY: Properly escape the quiz-ignore-coef system message

https://gerrit.wikimedia.org/r/1166275

gerritbot added a comment.Jul 3 2025, 10:32 PM

Change #1166276 had a related patch set uploaded (by Jly; author: Jly):

[mediawiki/extensions/Quiz@REL1_43] SECURITY: Properly escape the quiz-ignore-coef system message

https://gerrit.wikimedia.org/r/1166276

gerritbot added a comment.Jul 3 2025, 10:33 PM

Change #1166277 had a related patch set uploaded (by Jly; author: Jly):

[mediawiki/extensions/Quiz@REL1_42] SECURITY: Properly escape the quiz-ignore-coef system message

https://gerrit.wikimedia.org/r/1166277

gerritbot added a comment.Jul 3 2025, 10:33 PM

Change #1166278 had a related patch set uploaded (by Jly; author: Jly):

[mediawiki/extensions/Quiz@REL1_39] SECURITY: Properly escape the quiz-ignore-coef system message

https://gerrit.wikimedia.org/r/1166278

gerritbot added a comment.Jul 7 2025, 2:33 PM

Change #1166274 merged by jenkins-bot:

[mediawiki/extensions/Quiz@master] SECURITY: Properly escape the quiz-ignore-coef system message

https://gerrit.wikimedia.org/r/1166274

gerritbot added a comment.Jul 7 2025, 2:41 PM

Change #1166278 merged by jenkins-bot:

[mediawiki/extensions/Quiz@REL1_39] SECURITY: Properly escape the quiz-ignore-coef system message

https://gerrit.wikimedia.org/r/1166278

gerritbot added a comment.Jul 7 2025, 2:43 PM

Change #1166276 merged by jenkins-bot:

[mediawiki/extensions/Quiz@REL1_43] SECURITY: Properly escape the quiz-ignore-coef system message

https://gerrit.wikimedia.org/r/1166276

gerritbot added a comment.Jul 7 2025, 2:44 PM

Change #1166275 merged by jenkins-bot:

[mediawiki/extensions/Quiz@REL1_44] SECURITY: Properly escape the quiz-ignore-coef system message

https://gerrit.wikimedia.org/r/1166275

gerritbot added a comment.Jul 7 2025, 3:07 PM

Change #1166277 merged by Jly:

[mediawiki/extensions/Quiz@REL1_42] SECURITY: Properly escape the quiz-ignore-coef system message

https://gerrit.wikimedia.org/r/1166277

Jly renamed this task from Stored XSS through a system message in Extension:Quiz to CVE-2025-7057: Stored XSS through a system message in Extension:Quiz.Jul 7 2025, 3:08 PM
Jly closed this task as Resolved.
Jly removed a project: Patch-For-Review.
Jly changed the visibility from "Custom Policy" to "Public (No Login Required)".Jul 7 2025, 6:42 PM
Jly changed the edit policy from "Custom Policy" to "All Users".
Jly changed Risk Rating from N/A to Low.
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits