Page MenuHomePhabricator
Create Task
Maniphest T394693

CVE-2025-53479: Special:CheckUser has i18n XSS vectors
Closed, ResolvedPublic1 Estimated Story PointsSecurity
Actions

Description

Summary

The CheckUser extension has Special:CheckUser which is currently vulnerable to i18n XSS (through checking with the x-xss language). These XSS vectors should be fixed.

Background

  • The x-xss language allows finding messages which are not properly escaped in MediaWiki interfaces
  • The CheckUser extension has Special:CheckUser for checking users to see if they have performed abuse through sockpuppetry
  • When using the x-xss language on Special:CheckUser after submitting the form, there are several popup alerts that indicate the CheckUser is not properly escaping these messages
  • The messages that is vulnerable is rev-deleted-user

Technical notes

To reproduce:

  1. Set $wgUseXssLanguage to be true
  2. Create a user which is then suppressed
  3. Load Special:CheckUser
  4. Modify the HTML of the POST form to include a hidden input field that sets uselang to x-xss in the POST request (e.g. add <input type="hidden" value="x-xss" name="uselang"> somewhere inside the <form> element)
    1. This is needed because we can't add the uselang=x-xss query param to the URL as the checks use POST requests
  5. Submit the form

Screenshots

image.png (152×458 px, 7 KB)

Acceptance criteria

  • The CheckUser Special:CheckUser page is no longer vulnerable to i18n XSS

Details

Risk Rating
Medium
Author Affiliation
WMF Technology
Related Changes in Gerrit:
SubjectRepoBranchLines +/-
SECURITY: Fix i18n XSS vector in Special:CheckUsermediawiki/extensions/CheckUsermaster+2 -2
SECURITY: Fix i18n XSS vector in Special:CheckUsermediawiki/extensions/CheckUserREL1_44+2 -2
Customize query in gerrit

Related Objects

Event Timeline

Dreamy_Jazz created this task.May 19 2025, 4:01 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptMay 19 2025, 4:01 PM
Dreamy_Jazz changed Author Affiliation from N/A to WMF Technology.May 19 2025, 4:01 PM
Dreamy_Jazz added projects: CheckUser, Trust and Safety Product Team.
Dreamy_Jazz set the point value for this task to 1.
Dreamy_Jazz added a project: Trust and Safety Product Sprint (Sprint Key Lime Pie (May 5 - May 23)).
Dreamy_Jazz added a project: Vuln-XSS.
Dreamy_Jazz added a comment.May 19 2025, 4:08 PM

Appears to have been caused by a8157231a0d781b5a79884f23d9e302d0a792de5. That means that we will need to only backport it to REL1_44 after fixing on production and master branch.

Dreamy_Jazz renamed this task from Special:CheckUser has i18n XSS vectors to Special:CheckUser has i18n XSS vector.May 19 2025, 4:10 PM
Dreamy_Jazz updated the task description. (Show Details)
Dreamy_Jazz renamed this task from Special:CheckUser has i18n XSS vector to Special:CheckUser has i18n XSS vectors.May 19 2025, 4:31 PM

T394693.patch1 KBDownload

Dreamy_Jazz claimed this task.May 19 2025, 4:32 PM
Dreamy_Jazz moved this task from Priority Backlog to Needs Review on the Trust and Safety Product Sprint (Sprint Key Lime Pie (May 5 - May 23)) board.
Dreamy_Jazz added a project: Patch-For-Review.
mszabo subscribed.May 19 2025, 4:34 PM

+2

sbassett triaged this task as Medium priority.May 19 2025, 4:35 PM
sbassett moved this task from Incoming to Security Patch To Deploy on the Security-Team board.
sbassett added a project: SecTeam-Processed.
sbassett changed Risk Rating from N/A to Medium.
sbassett subscribed.May 19 2025, 9:22 PM

Deployed to Wikimedia production.

sbassett changed the task status from Open to In Progress.May 19 2025, 9:22 PM
sbassett moved this task from Security Patch To Deploy to Watching on the Security-Team board.
sbassett mentioned this in T389312: Write and send supplementary release announcement for extensions and skins with security patches (1.39.13/1.42.7/1.43.2).May 19 2025, 9:30 PM
sbassett removed a project: Patch-For-Review.May 19 2025, 9:45 PM
Dreamy_Jazz moved this task from Needs Review to Needs QA on the Trust and Safety Product Sprint (Sprint Key Lime Pie (May 5 - May 23)) board.May 21 2025, 12:51 PM
Dreamy_Jazz added a comment.May 21 2025, 1:00 PM

This may be hard to QA on production, so probably best wait until the patches are backported.

kostajh edited projects, added Trust and Safety Product Sprint (Sprint Carrot Cake (May 26 - June 13)); removed Trust and Safety Product Sprint (Sprint Key Lime Pie (May 5 - May 23)).May 25 2025, 6:52 PM
kostajh moved this task from Priority Backlog to Needs QA on the Trust and Safety Product Sprint (Sprint Carrot Cake (May 26 - June 13)) board.
Dreamy_Jazz added a subscriber: hector.arroyo.May 28 2025, 4:50 PM
Dreamy_Jazz added a comment.EditedMay 28 2025, 6:03 PM

@sbassett can we make this fix public? CheckUser isn't bundled until the release of 1.44 and T395291: Checkuser: Double quotation marks in user names break the summary table has been filed which would be fixed by this security fix. Plus @hector.arroyo has mentioned that the fix is to properly escape without knowing about this task, so a patch exists which indicates that we were not properly escaping.

sbassett added a comment.May 28 2025, 6:56 PM
In T394693#10865219, @Dreamy_Jazz wrote:

@sbassett can we make this fix public? CheckUser isn't bundled until the release of 1.44 and T395291: Checkuser: Double quotation marks in user names break the summary table has been filed which would be fixed by this security fix. Plus @hector.arroyo has mentioned that the fix is to properly escape without knowing about this task, so a patch exists which indicates that we were not properly escaping.

Yes, that's fine. I'll open it up now.

sbassett changed the visibility from "Custom Policy" to "Public (No Login Required)".May 28 2025, 6:56 PM
sbassett changed the edit policy from "Custom Policy" to "All Users".
sbassett added a subscriber: gerritbot.
gerritbot added a comment.May 28 2025, 6:59 PM

Change #1151777 had a related patch set uploaded (by SBassett; author: Dreamy Jazz):

[mediawiki/extensions/CheckUser@master] SECURITY: Fix i18n XSS vector in Special:CheckUser

https://gerrit.wikimedia.org/r/1151777

gerritbot added a project: Patch-For-Review.May 28 2025, 6:59 PM

Change #1151778 had a related patch set uploaded (by SBassett; author: Dreamy Jazz):

[mediawiki/extensions/CheckUser@REL1_44] SECURITY: Fix i18n XSS vector in Special:CheckUser

https://gerrit.wikimedia.org/r/1151778

gerritbot added a comment.May 28 2025, 7:21 PM

Change #1151778 merged by jenkins-bot:

[mediawiki/extensions/CheckUser@REL1_44] SECURITY: Fix i18n XSS vector in Special:CheckUser

https://gerrit.wikimedia.org/r/1151778

gerritbot added a comment.May 28 2025, 7:27 PM

Change #1151777 merged by jenkins-bot:

[mediawiki/extensions/CheckUser@master] SECURITY: Fix i18n XSS vector in Special:CheckUser

https://gerrit.wikimedia.org/r/1151777

sbassett closed this task as Resolved.May 28 2025, 7:29 PM
sbassett moved this task from Watching to Our Part Is Done on the Security-Team board.
sbassett removed a project: Patch-For-Review.
ReleaseTaggerBot added a project: MW-1.45-notes (1.45.0-wmf.4; 2025-06-03).May 28 2025, 8:00 PM
Izno merged a task: T395291: Checkuser: Double quotation marks in user names break the summary table.May 28 2025, 9:46 PM
Izno subscribed.
Dreamy_Jazz mentioned this in T395291: Checkuser: Double quotation marks in user names break the summary table.May 28 2025, 9:51 PM
Stashbot added a comment.May 28 2025, 11:10 PM

Mentioned in SAL (#wikimedia-operations) [2025-05-28T23:10:10Z] <logmsgbot> dreamyjazz Deployed security patch for T394693

Stashbot added a comment.May 28 2025, 11:22 PM

Mentioned in SAL (#wikimedia-operations) [2025-05-28T23:22:22Z] <logmsgbot> dreamyjazz Deployed security patch for T394693

Dreamy_Jazz added a comment.May 28 2025, 11:24 PM

The patch wasn't deployed to the active wiki versions. I've fixed this.

Dreamy_Jazz added a comment.May 28 2025, 11:31 PM

It seems that the deploy_security.py script failed to add the patch to the relevant patches folder. I've manually fixed that.

Dreamy_Jazz merged a task: T395291: Checkuser: Double quotation marks in user names break the summary table.May 28 2025, 11:53 PM
Dreamy_Jazz moved this task from Needs QA to Done on the Trust and Safety Product Sprint (Sprint Carrot Cake (May 26 - June 13)) board.May 29 2025, 11:37 AM
mmartorana renamed this task from Special:CheckUser has i18n XSS vectors to CVE-2025-53479: Special:CheckUser has i18n XSS vectors.Jul 8 2025, 5:33 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits