
CVE-2025-7362: Stored XSS through a system message in MsUpload
Closed, Resolved | Public | Security

Description

In the MsUpload extension, the msu-continue system message is inserted as HTML without proper sanitization.

Reproduction Steps

  1. Make sure the WikiEditor and MsUpload extensions are enabled

Either:

  1. Go to any page and edit it.
  2. Make sure $wgUseXssLanguage is enabled and the uselang=x-xss parameter is appended to the end of the URL, e.g. w/index.php?title=Test23523195&action=edit&uselang=x-xss
  3. Drag a file into the "Drop files here" section (called msu-dropzone when using x-xss) that has the same name as a file that is already uploaded onto the wiki

MsUploadReprodMethod1.png (171×437 px, 10 KB)

Or:

  1. Edit MediaWiki:Msu-continue to <script>alert("XSS!")</script>
  2. Edit any article
  3. Drag a file into the "Drop files here" section that has the same name as a file that is already uploaded onto the wiki

MsUploadReprodMethod2.png (193×458 px, 7 KB)

Cause

https://github.com/wikimedia/mediawiki-extensions-MsUpload/blob/53c02fd8cd1f54c94ba2043a91705f3ad5c898ca/resources/MsUpload.js#L184
The msu-continue message is retrieved without sanitization using the text output mode (the shorthand mw.msg() is used here) and passed to jQuery's .append() function, which parses the string as HTML and appends the resulting nodes to the element. Any markup in the message, including a <script> tag, therefore ends up in the live DOM.

Event Timeline

SomeRandomDeveloper added a subscriber: Sophivorus.

Patch:


This might cause merge conflicts on <REL1_43 since the file was reformatted in ed003b9.

Not sure how to proceed with these kinds of security fixes. Should I adapt and apply that diff to all the branches and merge them directly via "git push" rather than "git review"?

> Not sure how to proceed with these kinds of security fixes. Should I adapt and apply that diff to all the branches and merge them directly via "git push" rather than "git review"?

I don't think that's possible; since this isn't deployed on WMF, you can upload the patch to gerrit normally, merge it as soon as the tests have run and then backport the changeset to the other branches. I'll contact someone from Miraheze then who can update the extension. Also note my prior comment about possible merge conflicts on other branches.

> Not sure how to proceed with these kinds of security fixes. Should I adapt and apply that diff to all the branches and merge them directly via "git push" rather than "git review"?

> I don't think that's possible; since this isn't deployed on WMF, you can upload the patch to gerrit normally, merge it as soon as the tests have run and then backport the changeset to the other branches. I'll contact someone from Miraheze then who can update the extension. Also note my prior comment about possible merge conflicts on other branches.

That's right. If it's for non-Wikimedia-deployed, non-bundled extensions or skins, these can just be pushed through gerrit, and they'll eventually make it into the next supplemental security release (currently T389312). Especially for generally low-risk issues like message XSSes.

Change #1150676 had a related patch set uploaded (by Sophivorus; author: Sophivorus):

[mediawiki/extensions/MsUpload@master] Sanitize message before appending

https://gerrit.wikimedia.org/r/1150676

Hi! Well, I sent the diff for review but now Jenkins is complaining about not finding #wpTextbox1 or something. I tried to fix it but failed. I would appreciate any help or guidance on this annoyance. If not, I'll remove the Jenkins vote and merge anyway. Cheers!

Change #1150676 merged by jenkins-bot:

[mediawiki/extensions/MsUpload@master] Sanitize message before appending

https://gerrit.wikimedia.org/r/1150676

Thanks, that was it. I was testing in REL1_43.

Next I'll backport the fix to 1.44, 1.43, 1.42 and 1.39 (the versions available for download at MsUpload's extension distributor).

Change #1150733 had a related patch set uploaded (by Sophivorus; author: Sophivorus):

[mediawiki/extensions/MsUpload@REL1_44] Sanitize message before appending

https://gerrit.wikimedia.org/r/1150733

Change #1150734 had a related patch set uploaded (by Sophivorus; author: Sophivorus):

[mediawiki/extensions/MsUpload@REL1_43] Sanitize message before appending

https://gerrit.wikimedia.org/r/1150734

Change #1150733 merged by jenkins-bot:

[mediawiki/extensions/MsUpload@REL1_44] Sanitize message before appending

https://gerrit.wikimedia.org/r/1150733

Change #1150734 merged by jenkins-bot:

[mediawiki/extensions/MsUpload@REL1_43] Sanitize message before appending

https://gerrit.wikimedia.org/r/1150734

Change #1150735 had a related patch set uploaded (by Sophivorus; author: Sophivorus):

[mediawiki/extensions/MsUpload@REL1_42] Sanitize message before appending

https://gerrit.wikimedia.org/r/1150735

Change #1150736 had a related patch set uploaded (by Sophivorus; author: Sophivorus):

[mediawiki/extensions/MsUpload@REL1_39] Sanitize message before appending

https://gerrit.wikimedia.org/r/1150736

Change #1150736 merged by jenkins-bot:

[mediawiki/extensions/MsUpload@REL1_39] Sanitize message before appending

https://gerrit.wikimedia.org/r/1150736

Change #1150735 merged by jenkins-bot:

[mediawiki/extensions/MsUpload@REL1_42] Sanitize message before appending

https://gerrit.wikimedia.org/r/1150735

All done. If someone wants to review this, we can close it. Cheers!

> All done. If someone wants to review this, we can close it. Cheers!

Thanks. The Security-Team will open up this bug during our clinic today. And this issue will be re-announced with the next supplemental security release, due out later in June 2025.

sbassett changed the task status from Open to In Progress. May 27 2025, 3:56 PM
sbassett triaged this task as Low priority.
sbassett changed Author Affiliation from N/A to Wikimedia Communities.
sbassett edited projects, added SecTeam-Processed; removed Patch-For-Review.
sbassett changed the visibility from "Custom Policy" to "Public (No Login Required)".
sbassett changed the edit policy from "Custom Policy" to "All Users".
sbassett changed Risk Rating from N/A to Low.
sbassett moved this task from Incoming to Watching on the Security-Team board.
SomeRandomDeveloper claimed this task.

Closing as this was fixed a while ago and is no longer reproducible.

mmartorana renamed this task from "Stored XSS through a system message in MsUpload" to "CVE-2025-7362: Stored XSS through a system message in MsUpload". Jul 8 2025, 5:28 PM