Page MenuHomePhabricator
Create Task
Maniphest T394869

CVE-2025-7056: Stored XSS through a system message in UrlShortener
Closed, ResolvedPublicSecurity
Actions

Description

In the UrlShortener extension, the urlshortener-failed-try-again system message is inserted as HTML without proper sanitization.

Reproduction Steps

  1. Clone UrlShortener, add it to LocalSettings and run update.php
  2. Go to any article in your wiki
  3. Append the ?uselang=x-xss parameter to the end of the url
  4. Open the "Tools" dropdown and click on the entry containing urlshortener-toolbox

image.png (154×470 px, 7 KB)

(Not sure what I did wrong when setting up the extension but this way I got the error message to show up)

Cause

The unsanitized system message is passed into jQuery's .html() function:

https://github.com/wikimedia/mediawiki-extensions-UrlShortener/blob/8a9f6c9c456a662e77ae3677827e19b3af6c05e0/modules/ext.urlShortener.toolbar.js#L89

Details

Risk Rating
Low
Author Affiliation
Wikimedia Communities
Related Changes in Gerrit:
SubjectRepoBranchLines +/-
SECURITY: Insert system message as text instead of htmlmediawiki/extensions/UrlShortenerREL1_42+1 -1
SECURITY: Insert system message as text instead of htmlmediawiki/extensions/UrlShortenermaster+1 -1
SECURITY: Insert system message as text instead of htmlmediawiki/extensions/UrlShortenerREL1_43+1 -1
SECURITY: Insert system message as text instead of htmlmediawiki/extensions/UrlShortenerREL1_44+1 -1
SECURITY: Insert system message as text instead of htmlmediawiki/extensions/UrlShortenerREL1_39+178 -0
Customize query in gerrit

Related Objects
Search...

StatusSubtypeAssignedTask
Restricted Task
 ResolvedSecurityNoneT394869 CVE-2025-7056: Stored XSS through a system message in UrlShortener

Event Timeline

SomeRandomDeveloper created this task.May 20 2025, 11:34 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptMay 20 2025, 11:34 PM
SomeRandomDeveloper added a comment.May 20 2025, 11:35 PM

Patch:

UrlShortener.diff508 BDownload

SomeRandomDeveloper added a parent task: Restricted Task.May 20 2025, 11:35 PM
SomeRandomDeveloper added a project: affects-Miraheze.
Aklapper added a project: MediaWiki-extensions-UrlShortener.May 21 2025, 6:47 AM
Ladsgroup subscribed.May 21 2025, 12:51 PM

The patch looks good to me. I can try to deploy it a bit later.

sbassett subscribed.May 21 2025, 2:40 PM
In T394869#10842157, @SomeRandomDeveloper wrote:

Patch:

UrlShortener.diff508 BDownload

Per https://www.mediawiki.org/wiki/Developing_security_patches#Initial_steps, can you reformat the above patch and post as a correctly-named .patch file with SECURITY: at the beginning of the subject line? Thanks.

SomeRandomDeveloper added a comment.May 21 2025, 2:48 PM

Updated patch:

T394869.patch1019 BDownload

Is it correctly formatted now?

sbassett added a comment.May 21 2025, 2:56 PM
In T394869#10844606, @SomeRandomDeveloper wrote:

Updated patch:

T394869.patch1019 BDownload

Is it correctly formatted now?

Yep, CR+1, LGTM.

sbassett moved this task from Incoming to Security Patch To Deploy on the Security-Team board.May 21 2025, 3:09 PM
sbassett added projects: SecTeam-Processed, Vuln-XSS.
Mstyles moved this task from Security Patch To Deploy to Watching on the Security-Team board.Jun 2 2025, 10:14 PM
Mstyles subscribed.
In T394869#10844674, @sbassett wrote:
In T394869#10844606, @SomeRandomDeveloper wrote:

Updated patch:

T394869.patch1019 BDownload

Is it correctly formatted now?

Yep, CR+1, LGTM.

Deployed

sbassett changed the task status from Open to In Progress.Jun 10 2025, 7:00 PM
sbassett triaged this task as Low priority.
RhinosF1 mentioned this in T389312: Write and send supplementary release announcement for extensions and skins with security patches (1.39.13/1.42.7/1.43.2).Jul 3 2025, 12:22 PM
Jly added a subscriber: gerritbot.Jul 3 2025, 10:18 PM
gerritbot added a comment.Jul 3 2025, 10:20 PM

Change #1166269 had a related patch set uploaded (by Jly; author: Jly):

[mediawiki/extensions/UrlShortener@REL1_44] SECURITY: Insert system message as text instead of html

https://gerrit.wikimedia.org/r/1166269

gerritbot added a project: Patch-For-Review.Jul 3 2025, 10:20 PM

Change #1166270 had a related patch set uploaded (by Jly; author: Jly):

[mediawiki/extensions/UrlShortener@REL1_43] SECURITY: Insert system message as text instead of html

https://gerrit.wikimedia.org/r/1166270

gerritbot added a comment.Jul 3 2025, 10:20 PM

Change #1166271 had a related patch set uploaded (by Jly; author: Jly):

[mediawiki/extensions/UrlShortener@REL1_42] SECURITY: Insert system message as text instead of html

https://gerrit.wikimedia.org/r/1166271

gerritbot added a comment.Jul 3 2025, 10:22 PM

Change #1166272 had a related patch set uploaded (by Jly; author: Jly):

[mediawiki/extensions/UrlShortener@REL1_39] SECURITY: Insert system message as text instead of html

https://gerrit.wikimedia.org/r/1166272

gerritbot added a comment.Jul 3 2025, 10:28 PM

Change #1166268 abandoned by Jly:

[mediawiki/extensions/UrlShortener@master] SECURITY: Insert system message as text instead of html

https://gerrit.wikimedia.org/r/1166268

gerritbot added a comment.Jul 3 2025, 10:28 PM

Change #1166268 restored by Jly:

[mediawiki/extensions/UrlShortener@master] SECURITY: Insert system message as text instead of html

https://gerrit.wikimedia.org/r/1166268

gerritbot added a comment.Jul 3 2025, 10:28 PM

Change #1166272 abandoned by Jly:

[mediawiki/extensions/UrlShortener@REL1_39] SECURITY: Insert system message as text instead of html

https://gerrit.wikimedia.org/r/1166272

gerritbot added a comment.Jul 4 2025, 1:08 AM

Change #1166269 merged by jenkins-bot:

[mediawiki/extensions/UrlShortener@REL1_44] SECURITY: Insert system message as text instead of html

https://gerrit.wikimedia.org/r/1166269

gerritbot added a comment.Jul 4 2025, 1:08 AM

Change #1166270 merged by jenkins-bot:

[mediawiki/extensions/UrlShortener@REL1_43] SECURITY: Insert system message as text instead of html

https://gerrit.wikimedia.org/r/1166270

gerritbot added a comment.Jul 4 2025, 1:22 AM

Change #1166268 merged by jenkins-bot:

[mediawiki/extensions/UrlShortener@master] SECURITY: Insert system message as text instead of html

https://gerrit.wikimedia.org/r/1166268

SomeRandomDeveloper added a subscriber: Jly.Jul 4 2025, 6:51 AM

@Jly @sbassett per my comment in T396524#10972019, please make sure to provide attribution when uploading patches I made. There is a number of security patches currently open on Gerrit that were provided by me in the respective tasks, but the author field is set to @Jly and no form of attribution is provided in any way. The ones for this task are already merged without any attribution provided either.

gerritbot added a comment.Jul 4 2025, 10:19 AM

Change #1166271 merged by Jly:

[mediawiki/extensions/UrlShortener@REL1_42] SECURITY: Insert system message as text instead of html

https://gerrit.wikimedia.org/r/1166271

Jly added a comment.EditedJul 7 2025, 1:51 PM

@SomeRandomDeveloper Apologies, this was a mistake and has been corrected on all the uploaded patches where possible. I have some error permission with the Quiz extension and have asked a team member to correct the author/attribution.

Jly renamed this task from Stored XSS through a system message in UrlShortener to CVE-2025-7056: Stored XSS through a system message in UrlShortener.Jul 7 2025, 1:52 PM
Jly closed this task as Resolved.
Jly removed a project: Patch-For-Review.
SomeRandomDeveloper added a comment.Jul 7 2025, 3:54 PM
In T394869#10979102, @Jly wrote:

@SomeRandomDeveloper Apologies, this was a mistake and has been corrected on all the uploaded patches where possible. I have some error permission with the Quiz extension and have asked a team member to correct the author/attribution.

Thanks!

sbassett changed Author Affiliation from N/A to Wikimedia Communities.Jul 7 2025, 5:24 PM
sbassett changed the visibility from "Custom Policy" to "Public (No Login Required)".
sbassett changed the edit policy from "Custom Policy" to "All Users".
sbassett changed Risk Rating from N/A to Low.
sbassett moved this task from Watching to Our Part Is Done on the Security-Team board.Jul 7 2025, 5:31 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits