The Cargo extension is vulnerable to stored XSS: malicious HTML inserted through wikitext into a Cargo table field is printed on the drilldown page without proper sanitization.
Reproduction steps
- Create Template:CargoXSSTemplate with the following contents:
<noinclude>
{{#cargo_declare:_table=TestTable
|Payload=String}}
</noinclude>
<includeonly>
{{#cargo_store:_table=TestTable}}
{|
! XSS Payload
| {{{Payload|}}}
|}
</includeonly>
- Go to /w/index.php?title=Template:CargoXSSTemplate&action=recreatedata and click "OK"
- Create a page named CargoXSS with the following contents:
{{CargoXSSTemplate|Payload=<script>alert('xss :D')</script>}}
- Go to /wiki/Special:Drilldown/TestTable
Cause
The filter value is not escaped here:
https://github.com/wikimedia/mediawiki-extensions-Cargo/blob/601e7f91939e62985ad649df8edb255d34052478/drilldown/CargoDrilldownPage.php#L350
This string gets passed through a few functions and is then added as HTML:
https://github.com/wikimedia/mediawiki-extensions-Cargo/blob/601e7f91939e62985ad649df8edb255d34052478/drilldown/CargoDrilldownPage.php#L649
https://github.com/wikimedia/mediawiki-extensions-Cargo/blob/601e7f91939e62985ad649df8edb255d34052478/drilldown/CargoDrilldownPage.php#L552
https://github.com/wikimedia/mediawiki-extensions-Cargo/blob/601e7f91939e62985ad649df8edb255d34052478/drilldown/CargoDrilldownPage.php#L1096
https://github.com/wikimedia/mediawiki-extensions-Cargo/blob/601e7f91939e62985ad649df8edb255d34052478/drilldown/CargoDrilldownPage.php#L1342
Callstack:
CargoDrilldownPage.php:350, CargoDrilldownPage->printFilterValue()
CargoDrilldownPage.php:649, CargoDrilldownPage->printFilterValueLink()
CargoDrilldownPage.php:552, CargoDrilldownPage->printUnappliedFilterValues()
CargoDrilldownPage.php:1096, CargoDrilldownPage->printUnappliedFilterLine()
CargoDrilldownPage.php:1342, CargoDrilldownPage->getPageHeader()
QueryPage.php:786, MediaWiki\SpecialPage\QueryPage->execute()
CargoSpecialDrilldown.php:276, CargoSpecialDrilldown->execute()
SpecialPage.php:725, MediaWiki\SpecialPage\SpecialPage->run()
SpecialPageFactory.php:1732, MediaWiki\SpecialPage\SpecialPageFactory->executePath()
ActionEntryPoint.php:499, MediaWiki\Actions\ActionEntryPoint->performRequest()
ActionEntryPoint.php:143, MediaWiki\Actions\ActionEntryPoint->execute()
MediaWikiEntryPoint.php:198, MediaWiki\MediaWikiEntryPoint->run()
index.php:58, {main}()
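As an added illustration of the bug class described above (this is not Cargo's own code and not the fix for this report), the difference between concatenating a stored field value into anchor text and escaping it first; the function names and the $filterValue variable are hypothetical stand-ins for the drilldown rendering path:

```php
<?php
// Added illustration only; NOT code from the Cargo extension. Function
// names and variables are hypothetical stand-ins for the drilldown path.

// Constructed sample: a field value as it would come back from the Cargo
// table after the template above stored it (the payload from the report).
$filterValue = "<script>alert('xss :D')</script>";
$href = '/wiki/Special:Drilldown/TestTable';

// Vulnerable pattern: the raw database string is concatenated into the
// link text, so the browser parses the stored markup as HTML.
function printFilterValueUnsafe( string $value, string $href ): string {
    return '<a href="' . htmlspecialchars( $href, ENT_QUOTES ) . '">'
        . $value . '</a>';
}

// Hardened pattern: the same value is HTML-escaped before it becomes
// element content, so the stored string is displayed, not executed.
function printFilterValueSafe( string $value, string $href ): string {
    return '<a href="' . htmlspecialchars( $href, ENT_QUOTES ) . '">'
        . htmlspecialchars( $value, ENT_QUOTES ) . '</a>';
}

// In MediaWiki code the idiomatic form is Html::element(), which escapes
// its text argument, as opposed to Html::rawElement(), which does not:
//   Html::element( 'a', [ 'href' => $href ], $value );

// Simple check a reviewer can run: the hardened output must not contain
// an unescaped tag, while the vulnerable one does.
function containsRawScriptTag( string $html ): bool {
    return str_contains( $html, '<script>' );
}

echo printFilterValueUnsafe( $filterValue, $href ), "\n";
echo printFilterValueSafe( $filterValue, $href ), "\n";
var_dump( containsRawScriptTag( printFilterValueUnsafe( $filterValue, $href ) ) );
var_dump( containsRawScriptTag( printFilterValueSafe( $filterValue, $href ) ) );
```

The same escaping rule applies to every hop in the call stack above: a value that was not escaped where it is first rendered stays dangerous no matter how many functions later append it to the page.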
