Page MenuHomePhabricator
Create Task
Maniphest T402313

CVE-2025-61642: Stored XSS through system messages provided to CodexHtmlForms
Closed, ResolvedPublicSecurity
Actions

Description

System messages set via CodexHtmlForm::setSubmitTextMsg are inserted unescaped into raw HTML by CodexHtmlForm, allowing for stored XSS.

Reproduction steps

  1. Add the following to your LocalSettings.php:
$wgUseCodexSpecialBlock = true;
$wgEnableMultiBlocks = true;
$wgUseXssLanguage = true;
  1. Go to /wiki/Special:Block?uselang=x-xss

image.png (376×563 px, 12 KB)

Cause

SpecialBlock uses HtmlForm::setSubmitTextMsg to set the submit button label to a message:
https://github.com/wikimedia/mediawiki/blob/9f7d6e01394306ac1c32b5602d2e545a7f50b320/includes/specials/SpecialBlock.php#L301-L302
HtmlForm::setSubmitTextMsg sets the submit text to the message in the text() output mode without escaping any characters:
https://github.com/wikimedia/mediawiki/blob/9f7d6e01394306ac1c32b5602d2e545a7f50b320/includes/htmlform/HTMLForm.php#L1557
CodexHtmlForm retrieves this value and assigns it to $submitButtonLabel:
https://github.com/wikimedia/mediawiki/blob/9f7d6e01394306ac1c32b5602d2e545a7f50b320/includes/htmlform/CodexHTMLForm.php#L172
The value is passed to HTMLButtonField::buildCodexComponent:
https://github.com/wikimedia/mediawiki/blob/9f7d6e01394306ac1c32b5602d2e545a7f50b320/includes/htmlform/CodexHTMLForm.php#L190-L194
HTMLButtonField inserts the label as raw HTML using Html::rawElement:
https://github.com/wikimedia/mediawiki/blob/9f7d6e01394306ac1c32b5602d2e545a7f50b320/includes/htmlform/fields/HTMLButtonField.php#L174-L176

I think this issue should be fixed in HTMLButtonField, as the documentation does not clearly state that the parameter is used as HTML:

* @param string $buttonLabel The button's label attribute.

https://github.com/wikimedia/mediawiki/blob/9f7d6e01394306ac1c32b5602d2e545a7f50b320/includes/htmlform/fields/HTMLButtonField.php#L144-L156

Additional information

Details

Risk Rating
Medium
Author Affiliation
Wikimedia Communities
Related Changes in Gerrit:
SubjectRepoBranchLines +/-
SECURITY: Escape submit button label for Codex-based HTMLFormsmediawiki/coremaster+3 -4
SECURITY: Escape submit button label for Codex-based HTMLFormsmediawiki/coreREL1_44+3 -4
SECURITY: Escape submit button label for Codex-based HTMLFormsmediawiki/coreREL1_43+3 -4
Customize query in gerrit

Related Objects
Search...

Event Timeline

SomeRandomDeveloper created this task.Aug 19 2025, 2:49 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptAug 19 2025, 2:49 PM
SomeRandomDeveloper added projects: MediaWiki-HTMLForm, Vuln-XSS.Aug 19 2025, 2:50 PM
SomeRandomDeveloper updated the task description. (Show Details)
Daimona subscribed.Aug 19 2025, 6:12 PM

Hmmm I wonder why taint-check didn't catch these, even with --analyze-twice; maybe it's T289314 (happy 4th birthday to that task!).

I think this issue should be fixed in HTMLButtonField, as the documentation does not clearly state that the parameter is used as HTML:

Yeah, I think we should htmlspecialchars $submitButtonLabel. The call in HTMLButtonField#137 does that already for the default, and it otherwise passes $this->buttonLabel which is also already escaped.

Daimona added a comment.Aug 19 2025, 6:23 PM
In T402313#11099743, @Daimona wrote:

Hmmm I wonder why taint-check didn't catch these, even with --analyze-twice; maybe it's T289314 (happy 4th birthday to that task!).

From a quick look, I think it can determine that something unsafe ends up being passed in that rawElement call. However, what I didn't remember well, is that this alone won't emit an issue. rawElement is not annotated with EXEC taint, so we'd only emit an issue when the element is output. For the code in question, HTMLForm::getHTML calls $this->getButtons() which includes the tainted element, but because of T289314, we do not check the subclass implementation of getButtons. If we did that, we might be able to catch these given the addHTML call in displayForm, modulo potentially increasing the analysis max recursion depth, and assuming it isn't also affected by T274780.

sbassett assigned this task to Catrope.Aug 25 2025, 4:32 PM
sbassett moved this task from Incoming to In Progress on the Security-Team board.
sbassett added a project: SecTeam-Processed.
Catrope added a comment.Aug 25 2025, 5:01 PM

0001-SECURITY-Escape-submit-button-label-for-Codex-based-.patch1 KBDownload

Mstyles subscribed.Aug 26 2025, 6:04 PM
In T402313#11116029, @Catrope wrote:

0001-SECURITY-Escape-submit-button-label-for-Codex-based-.patch1 KBDownload

+2

sbassett moved this task from In Progress to Security Patch To Deploy on the Security-Team board.Aug 26 2025, 6:10 PM
Mstyles added a parent task: T397767: Tracking bug for MediaWiki 1.39.14/1.43.4/1.44.1.Aug 28 2025, 9:56 PM
Mstyles added a comment.Aug 28 2025, 10:00 PM
In T402313#11116029, @Catrope wrote:

0001-SECURITY-Escape-submit-button-label-for-Codex-based-.patch1 KBDownload

Deployed

Mstyles moved this task from Security Patch To Deploy to Watching on the Security-Team board.Aug 28 2025, 10:00 PM
Reedy added a subscriber: gerritbot.Sep 17 2025, 1:36 PM
Reedy renamed this task from Stored XSS through system messages provided to CodexHtmlForms to CVE-2025-61642: Stored XSS through system messages provided to CodexHtmlForms.Sep 29 2025, 1:26 PM
Reedy added projects: MW-1.43-release, MW-1.44-release.Sep 29 2025, 6:56 PM
Reedy closed this task as Resolved.Oct 1 2025, 8:55 PM
gerritbot added a comment.Oct 2 2025, 6:50 PM

Change #1193175 had a related patch set uploaded (by Reedy; author: Catrope):

[mediawiki/core@REL1_43] SECURITY: Escape submit button label for Codex-based HTMLForms

https://gerrit.wikimedia.org/r/1193175

gerritbot added a project: Patch-For-Review.Oct 2 2025, 6:50 PM
SomeRandomDeveloper mentioned this in T394396: CVE-2025-61636: Codex Special:Block vulnerable to message key XSS.Oct 2 2025, 7:01 PM
gerritbot added a comment.Oct 2 2025, 8:01 PM

Change #1193200 had a related patch set uploaded (by Reedy; author: Catrope):

[mediawiki/core@REL1_44] SECURITY: Escape submit button label for Codex-based HTMLForms

https://gerrit.wikimedia.org/r/1193200

gerritbot added a comment.Oct 2 2025, 8:04 PM

Change #1193175 merged by jenkins-bot:

[mediawiki/core@REL1_43] SECURITY: Escape submit button label for Codex-based HTMLForms

https://gerrit.wikimedia.org/r/1193175

gerritbot added a comment.Oct 2 2025, 8:41 PM

Change #1193200 merged by jenkins-bot:

[mediawiki/core@REL1_44] SECURITY: Escape submit button label for Codex-based HTMLForms

https://gerrit.wikimedia.org/r/1193200

gerritbot added a comment.Oct 2 2025, 8:51 PM

Change #1193222 had a related patch set uploaded (by Reedy; author: Catrope):

[mediawiki/core@master] SECURITY: Escape submit button label for Codex-based HTMLForms

https://gerrit.wikimedia.org/r/1193222

gerritbot added a comment.Oct 2 2025, 9:56 PM

Change #1193222 merged by jenkins-bot:

[mediawiki/core@master] SECURITY: Escape submit button label for Codex-based HTMLForms

https://gerrit.wikimedia.org/r/1193222

sbassett triaged this task as Medium priority.Mon, Apr 6, 9:08 PM
sbassett removed a project: Patch-For-Review.
sbassett changed the visibility from "Custom Policy" to "Public (No Login Required)".
sbassett changed the edit policy from "Custom Policy" to "All Users".
sbassett changed Risk Rating from N/A to Medium.
sbassett moved this task from Watching to Our Part Is Done on the Security-Team board.
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits