Page MenuHomePhabricator
Create Task
Maniphest T404392

Arbitrary HTML injection through error display on Wikifunctions
Closed, ResolvedPublicSecurity
Actions

Assigned To
Jdforrester-WMF
Authored By
Dv103
Sep 11 2025, 8:19 PM
Tags
Referenced Files
Restricted File
Sep 12 2025, 12:27 PM
F66017610: T404392-4.patch
Sep 12 2025, 12:24 PM
F66017248: Screenshot from 2025-09-12 12-52-47.png
Sep 12 2025, 11:38 AM
F66017249: Screenshot from 2025-09-12 13-05-24.png
Sep 12 2025, 11:38 AM
F66017250: Screenshot from 2025-09-12 12-52-41.png
Sep 12 2025, 11:38 AM
F66017217: T404392-3.patch
Sep 12 2025, 11:38 AM
F66016956: image.png
Sep 12 2025, 9:37 AM
F66015278: Screenshot 2025-09-11 at 19.22.03.png
Sep 11 2025, 11:29 PM
View All 11 Files
Subscribers
Aklapper
akosiaris
Catrope
cmassaro
DMartin-WMF
DSantamaria
DSmit-WMF
View All 14 Subscribers

Description

  • Go to Z28154
  • Insert whatever value in the first function input parameter (for example "Z7"
  • In the second input parameter (labeled as "parameters") insert one element: <button onmouseover="window.location='//www.example.com'">
  • Execute the function
  • Click on "Details": the HTML code is injected directly in the error details window; the button is present, and the JS code associated with it can be executed by hovering the mouse over it.

This is important because it is very easy (no special user right required) to create a permanent testcase that injects HTML code every time someone tries to see the details.

Details

Risk Rating
Medium
Author Affiliation
Other (Please specify in description)
Related Changes in Gerrit:
SubjectRepoBranchLines +/-
SECURITY: Do not let error type labels or arguments return HTML eithermediawiki/extensions/WikiLambdawmf/1.45.0-wmf.18+13 -10
SECURITY: Do not let getErrorMessages() etc. return HTML ever, at least for nowmediawiki/extensions/WikiLambdawmf/1.45.0-wmf.18+90 -23
SECURITY: Do not let error type labels or arguments return HTML eithermediawiki/extensions/WikiLambdamaster+13 -10
SECURITY: Do not let getErrorMessages() etc. return HTML ever, at least for nowmediawiki/extensions/WikiLambdamaster+90 -23
Customize query in gerrit

Related Objects

Event Timeline

Dv103 created this task.Sep 11 2025, 8:19 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptSep 11 2025, 8:19 PM
Dv103 added projects: WikiLambda Front-end, WikiLambda.Sep 11 2025, 8:20 PM
sbassett added subscribers: Jdforrester-WMF, cmassaro, gengh.Sep 11 2025, 8:23 PM
Jdforrester-WMF triaged this task as High priority.Sep 11 2025, 8:27 PM
Jdforrester-WMF added projects: Essential-Work, Abstract Wikipedia team (26Q1 (Jul–Sep)).
Jdforrester-WMF added a subscriber: DSmit-WMF.

Thanks for the report; good find.

sbassett changed the task status from Open to In Progress.Sep 11 2025, 8:30 PM
sbassett raised the priority of this task from High to Unbreak Now!.
sbassett added a project: Vuln-XSS.
sbassett subscribed.

Confirmed the exploit works. Setting UBN since this is an XSS that could theoretically be executed cross-project.

Jdforrester-WMF added a subscriber: DMartin-WMF.Sep 11 2025, 8:58 PM
Jdforrester-WMF added a comment.Sep 11 2025, 9:05 PM

Quick patch; think this gets all of it:

T404392.patch7 KBDownload

This will break the usability testing, but oh well.

Jdforrester-WMF added a subscriber: DSantamaria.Sep 11 2025, 9:07 PM
sbassett added a comment.Sep 11 2025, 9:22 PM
In T404392#11174463, @Jdforrester-WMF wrote:

Quick patch; think this gets all of it:

T404392.patch7 KBDownload

This will break the usability testing, but oh well.

CR+2, most of this make sense to me: mustache/vue-style escapes around the getErrorMessage( error ) calls and then a i18n parse call.

Jdforrester-WMF moved this task from Incoming to In Engineering on the Abstract Wikipedia team (26Q1 (Jul–Sep)) board.Sep 11 2025, 9:29 PM
Jdforrester-WMF added a comment.Sep 11 2025, 10:01 PM

This fixed the bits I noticed with malicious error labels, but not the reported issue with malicious error arguments; I've now got an improved version:

T404392-1.patch10 KBDownload

Jdforrester-WMF added a comment.Sep 11 2025, 11:29 PM

OK, third time's the charm:

T404392-2.patch15 KBDownload

Screenshot 2025-09-11 at 19.22.03.png (2×2 px, 766 KB)

We'll have to consider in the morning if there are other abuse routes I've missed, and how we can fix the system to provide the functionality wanted without this issue, but for tonight I think we're done.

sbassett assigned this task to Jdforrester-WMF.Sep 12 2025, 12:05 AM
sbassett lowered the priority of this task from Unbreak Now! to High.
sbassett awarded a token.
sbassett added a comment.Sep 12 2025, 12:07 AM
In T404392#11174736, @Jdforrester-WMF wrote:

OK, third time's the charm:

T404392-2.patch15 KBDownload

Thanks! I can confirm that the example payload within the task description can no longer be reproduced in production. Let's plan to follow up tomorrow.

Catrope subscribed.Sep 12 2025, 12:12 AM

@Jdforrester-WMF After this patch lands publicly in Gerrit, please consider replacing the <!-- eslint-disable vue/no-v-html --> comments that it does leave in / add in to use eslint-disable-next-line instead. Otherwise you could still be missing uses of v-html that occur anywhere in the same file below the first one.

akosiaris subscribed.Sep 12 2025, 4:22 AM
Lucas_Werkmeister_WMDE subscribed.Sep 12 2025, 9:37 AM

For the record, @Dv103 has also disclosed some details about this task publicly (before it was even fixed – timestamps are in UTC+2):

image.png (304×488 px, 39 KB)

Given that, and the fact that there are probably very few other (non-dev) WikiLambda installs around, it’s probably best to publish the task+fix relatively soon? (I.e. without waiting for the next full security release, at least IMHO.)

gengh added a comment.Sep 12 2025, 11:38 AM

Fixed another related error argument label vulnerability on top of James' latest version. I've checked injection on error string arguments, but also error labels and error argument labels. This should do it:

T404392-3.patch17 KBDownload

Screenshot from 2025-09-12 12-52-41.png (466×543 px, 56 KB)

Screenshot from 2025-09-12 13-05-24.png (519×735 px, 29 KB)

Screenshot from 2025-09-12 12-52-47.png (478×721 px, 27 KB)

Jdforrester-WMF added a comment.Sep 12 2025, 12:15 PM
In T404392#11174833, @Catrope wrote:

@Jdforrester-WMF After this patch lands publicly in Gerrit, please consider replacing the <!-- eslint-disable vue/no-v-html --> comments that it does leave in / add in to use eslint-disable-next-line instead. Otherwise you could still be missing uses of v-html that occur anywhere in the same file below the first one.

Yeah, the multi-line Vue code breaks eslint-disable-next-line directives; will add the re-enables in.

Jdforrester-WMF added a comment.Sep 12 2025, 12:17 PM
In T404392#11175495, @Lucas_Werkmeister_WMDE wrote:

For the record, @Dv103 has also disclosed some details about this task publicly (before it was even fixed – timestamps are in UTC+2):

image.png (304×488 px, 39 KB)

Eurgh, thanks for flagging. @Dv103, please don't discuss private tasks publicly.

Given that, and the fact that there are probably very few other (non-dev) WikiLambda installs around, it’s probably best to publish the task+fix relatively soon? (I.e. without waiting for the next full security release, at least IMHO.)

Yes, that's the plan.

Jdforrester-WMF added a comment.EditedSep 12 2025, 12:24 PM
In T404392#11175744, @gengh wrote:

Fixed another related error argument label vulnerability on top of James' latest version. I've checked injection on error string arguments, but also error labels and error argument labels. This should do it:

T404392-3.patch17 KBDownload

Thanks! Very slight tweak to add the eslint-disable fixes Roan suggested, and split into a second git commit on top of the deployed one, for easier management.

{F66017626}

Will deploy now.

Jdforrester-WMF added a comment.Sep 12 2025, 12:48 PM

OK, I believe we're now good to push the patches to gerrit and land into master. @sbassett, can you confirm that's OK?

sbassett mentioned this in T397776: Write and send supplementary release announcement for extensions and skins with security patches (1.39.14/1.43.4/1.44.1).Sep 12 2025, 4:28 PM
sbassett added a comment.Sep 12 2025, 4:33 PM
In T404392#11175953, @Jdforrester-WMF wrote:

OK, I believe we're now good to push the patches to gerrit and land into master. @sbassett, can you confirm that's OK?

LGTM, thanks! I've verified the patches appear correct on deployment:

$ ls /srv/patches/1.45.0-wmf.18/extensions/WikiLambda/
01-T404392.patch  02-T404392.patch
...
$ pwd
/srv/mediawiki-staging/php-1.45.0-wmf.18/extensions/WikiLambda
...
$  git log --graph --decorate --oneline -n2
* 7753571d (HEAD) SECURITY: Do not let error type labels or arguments return HTML either
* 6b5ca6bc SECURITY: Do not let getErrorMessages() etc. return HTML ever, at least for now

And we're also now tracking the patches under T276237 and T397776.

SecurityPatchBot changed the task status from In Progress to Open.Sep 12 2025, 11:54 PM
SecurityPatchBot raised the priority of this task from High to Unbreak Now!.
SecurityPatchBot added a parent task: T396380: 1.45.0-wmf.19 deployment blockers.
Patch is blocking upcoming release

Patch 01-T404392.patch is currently failing to apply for the most recent code in the mainline branch of extensions/WikiLambda. This is blocking MediaWiki release 1.45.0-wmf.19(T396380)

If the patch needs to be rebased

A new version of the patch can be placed at the right location in the deployment server with the following Scap command:

REVISED_PATCH=<path_to_revised_patch>
scap update-patch --message-body 'Rebase to solve merge conflicts' /srv/patches/next/extensions/WikiLambda/01-T404392.patch "$REVISED_PATCH"

If the patch has been made public

The patch can be dropped in the deployment server with the following Scap command:

scap remove-patch --message-body 'Dropping patch already made public' /srv/patches/next/extensions/WikiLambda/01-T404392.patch
sbassett changed the task status from Open to In Progress.Sep 13 2025, 1:08 AM
sbassett lowered the priority of this task from Unbreak Now! to High.

We'll want to fix any merge conflicts for 01-T404392.patch prior to 1.45.0-wmf.19 rollout next week.

SecurityPatchBot changed the task status from In Progress to Open.Sep 13 2025, 11:53 PM
SecurityPatchBot raised the priority of this task from High to Unbreak Now!.
Patch is blocking upcoming release

Patch 01-T404392.patch is currently failing to apply for the most recent code in the mainline branch of extensions/WikiLambda. This is blocking MediaWiki release 1.45.0-wmf.19(T396380)

If the patch needs to be rebased

A new version of the patch can be placed at the right location in the deployment server with the following Scap command:

REVISED_PATCH=<path_to_revised_patch>
scap update-patch --message-body 'Rebase to solve merge conflicts' /srv/patches/next/extensions/WikiLambda/01-T404392.patch "$REVISED_PATCH"

If the patch has been made public

The patch can be dropped in the deployment server with the following Scap command:

scap remove-patch --message-body 'Dropping patch already made public' /srv/patches/next/extensions/WikiLambda/01-T404392.patch
sbassett lowered the priority of this task from Unbreak Now! to High.Sep 14 2025, 11:51 PM
SecurityPatchBot raised the priority of this task from High to Unbreak Now!.Sep 14 2025, 11:54 PM
Patch is blocking upcoming release

Patch 01-T404392.patch is currently failing to apply for the most recent code in the mainline branch of extensions/WikiLambda. This is blocking MediaWiki release 1.45.0-wmf.19(T396380)

If the patch needs to be rebased

A new version of the patch can be placed at the right location in the deployment server with the following Scap command:

REVISED_PATCH=<path_to_revised_patch>
scap update-patch --message-body 'Rebase to solve merge conflicts' /srv/patches/next/extensions/WikiLambda/01-T404392.patch "$REVISED_PATCH"

If the patch has been made public

The patch can be dropped in the deployment server with the following Scap command:

scap remove-patch --message-body 'Dropping patch already made public' /srv/patches/next/extensions/WikiLambda/01-T404392.patch
sbassett lowered the priority of this task from Unbreak Now! to High.Sep 15 2025, 12:00 AM
jnuche raised the priority of this task from High to Unbreak Now!.EditedSep 15 2025, 8:27 AM
jnuche subscribed.

Noting here the 02-T404392 patch for 1.45.0-wmf.18 is unfortunately also failing.

This is blocking backport deployments at the moment: https://spiderpig.wikimedia.org/jobs/549

[FAILED] /srv/patches/1.45.0-wmf.18/extensions/WikiLambda/02-T404392.patch
Lucas_Werkmeister_WMDE mentioned this in T404593: scap remove-patch: support removing multiple patches.Sep 15 2025, 1:40 PM
Jdforrester-WMF lowered the priority of this task from Unbreak Now! to High.Sep 15 2025, 1:51 PM
Jdforrester-WMF removed a parent task: T396380: 1.45.0-wmf.19 deployment blockers.
Jdforrester-WMF moved this task from In Engineering to Needs Sign-off on the Abstract Wikipedia team (26Q1 (Jul–Sep)) board.
Jdforrester-WMF added a project: MW-1.45-notes (1.45.0-wmf.18; 2025-09-09).Sep 15 2025, 2:03 PM
sbassett moved this task from Incoming to Watching on the Security-Team board.Sep 15 2025, 4:24 PM
sbassett added a project: SecTeam-Processed.
sbassett added a subscriber: gerritbot.Sep 15 2025, 4:57 PM

Update - thanks, @Jdforrester-WMF et al for getting these patches backported in gerrit and dropped from deployment!

  1. https://gerrit.wikimedia.org/r/q/I76ba6168e9723230f95f5a2785df90f9327a0148
  2. https://gerrit.wikimedia.org/r/q/I996fa2f9ec5112978296ad8f357176123f8f692b
sbassett lowered the priority of this task from High to Low.Sep 15 2025, 5:01 PM
Reedy closed this task as Resolved.Sep 17 2025, 1:54 PM
sbassett changed the visibility from "Custom Policy" to "Public (No Login Required)".Oct 21 2025, 5:28 PM
sbassett changed the edit policy from "Custom Policy" to "All Users".
sbassett changed Risk Rating from N/A to Medium.
sbassett moved this task from Watching to Our Part Is Done on the Security-Team board.
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits