Page MenuHomePhabricator
Create Task
Maniphest T406322

CVE-2025-11261: Stored i18n XSS exposed by security patch for T402077
Closed, ResolvedPublicSecurity
Actions

Description

While fixing the tests for https://gerrit.wikimedia.org/r/c/mediawiki/extensions/CheckUser/+/1193254, which is the patch for T402077, I noticed that there is another i18n XSS vulnerability caused by passing a list of HTML strings to mw.language.listToText and using the result as raw HTML.
mw.language.listToText is supposed to be used for text and not HTML, as the return value contains the unsanitized system messages and, word-separator and comma-separator:
https://gerrit.wikimedia.org/g/mediawiki/core/+/ffd25a424f9fc8cbb32a403969e473da85c4389f/resources/src/mediawiki.language/mediawiki.language.js#147

The reproduction steps should be the same as described in T402077, but instead of using uselang=x-xss or editing MediaWiki:checkuser-tempaccount-specialblock-ips, the messages and, word-separator or comma-separator have to be edited to <img src="" onerror="alert(1)">, which should cause an alert.

Details

Risk Rating
Medium
Author Affiliation
Wikimedia Communities
Related Changes in Gerrit:
SubjectRepoBranchLines +/-
SECURITY: Escape system messages in mw.language.listToTextmediawiki/coreREL1_44+2 -2
SECURITY: Escape system messages in mw.language.listToTextmediawiki/coreREL1_43+2 -2
SECURITY: Escape system messages in mw.language.listToTextmediawiki/coreREL1_39+2 -2
SECURITY: Escape system messages in mw.language.listToTextmediawiki/coremaster+2 -2
Customize query in gerrit

Related Objects
Search...

StatusSubtypeAssignedTask
 ResolvedSecuritySomeRandomDeveloperT406322 CVE-2025-11261: Stored i18n XSS exposed by security patch for T402077
Restricted Task

Event Timeline

SomeRandomDeveloper created this task.Oct 3 2025, 11:50 AM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptOct 3 2025, 11:50 AM
SomeRandomDeveloper added projects: CheckUser, Vuln-XSS.Oct 3 2025, 11:52 AM

This affects master and REL1_44.

I'm not sure what would be the best way to fix this, apart from copying mw.language.listToText into a new method in CheckUser and then escaping the messages so it can be used to produce HTML.

Restricted Application added a project: Product Safety and Integrity. · View Herald TranscriptOct 3 2025, 11:52 AM
Dreamy_Jazz subscribed.EditedOct 3 2025, 12:05 PM
In T406322#11240715, @SomeRandomDeveloper wrote:

I'm not sure what would be the best way to fix this, apart from copying mw.language.listToText into a new method in CheckUser and then escaping the messages so it can be used to produce HTML.

That seems hacky and would likely cause tech debt if the MediaWiki core version of mw.language.listToText is updated.

Could we not consider adding a XSS safe mw.language.listToText or fixing the issue in that method? AFAICS we would want to use it elsewhere that this issue might occur

While I may have missed something, it seems that there is no need for the listToText messages to use any HTML and so AFAICS we should be able to make them use mw.message( '...' ).escaped() in the current version?

SomeRandomDeveloper added a comment.Oct 3 2025, 12:06 PM
In T406322#11240755, @Dreamy_Jazz wrote:
In T406322#11240715, @SomeRandomDeveloper wrote:

I'm not sure what would be the best way to fix this, apart from copying mw.language.listToText into a new method in CheckUser and then escaping the messages so it can be used to produce HTML.

That seems hacky and would likely cause tech debt if the MediaWiki core version of mw.language.listToText is updated.

Could we not consider adding a XSS safe mw.language.listToText? AFAICS we would want to use it elsewhere that this issue might occur

That's a better solution, I can create a patch for this

Dreamy_Jazz added a comment.Oct 3 2025, 12:08 PM
In T406322#11240760, @SomeRandomDeveloper wrote:
In T406322#11240755, @Dreamy_Jazz wrote:
In T406322#11240715, @SomeRandomDeveloper wrote:

I'm not sure what would be the best way to fix this, apart from copying mw.language.listToText into a new method in CheckUser and then escaping the messages so it can be used to produce HTML.

That seems hacky and would likely cause tech debt if the MediaWiki core version of mw.language.listToText is updated.

Could we not consider adding a XSS safe mw.language.listToText? AFAICS we would want to use it elsewhere that this issue might occur

That's a better solution, I can create a patch for this

Thanks for working on this issue

SomeRandomDeveloper added a comment.Oct 3 2025, 12:10 PM

@Dreamy_Jazz actually couldn't we just escape the messages in the existing listToText method instead? The PHP version does the same: https://gerrit.wikimedia.org/g/mediawiki/core/+/ffd25a424f9fc8cbb32a403969e473da85c4389f/includes/language/Language.php#3665
And I don't think and, word-separator or comma-separator should contain any characters that would be double escaped

SomeRandomDeveloper added a project: MediaWiki-Internationalization.Oct 3 2025, 12:11 PM
Dreamy_Jazz added a comment.EditedOct 3 2025, 12:15 PM
In T406322#11240763, @SomeRandomDeveloper wrote:

@Dreamy_Jazz actually couldn't we just escape the messages in the existing listToText method instead? The PHP version does the same: https://gerrit.wikimedia.org/g/mediawiki/core/+/ffd25a424f9fc8cbb32a403969e473da85c4389f/includes/language/Language.php#3665
And I don't think and, word-separator or comma-separator should contain any characters that would be double escaped

Yeah, I edited my comment above to say that AFAICS it should be possible to do that just after you posted your reply

I'd support an approach that just fixes mw.language.listToText. It doesn't seem intentional that they are not escaped. Additionally, I'd expect any callers to escape the items in the list before passing it to this method (so any double escaping issues caused by such a change would be easily fixed)

Reedy added a project: MW-1.44-release.Oct 3 2025, 12:19 PM
SomeRandomDeveloper added a project: Patch-For-Review.Oct 3 2025, 12:24 PM

T406322.patch1 KBDownload

OKryva-WMF moved this task from Inbox to Later sprints on the Product Safety and Integrity board.Oct 3 2025, 12:29 PM
Reedy triaged this task as High priority.Oct 3 2025, 12:35 PM
Dreamy_Jazz added a comment.Oct 3 2025, 12:39 PM
In T406322#11240814, @SomeRandomDeveloper wrote:

T406322.patch1 KBDownload

This LGTM, +2

Dreamy_Jazz removed a project: Patch-For-Review.Oct 3 2025, 12:40 PM
Dreamy_Jazz moved this task from Incoming to Security Patch To Deploy on the Security-Team board.
Dreamy_Jazz edited projects, added Product Safety and Integrity (Sprint Apfel Strudel (Sep 29 - Oct 17)); removed Product Safety and Integrity.
Dreamy_Jazz moved this task from Priority backlog to Done on the Product Safety and Integrity (Sprint Apfel Strudel (Sep 29 - Oct 17)) board.Oct 3 2025, 12:43 PM

Moving to 'Done' on our board, as I've given the patch a review. Can leave the rest to the Security-Team.

Reedy subscribed.Oct 3 2025, 1:03 PM

Deployed!

Reedy added a subtask: Restricted Task.Oct 3 2025, 1:05 PM
Reedy added a subscriber: gerritbot.
Reedy renamed this task from Stored i18n XSS caused by security patch for T402077 to CVE-2025-11261: Stored i18n XSS caused by security patch for T402077.Oct 3 2025, 1:08 PM
gerritbot added a comment.Oct 3 2025, 1:09 PM

Change #1193414 had a related patch set uploaded (by Reedy; author: SomeRandomDeveloper):

[mediawiki/core@master] SECURITY: Escape system messages in mw.language.listToText

https://gerrit.wikimedia.org/r/1193414

gerritbot added a project: Patch-For-Review.Oct 3 2025, 1:09 PM
Reedy added projects: MW-1.43-release, MW-1.39-release.Oct 3 2025, 1:11 PM
Reedy renamed this task from CVE-2025-11261: Stored i18n XSS caused by security patch for T402077 to CVE-2025-11261: Stored i18n XSS exposed by security patch for T402077.Oct 3 2025, 1:15 PM
SomeRandomDeveloper added a comment.EditedOct 3 2025, 1:20 PM

Stored i18n XSS exposed by security patch for T402077

I keep forgetting that parameters aren't escaped either when using mw.msg... so that vulnerability was actually already present before

SomeRandomDeveloper updated the task description. (Show Details)Oct 3 2025, 1:20 PM
gerritbot added a comment.Oct 3 2025, 2:29 PM

Change #1193414 merged by jenkins-bot:

[mediawiki/core@master] SECURITY: Escape system messages in mw.language.listToText

https://gerrit.wikimedia.org/r/1193414

gerritbot added a comment.Oct 3 2025, 2:32 PM

Change #1193426 had a related patch set uploaded (by Reedy; author: SomeRandomDeveloper):

[mediawiki/core@REL1_44] SECURITY: Escape system messages in mw.language.listToText

https://gerrit.wikimedia.org/r/1193426

gerritbot added a comment.Oct 3 2025, 2:33 PM

Change #1193428 had a related patch set uploaded (by Reedy; author: SomeRandomDeveloper):

[mediawiki/core@REL1_43] SECURITY: Escape system messages in mw.language.listToText

https://gerrit.wikimedia.org/r/1193428

gerritbot added a comment.Oct 3 2025, 2:33 PM

Change #1193429 had a related patch set uploaded (by Reedy; author: SomeRandomDeveloper):

[mediawiki/core@REL1_39] SECURITY: Escape system messages in mw.language.listToText

https://gerrit.wikimedia.org/r/1193429

gerritbot added a comment.Oct 3 2025, 3:00 PM

Change #1193429 merged by jenkins-bot:

[mediawiki/core@REL1_39] SECURITY: Escape system messages in mw.language.listToText

https://gerrit.wikimedia.org/r/1193429

gerritbot added a comment.Oct 3 2025, 3:01 PM

Change #1193428 merged by jenkins-bot:

[mediawiki/core@REL1_43] SECURITY: Escape system messages in mw.language.listToText

https://gerrit.wikimedia.org/r/1193428

gerritbot added a comment.Oct 3 2025, 3:06 PM

Change #1193426 merged by jenkins-bot:

[mediawiki/core@REL1_44] SECURITY: Escape system messages in mw.language.listToText

https://gerrit.wikimedia.org/r/1193426

sbassett moved this task from Security Patch To Deploy to Our Part Is Done on the Security-Team board.Oct 6 2025, 6:51 PM
SomeRandomDeveloper closed this task as Resolved.Wed, Oct 22, 12:33 PM
SomeRandomDeveloper claimed this task.

I assume this can be closed now since it was part of 1.44.2

SomeRandomDeveloper mentioned this in T397776: Write and send supplementary release announcement for extensions and skins with security patches (1.39.14/1.43.4/1.44.1).Wed, Oct 22, 12:35 PM
sbassett removed a project: Patch-For-Review.Wed, Oct 22, 2:18 PM
sbassett changed the visibility from "Custom Policy" to "Public (No Login Required)".
sbassett changed the edit policy from "Custom Policy" to "All Users".
sbassett changed Risk Rating from N/A to Medium.
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits