Summary
The UploadWizard extension is vulnerable to i18n/system-message stored XSS attacks via at least the following system messages (and, from looking at the code, probably more):
- mwe-upwiz-blacklisted-details-titleblacklist-custom-filename-text
- mwe-upwiz-too-many-files-text
- mwe-upwiz-file-too-large-text
- mwe-upwiz-license-external-invalid
- mwe-upwiz-other-v2
- mwe-upwiz-submitting-details
- mwe-upwiz-published
Prerequisites to reproduce
- Have a demo wiki with ext:UploadWizard (and, to reproduce vuln [1], ext:TitleBlacklist) loaded.
- In your demo wiki's LocalSettings.php, ensure $wgEnableUploads is set to true.
- As an admin (i.e., a user with the editinterface rights, but not the editsitejs right):
- For each of the message keys above, create the page MediaWiki:<message-key> with the content <script>alert("XSS: <message-key>");</script>.
(Alternatively, add $wgUseXssLanguage = true; to your demo wiki's LocalSettings.php, & access pages using ?uselang=x-xss.)
- For each of the message keys above, create the page MediaWiki:<message-key> with the content <script>alert("XSS: <message-key>");</script>.
Stored system-message XSS via...
[1] ...the popup that appears after clicking the 'view examples' link in a title-blacklist error message
- As an admin:
- Add the following rule at MediaWiki:Titleblacklist (the important part for these reproduction steps is the errmsg being titleblacklist-custom-filename):
- .*generic-filename.* <errmsg=titleblacklist-custom-filename>
- Add the following rule at MediaWiki:Titleblacklist (the important part for these reproduction steps is the errmsg being titleblacklist-custom-filename):
- As an unprivileged/regular user (i.e., someone without the tboverride right):
- Navigate to Special:UploadWizard.
- Select a file to upload.
- On the 'Release rights' step, select any values that allow you to get to the next stage.
- Under 'Title', enter "generic-filename".
- Click on the "view examples" link in the error message that appears:
Note: The possibility of an XSS vulnerability here jumped out to me when I was looking at UploadWizard's en.json & noticed that the default 'mwe-upwiz-blacklisted-details-titleblacklist-custom-filename-text' message contained an <a> tag, given that - to my knowledge - HTML anchor tags don't work in regular wikitext.
[2] ...the popup that appears when attempting to upload too many files at once
- For ease of reproducibility (ie., to avoid having to upload 50 items at once in order to reproduce this vuln), add the following line to your demo wiki's LocalSettings.php:
- $wgUploadWizardConfig['maxUploads'] = 2;
- Navigate to Special:UploadWizard.
- Either:
- Click on "Select media files to share", & select more than two images; or
- Drag-and-drop more than two image files onto the part of the page labelled "Drop files here".
[3] ...the popup that appears when attempting to upload a file that's above the max upload size
- For ease of reproducibility (ie., to avoid having to upload a 100MB file in order to reproduce this vuln), add the following line to your demo wiki's LocalSettings.php:
- $wgMaxUploadSize = 1024 * 1024; [1MB]
- Navigate to Special:UploadWizard.
- Select/Drag-and-drop a file to upload that's over 1MB in size.
[4] ...the popup that appears when attempting to import an image from Flickr that has an incompatible license
- Add the following lines (adapted from https://www.mediawiki.org/wiki/Extension:UploadWizard#Enabling_Flickr_uploads) to your demo wiki's LocalSettings.php, in order to allow the UploadWizard Flickr integration to work:
- $wgAllowCopyUploads = true;
- $wgGroupPermissions['user']['upload_by_url'] = true;
- $wgCopyUploadsDomains = ['*.flickr.com', '*.staticflickr.com'];
- $wgUploadWizardConfig['flickrApiKey'] = 'e9d8174a79c782745289969a45d350e8'; [I'm using the (public) Wikimedia Flickr API key to repro this, as Flickr is currently restricting the ability to create API keys to 'Pro' subscribers, and this key seems to work from my localhost demo wiki.]
- Navigate to Special:UploadWizard.
- Select 'Share images from Flickr'.
- Paste in the URL of a photo on Flickr that has a license marked as 'invalid' in this array (e.g., https://www.flickr.com/photos/zeeyolqpictures/45925416992).
- Click the 'Get from Flickr' button.
[5] ...the 'Any other information you want to include' field-label
- Navigate to Special:UploadWizard
- Select a file to upload.
- On the 'Release rights' step, select any values that allow you to get to the next stage, and click 'Next'. (The XSS occurs immediately after reaching the next stage - 'Describe'.)
[6] [7] ...the status-text that indicates the status of an upload in progress
- Follow the steps in [5] above.
- On the 'Describe' step, enter any value in the 'Description' & 'Date' fields.
- Click the 'Publish files' button. (The two XSSes here occur in quick succession, presumably depending on how long it takes the wiki to publish the file(s) after the information about them has been submitted.)
What happens?
In each case, you get XSSed: a JavaScript alertbox appears, indicating that - through overriding these system messages - the admin account with editinterface rights (but without editsitejs rights) has been able to inject JavaScript to be executed by the end-user's browser.
| [1] | [2] | [3] | [4] | [5] | [6] | [7] |
 |  |  |  |  |  |  |
What should have happened?
No XSSes (i.e. the alertboxes shouldn't've appeared).
Software versions
mw/core @ ce36ccce81
mw/exts/UploadWizard @ 2b5c27014c
mw/exts/TitleBlacklist @ 7efae546ae
Other information/Notes
- Someone else should verify these; but as far as I can currently see:
- Vuln [1] looks like it was introduced in https://gerrit.wikimedia.org/r/1043017 (i.e., REL1_43 / ae81c7894c onwards) for T366323.
- Vulns [2], [3] & [4] look like they were introduced in https://gerrit.wikimedia.org/r/1010228 (i.e., REL1_42 / cea10e89da onwards) for T355715. I'm not certain, but I believe an underlying cause of these two may have been the change to mw.errorDialog.js#15 (which wrapped the errorMessage variable within a new OO.ui.HtmlSnippet) without there also being changes to that function's callers (to escape system messages where necessary).
- Vuln [5] looks like it was introduced in https://gerrit.wikimedia.org/r/1036282 (i.e., REL1_43 / 3dbbf698e8 onwards) for T361061.
- Vulns [6] & [7] look like they were introduced in https://gerrit.wikimedia.org/r/328373 (i.e., REL1_29 / baa7dadef8 onwards) for T32095 / T152607.
- ccing @Cparle @matthiasmullie @mfossati as authors/reviewers of those patches FYI.
- I'm not sure if I've found all of the system message XSSes in UploadWizard here or not. Given what I've found here (and given this i18n-XSS patch from only a month ago for T402095), it might be worth doing a proper audit to check if there are any more of them within the extension.
