Wikibase inserts parsed system messages into autocomments by using the FormatAutocomments hook. This allows for XSS, because it is not safe to pass parsed HTML to the comment parser.
Fortunately, this is no longer exploitable by unprivileged users: the message arguments have been wikitext-escaped since 2017 as the fix for T182800 (Username beginning with asterisk renders as list in "restore"/"undo" edit summaries of Wikibase items). Whether it was actually exploitable before that depends on whether users were able to insert angle brackets into the arguments, which in turn depends on what data was actually used in the parameters.
Reproduction steps
- Enable WikibaseRepository (see the Additional information section regarding WikibaseClient)
- Edit MediaWiki:Wikibase-entity-summary-wbsetdescription-set and set its contents to <pre tabindex="0" data-xss="[[#/autofocus/onfocus=alert(1);//">]]</pre>
- Edit the description of an item
- Go to the revision history of the item
The payload will also be executed in other places that render edit summaries, like Special:RecentChanges.
Explanation
By including wiki link syntax in an attribute of an element that is passed to CommentParser::doWikiLinks, it's possible to insert arbitrary HTML attributes into the element, because the CommentParser will insert the generated link element into the attribute value (see also T355538 and T406664).
Normal HTML elements created by the Parser have characters like [ escaped in their attributes to prevent XSS through link replacement. However, <pre> creates its element using Html::element and inserts it using a strip marker, which is unstripped in internalParseHalfParsed; as a result, square brackets survive unescaped inside the attribute.
The parsed message is appended to the autocomment here. After this, the CommentParser will replace the link syntax with the HTML link, thereby creating unsafe HTML which executes the payload.
As far as I can see, all messages that are used here (presumably all 59 starting with wikibase-entity-summary-) can be abused for this.
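As an added illustration (not code from this report or from MediaWiki), here is a small Python model of the ordering problem described above: an element is rendered to HTML first, and the result is then handed to a link replacer that does not understand HTML. The function names and the escaping table are assumptions; the point it shows is that bracket pairs in attribute values must be neutralised before the fragment reaches the comment parser.

```python
import html
import re

# Constructed model of the pipeline: render an element, then run comment
# link replacement over the result. Names are assumed, not MediaWiki's API.

LINK_RE = re.compile(r"\[\[([^\]|]+)(?:\|([^\]]*))?\]\]")


def do_wiki_links(comment: str) -> str:
    """Naive stand-in for CommentParser::doWikiLinks: rewrites [[target]]
    wherever it occurs, including inside an attribute value."""
    def repl(m: re.Match) -> str:
        target, label = m.group(1), m.group(2) or m.group(1)
        return (f'<a href="/wiki/{html.escape(target, quote=True)}">'
                f'{html.escape(label)}</a>')
    return LINK_RE.sub(repl, comment)


def safe_encode_attribute(value: str) -> str:
    """Escape an attribute value for later wikitext-aware processing: normal
    HTML escaping plus neutralising the bracket pairs a link replacer would
    recognise (modelled loosely on the Parser's attribute escaping)."""
    v = html.escape(value, quote=True)
    return v.replace("[[", "&#91;&#91;").replace("]]", "&#93;&#93;")


def render_pre(attrs: dict, body: str, safe: bool) -> str:
    """Render <pre ...>body</pre>; 'safe' selects the bracket-aware escaper,
    otherwise only plain HTML attribute escaping is applied (the Html::element
    behaviour the report describes)."""
    enc = safe_encode_attribute if safe else (lambda s: html.escape(s, quote=True))
    attr_str = "".join(f' {k}="{enc(v)}"' for k, v in attrs.items())
    return f"<pre{attr_str}>{html.escape(body)}</pre>"


ATTR_ELEMENT_RE = re.compile(r'="[^"]*<a ')


def attribute_contains_element(rendered: str) -> bool:
    """Check: did link replacement land inside an attribute value?"""
    return ATTR_ELEMENT_RE.search(rendered) is not None


def render_summary(attrs: dict, body: str, safe: bool) -> str:
    """Full pipeline: element first, link replacement second."""
    return do_wiki_links(render_pre(attrs, body, safe))
```

Running `render_summary({"data-x": "[[Main Page]]"}, "", safe=False)` shows the link element landing inside the attribute, while `safe=True` leaves the brackets as entities and the check returns False.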
Additional information
- MediaWiki: 1.46.0-alpha
- WikibaseRepository: 686238a
This is not fixed by the patch for T406664 because text inserted via the hook bypasses the mitigation.
This is also exploitable with WikibaseClient, which also handles custom autocomments using the hook, and doesn't even check for the namespace while doing so (which means that the user can insert edit summaries that match the regex the AutoCommentFormatter requires). However, it isn't easy to perform XSS this way because it requires $wikiId to be set, which will cause the CommentParser to only create external links (apart from file links, which weren't exploitable either when I tried this). If $wgExternalInterwikiFragmentMode is set to legacy (the default value), any external links generated by the CommentParser will url-encode = in the path and the fragment, which means only boolean attributes can be used. With $wgExternalInterwikiFragmentMode = 'html5'; however, this vulnerability is likely also exploitable with WikibaseClient.