Javascript inject by anonymous users on private wikis with $wgRawHtml enabled
Closed, ResolvedPublic
Actions

Assigned To

None

Authored By

	• csteipp
	May 19 2014, 6:03 PM

Description

Omer Iqbal noticed that invalid usernames on Special:PasswordReset were parsed as wikitext.

Although this can't be abused on a typical wiki, in the very special case that a wiki has wgRawHtml enabled, and rely on limiting who can edit to prevent attackers from adding javascript, the username on Special:PasswordReset can be supplied by anyone and will be parsed with wgRawHtml enabled.

Since Special:PasswordReset is whitelisted by default on private wikis, this could potentially lead to an xss crossing a privilege boundary.

The attack is additionally mitigated by default XFO rules preventing that special page from being used in an iframe, so the threat from this is very low.

Omer also reported the "html injection" directly to mozilla: https://bugzilla.mozilla.org/show_bug.cgi?id=1012563

Version: unspecified
Severity: normal

Details

Reference: bz65501

Related Objects

Mentioned Here: rMW399f95577b00: (bug 13015, bug 18347, bug 18996, bug 20473, bug 23669, bug 28244) separate the…

Event Timeline

• bzimport raised the priority of this task from to Medium.Nov 22 2014, 3:24 AM

• bzimport added a project: MediaWiki-Special-pages.

• bzimport set Reference to bz65501.

• bzimport added a subscriber: Unknown Object (MLST).

• csteipp created this task.May 19 2014, 6:03 PM

Created attachment 15443
Escape username wikitext

When onSubmit returns an array, it's added to the output with, wfMessage( $msg, $params )->parse(), so that errors can contain wikitext.

This puts the username through wfEscapeWikiText. Having the function return a Status object instead of array would do the same thing, but a more complex patch that I would rather not do as a security fix.

Attached:

bug65501.patch1 KBDownload

Code-review:+1

*Probably* the second portion of the patch isn't necessary since $firstUser is a user object either from the database (which I hope wouldn't have any vulnerable names in it!) or User::newFromName with 'valid' validation mode (which I hope wouldn't allow through any vulnerable names!). But I doubt there's any harm in escaping it either, so better to be safe.

Cluster was patched today:
20:05 csteipp: fix deployed for bug 65501

Jeff, adding you since donatewiki has wgRawHtml enabled.

Markus, this was introduced in commit 399f9557, so 1.19-1.23 should probably get patched whenever you do the next release.

Patch applies nicely to REL1_19, REL1_21, REL1_22 and master. So it will be included in the next round on 28th May 2014. Tomorrow, I'll send out a pre-release announcement.

also, REL1_23 works well with the patch.

Gerrit bot probably can't comment here, but the patch for core was uploaded https://gerrit.wikimedia.org/r/#/c/136131/

Marking as fixed as it's been released by Markus today. Waiting on Jeff to confirm donatewiki has been patched before moving this out of the Security component.

awight deployed this patch over the weekend.

henri+wikimedia wrote:

CVE request: http://www.openwall.com/lists/oss-security/2014/06/03/7

Assigned CVE-2014-3966

• csteipp added a project: acl*security.Mar 26 2015, 8:39 PM

• chasemp added a project: Security.Feb 10 2020, 10:59 PM

• chasemp removed a project: acl*security.Feb 20 2020, 8:18 PM