Function names aren't sanitized in Lua error backtraces
Closed, Resolved · Public

Description

Function names in Scribunto's Lua error backtraces are displayed to the user without being sanitized, allowing XSS attacks. Proof-of-concept:

local p = {}

-- The table key doubles as the function's name in the Lua error backtrace,
-- so the name itself carries the HTML payload.
p['<script>alert("XSS")</script>'] = function()
	error('CLICK ME')
end

-- Entry point: invoking it calls the function above, so the error is raised
-- with that unsanitized name in the backtrace.
function p.main(frame)
	p['<script>alert("XSS")</script>']()
end

return p

If a user, in order to view the backtrace, clicks on the error message generated by invoking p.main(), the script will run.


Patch:

  • 1.24:
  • 1.23:

Affected Versions: (needed)
Type: xss
CVE: CVE-2015-2939

Jackmcbarn updated the task description.
Jackmcbarn raised the priority of this task from to Unbreak Now!.
Jackmcbarn changed Security from none to Software security bug.
Jackmcbarn added a subscriber: Jackmcbarn.
Restricted Application changed the visibility from "Public (No Login Required)" to "Custom Policy". Dec 21 2014, 9:07 PM
Restricted Application changed the edit policy from "All Users" to "Custom Policy".

The attached patch ensures that all text used in the backtrace is properly sanitized.

Restricted Application changed the visibility from "Custom Policy" to "Custom Policy". Dec 21 2014, 9:11 PM


Same patch with full metadata.

Restricted Application changed the visibility from "Custom Policy" to "Custom Policy". Dec 22 2014, 5:23 PM

After discussing with Anomie on IRC, change the messages so that they can contain wikitext, just not HTML.

Restricted Application changed the visibility from "Custom Policy" to "Custom Policy". Dec 22 2014, 5:43 PM
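The approach settled on above (escape anything that could be HTML, but let wikitext through to the parser), sketched as an added PHP example. This is not Scribunto's own code or its patch; the frame array layout, the function names and the Module:Sandbox sample frames are assumptions.

```php
<?php
// Added example, not Scribunto's own code: render a Lua backtrace for display
// without letting frame text inject HTML. The frame array layout (short_src,
// currentline, name) is an assumption modelled on Lua's debug.getinfo() fields.

// Escape one fragment: HTML metacharacters become entities, while wikitext such
// as [[Module:Foo]] passes through untouched for the wikitext parser to handle.
function escapeBacktraceText( string $text ): string {
	return htmlspecialchars( $text, ENT_QUOTES | ENT_HTML5, 'UTF-8' );
}

// The pattern behind the bug: frame fields concatenated straight into HTML.
function renderBacktraceUnsafe( array $frames ): string {
	$out = '<ol class="scribunto-trace">';
	foreach ( $frames as $f ) {
		$out .= '<li>' . $f['short_src'] . ':' . $f['currentline']
			. ': in function ' . $f['name'] . '</li>';
	}
	return $out . '</ol>';
}

// Hardened rendering: every Lua-controlled fragment is escaped before insertion.
function renderBacktraceSafe( array $frames ): string {
	$out = '<ol class="scribunto-trace">';
	foreach ( $frames as $f ) {
		$out .= '<li>' . escapeBacktraceText( $f['short_src'] )
			. ':' . (int)$f['currentline']
			. ': in function ' . escapeBacktraceText( $f['name'] ) . '</li>';
	}
	return $out . '</ol>';
}

// Constructed sample: the frames the proof-of-concept module above would yield.
$frames = [
	[ 'short_src' => 'Module:Sandbox', 'currentline' => 4,
	  'name' => '<script>alert("XSS")</script>' ],
	[ 'short_src' => 'Module:Sandbox', 'currentline' => 8, 'name' => 'main' ],
];

$unsafe = renderBacktraceUnsafe( $frames );
$safe = renderBacktraceSafe( $frames );
assert( strpos( $unsafe, '<script>' ) !== false );   // script tag survives
assert( strpos( $safe, '<script>' ) === false );     // entity-encoded instead
assert( strpos( $safe, '&lt;script&gt;alert(&quot;XSS&quot;)&lt;/script&gt;' ) !== false );
assert( escapeBacktraceText( '[[Module:Sandbox]]' ) === '[[Module:Sandbox]]' );
echo $safe, "\n";
```

Run with `zend.assertions=1` so the assert calls are evaluated; the last assertion is the wikitext-survives check that distinguishes this from blanket stripping.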
Anomie added a subscriber: Anomie.Dec 22 2014, 7:04 PM

Deployed to the cluster in 1.25wmf12 and 1.25wmf13. Not sure what else needs doing.

Restricted Application changed the visibility from "Custom Policy" to "Custom Policy". Dec 22 2014, 7:04 PM
csteipp closed this task as Resolved.Jan 20 2015, 11:15 PM
csteipp claimed this task.
csteipp added a subscriber: csteipp.

We'll announce this with the 1.24.2 release.

csteipp updated the task description. Mar 17 2015, 11:55 PM
csteipp added a project: Vuln-XSS.
csteipp changed the visibility from "Custom Policy" to "Custom Policy".Mar 31 2015, 12:36 PM
csteipp changed the visibility from "Custom Policy" to "Public (No Login Required)".Mar 31 2015, 9:14 PM
csteipp changed the edit policy from "Custom Policy" to "All Users".
csteipp changed Security from Software security bug to None.
Kghbln added a subscriber: Kghbln.Mar 31 2015, 10:35 PM

Admittedly I am a bit confused here. The patches date from December 22, 2014 though the REL1_23 and REL1_24 branches were last touched December 17, 2014. Could somebody point me to the respective commits? Thanks and cheers

Change 201055 had a related patch set uploaded (by CSteipp):
SECURITY: Sanitize the content of Lua backtraces

https://gerrit.wikimedia.org/r/201055

Change 201056 had a related patch set uploaded (by CSteipp):
SECURITY: Sanitize the content of Lua backtraces

https://gerrit.wikimedia.org/r/201056

Change 201055 merged by CSteipp:
SECURITY: Sanitize the content of Lua backtraces

https://gerrit.wikimedia.org/r/201055

Change 201056 merged by CSteipp:
SECURITY: Sanitize the content of Lua backtraces

https://gerrit.wikimedia.org/r/201056

> Admittedly I am a bit confused here. The patches date from December 22, 2014 though the REL1_23 and REL1_24 branches were last touched December 17, 2014. Could somebody point me to the respective commits? Thanks and cheers

Just a little slow getting them in. Should be there now.

Kghbln added a comment.Apr 1 2015, 8:59 AM

Hey, great it has all happened. Thanks a ton. First I figured it was me. ;)

Kghbln awarded a token.Apr 1 2015, 8:59 AM

Change 201226 had a related patch set uploaded (by CSteipp):
SECURITY: Sanitize the content of Lua backtraces

https://gerrit.wikimedia.org/r/201226

Change 201226 merged by jenkins-bot:
SECURITY: Sanitize the content of Lua backtraces

https://gerrit.wikimedia.org/r/201226

csteipp updated the task description. Apr 9 2015, 11:18 PM