Page MenuHomePhabricator
Create Task
Maniphest T85113

Function names aren't sanitized in Lua error backtraces
Closed, ResolvedPublic
Actions

Description

Function names in Scribunto's Lua error backtraces are displayed to the user without being sanitized, allowing XSS attacks. Proof-of-concept:

local p = {}

p['<script>alert("XSS")</script>'] = function()
	error('CLICK ME')
end

function p.main(frame)
	p['<script>alert("XSS")</script>']()
end

return p

If a user, in order to view the backtrace, clicks on the error message generated by invoking p.main(), the script will run.

Patch:

0001-SECURITY-Sanitize-the-content-of-Lua-backtraces.patch2 KBDownload

  • 1.24:
    0001-SECURITY-Sanitize-the-content-of-Lua-backtraces.patch2 KBDownload
  • 1.23:
    0001-SECURITY-Sanitize-the-content-of-Lua-backtraces.patch2 KBDownload

Affected Versions: (needed)
Type: xss
CVE: CVE-2015-2939

Details

SubjectRepoBranchLines +/-
SECURITY: Sanitize the content of Lua backtracesmediawiki/extensions/Scribuntomaster+10 -8
SECURITY: Sanitize the content of Lua backtracesmediawiki/extensions/ScribuntoREL1_23+10 -8
SECURITY: Sanitize the content of Lua backtracesmediawiki/extensions/ScribuntoREL1_24+10 -8
Customize query in gerrit

Related Objects
Search...

Event Timeline

Jackmcbarn created this task.Dec 21 2014, 9:07 PM
Jackmcbarn raised the priority of this task from to Unbreak Now!.
Jackmcbarn updated the task description. (Show Details)
Jackmcbarn added projects: Scribunto, acl*security.
Jackmcbarn changed Security from none to Software security bug.
Jackmcbarn subscribed.
Restricted Application changed the visibility from "Public (No Login Required)" to "Custom Policy". · View Herald TranscriptDec 21 2014, 9:07 PM
Restricted Application changed the edit policy from "All Users" to "Custom Policy". · View Herald Transcript
Jackmcbarn added a comment.Dec 21 2014, 9:11 PM

git.diff1 KBDownload

The attached patch ensures that all text used in the backtrace is properly sanitized.

Restricted Application changed the visibility from "Custom Policy" to "Custom Policy". · View Herald TranscriptDec 21 2014, 9:11 PM
Restricted Application changed the edit policy from "Custom Policy" to "Custom Policy". · View Herald Transcript
Jackmcbarn added a comment.Dec 22 2014, 5:23 PM

0001-SECURITY-Sanitize-the-content-of-Lua-backtraces.patch1 KBDownload

Same patch with full metadata.

Restricted Application changed the visibility from "Custom Policy" to "Custom Policy". · View Herald TranscriptDec 22 2014, 5:23 PM
Restricted Application changed the edit policy from "Custom Policy" to "Custom Policy". · View Herald Transcript
Jackmcbarn added a comment.Dec 22 2014, 5:43 PM

0001-SECURITY-Sanitize-the-content-of-Lua-backtraces.patch2 KBDownload

After discussing with Anomie on IRC, change the messages so that they can contain wikitext, just not HTML.

Restricted Application changed the visibility from "Custom Policy" to "Custom Policy". · View Herald TranscriptDec 22 2014, 5:43 PM
Restricted Application changed the edit policy from "Custom Policy" to "Custom Policy". · View Herald Transcript
Anomie subscribed.Dec 22 2014, 7:04 PM

Deployed to the cluster in 1.25wmf12 and 1.25wmf13. Not sure what else needs doing.

Restricted Application changed the visibility from "Custom Policy" to "Custom Policy". · View Herald TranscriptDec 22 2014, 7:04 PM
Restricted Application changed the edit policy from "Custom Policy" to "Custom Policy". · View Herald Transcript
csteipp added a parent task: T87275: MediaWiki Security release 1.24.2.Jan 20 2015, 11:08 PM
csteipp closed this task as Resolved.Jan 20 2015, 11:15 PM
csteipp claimed this task.
csteipp subscribed.

We'll announce this with the 1.24.2 release.

csteipp updated the task description. (Show Details)Mar 17 2015, 11:55 PM
csteipp added a project: Vuln-XSS.
csteipp added subscribers: Grunny, ProgramCeltic.Mar 30 2015, 8:01 PM
csteipp changed the visibility from "Custom Policy" to "Custom Policy".Mar 31 2015, 12:36 PM
csteipp changed the visibility from "Custom Policy" to "Public (No Login Required)".Mar 31 2015, 9:14 PM
csteipp changed the edit policy from "Custom Policy" to "All Users".
csteipp changed Security from Software security bug to None.
Ricordisamoa subscribed.Mar 31 2015, 9:27 PM
Kghbln subscribed.Mar 31 2015, 10:35 PM

Admittedly I am a bit confused here. The patches date from December 22, 2014 though the REL1_23 and REL1_24 branches were last touched December 17, 2014. Could somebody point me to the respective commits? Thanks and cheers

gerritbot subscribed.Mar 31 2015, 10:39 PM

Change 201055 had a related patch set uploaded (by CSteipp):
SECURITY: Sanitize the content of Lua backtraces

https://gerrit.wikimedia.org/r/201055

gerritbot added a project: Patch-For-Review.Mar 31 2015, 10:39 PM
gerritbot added a comment.Mar 31 2015, 10:42 PM

Change 201056 had a related patch set uploaded (by CSteipp):
SECURITY: Sanitize the content of Lua backtraces

https://gerrit.wikimedia.org/r/201056

gerritbot added a comment.Mar 31 2015, 10:43 PM

Change 201055 merged by CSteipp:
SECURITY: Sanitize the content of Lua backtraces

https://gerrit.wikimedia.org/r/201055

gerritbot added a comment.Mar 31 2015, 10:43 PM

Change 201056 merged by CSteipp:
SECURITY: Sanitize the content of Lua backtraces

https://gerrit.wikimedia.org/r/201056

Jackmcbarn mentioned this in rMEXT6d6588733f98: Updated mediawiki/extensions Project: mediawiki/extensions/Scribunto….Mar 31 2015, 10:43 PM
csteipp added a comment.Mar 31 2015, 10:44 PM
In T85113#1168651, @Kghbln wrote:

Admittedly I am a bit confused here. The patches date from December 22, 2014 though the REL1_23 and REL1_24 branches were last touched December 17, 2014. Could somebody point me to the respective commits? Thanks and cheers

Just a little slow getting them in. Should be there now.

csteipp mentioned this in rELUA9ac005b34808: SECURITY: Sanitize the content of Lua backtraces.Mar 31 2015, 10:44 PM
csteipp mentioned this in rELUAb060fbd3296e: SECURITY: Sanitize the content of Lua backtraces.
Kghbln added a comment.Apr 1 2015, 8:59 AM

Hey, great it has all happened. Thanks on ton. First I figured it was me. ;)

Kghbln awarded a token.Apr 1 2015, 8:59 AM
gerritbot added a comment.Apr 1 2015, 5:02 PM

Change 201226 had a related patch set uploaded (by CSteipp):
SECURITY: Sanitize the content of Lua backtraces

https://gerrit.wikimedia.org/r/201226

gerritbot added a comment.Apr 1 2015, 5:18 PM

Change 201226 merged by jenkins-bot:
SECURITY: Sanitize the content of Lua backtraces

https://gerrit.wikimedia.org/r/201226

Jackmcbarn mentioned this in rMEXT268e198716d3: Updated mediawiki/extensions Project: mediawiki/extensions/Scribunto….Apr 1 2015, 5:18 PM
csteipp mentioned this in rELUA6ffde66c77c0: SECURITY: Sanitize the content of Lua backtraces.Apr 1 2015, 5:19 PM
csteipp updated the task description. (Show Details)Apr 9 2015, 11:18 PM
Ricordisamoa removed a project: Patch-For-Review.Apr 10 2015, 1:50 AM
chasemp added a project: Security.Feb 10 2020, 10:50 PM
chasemp removed a project: acl*security.Feb 20 2020, 8:11 PM
Aklapper removed a subscriber: Anomie.Oct 16 2020, 5:38 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL