Reflected XSS in api.php using wddx formatting
Closed, Resolved (Public)

Description

FINDING ID: iSEC-WMF1214-8

DESCRIPTION: The API supports multiple data output formats, some of which have recently been
deprecated. The wddx output format will return a response with Content-Type: text/xml . The
response always indicates that the wddx output format has been deprecated and instructs the API
user to use the json format instead. However, if an API request with this output format is sent to
api.php with an invalid parameter, the response will also include an error message that reflects the
user-supplied parameter without any output encoding. This allows an attacker to inject XML, which
can be used to trick the browser into interpreting the response as XHTML and executing injected
JavaScript. To exploit this vulnerability, an attacker can craft a simple URL that, when clicked by
a MediaWiki user, will execute arbitrary JavaScript in their browser session for that domain. The
following URL will execute JavaScript that pops up an alert window on the resulting MediaWiki page,
demonstrating a reflected XSS attack.

http://devwiki/w/api.php?action=flow&format=wddx&submodule=invalid%3C/string%3E%3Cfoo%3E%0A%3Chtml%20xmlns%3ahtml%3d%27http%3a%2f%2fwww.w3.org%2f1999%2fxhtml%27%3E%0A%20%3Chtml%3ascript%3Ealert(%22Reflected%20XSS!%22)%3b%3C%2fhtml%3ascript%3E%0A%3C%2fhtml%3E%0A%3C%2ffoo%3E%3Cstring%3E&page=User_talk%3AAdmin&ntreplyTo=&nttopic=Flow&ntcontent=flowwwww&token=3b44a9711080c52414b4d1f05682590554a1ead0%2B

This exploit works on several browsers that iSEC tested and bypasses Chrome's anti-XSS filters, making
it especially effective.


Patch:

  • 1.24:

Affected Versions: MediaWiki on HHVM before 3.6.1
Type: xss
CVE: CVE-2015-2941
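
Added example, not code from MediaWiki, HHVM or the iSEC report: the Python below models the reflection the finding describes (an API error message dropped into a wddx `<string>` element without XML escaping, beside the escaped form that the fix amounts to) and gives a check that tells a vulnerable response from a fixed one. The proof-of-concept URL is copied from above and its `submodule` value decoded; the packet layout, the error message text and the response headers are constructed for the example and are not the API's exact output.

```python
# Added example; not MediaWiki, HHVM or iSEC code. Packet layout, error text
# and headers are constructed for illustration, not copied from the API.
import html
import urllib.parse
import xml.etree.ElementTree as ET

XHTML_NS = "http://www.w3.org/1999/xhtml"
# Content types a browser hands to its XML parser, which is what lets the
# injected XHTML-namespace <script> run.
XML_TYPES = ("text/xml", "application/xml", "application/xhtml+xml")

# The proof-of-concept URL from the finding, copied verbatim.
POC_URL = ("http://devwiki/w/api.php?action=flow&format=wddx&submodule=invalid%3C/string%3E%3Cfoo%3E%0A"
           "%3Chtml%20xmlns%3ahtml%3d%27http%3a%2f%2fwww.w3.org%2f1999%2fxhtml%27%3E%0A%20%3Chtml%3ascript"
           "%3Ealert(%22Reflected%20XSS!%22)%3b%3C%2fhtml%3ascript%3E%0A%3C%2fhtml%3E%0A%3C%2ffoo%3E%3Cstring%3E"
           "&page=User_talk%3AAdmin&ntreplyTo=&nttopic=Flow&ntcontent=flowwwww"
           "&token=3b44a9711080c52414b4d1f05682590554a1ead0%2B")


def injected_parameter(url, name="submodule"):
    """Decodes one query parameter of the PoC URL so the injected XML can be read and reused."""
    query = urllib.parse.urlsplit(url).query
    return urllib.parse.parse_qs(query)[name][0]


def wddx_string_unescaped(value):
    """The bug: the value lands inside <string> verbatim, so a '</string>' in it closes the element."""
    return "<string>%s</string>" % value


def wddx_string_escaped(value):
    """The fix: XML-escape &, < and > so the value can only ever be text content."""
    return "<string>%s</string>" % html.escape(value, quote=False)


def wddx_error_response(serialize, bad_value):
    """A wddx packet shaped like the deprecation-warning-plus-error reply (constructed layout)."""
    message = "Unrecognized value for parameter 'submodule': %s" % bad_value
    return (
        '<?xml version="1.0"?>'
        "<wddxPacket version='1.0'><header/><data><struct>"
        "<var name='warnings'><string>The wddx format is deprecated; use json instead.</string></var>"
        "<var name='error'>%s</var>"
        "</struct></data></wddxPacket>"
    ) % serialize(message)


def error_text(body):
    """The error <string> as an XML parser sees it. Escaped correctly, it carries the whole
    parameter; with the bug, it ends at the attacker's first '</string>'."""
    root = ET.fromstring(body)
    return root.find("./data/struct/var[@name='error']/string").text


def xhtml_elements(body):
    """Tags of every element in the XHTML namespace. A clean wddx packet has none."""
    root = ET.fromstring(body)
    return [el.tag for el in root.iter() if el.tag.startswith("{%s}" % XHTML_NS)]


def is_reflected_xss(content_type, body):
    """True when a browser would parse the body as XML and it carries an XHTML <script>.
    The PoC re-opens <string> at its end so the packet stays well-formed; a malformed
    packet gets a parser error page in the browser instead of a script run."""
    mime = content_type.split(";", 1)[0].strip().lower()
    if mime not in XML_TYPES:
        return False
    try:
        return "{%s}script" % XHTML_NS in xhtml_elements(body)
    except ET.ParseError:
        return False


if __name__ == "__main__":
    probe = injected_parameter(POC_URL)
    for label, serialize in (("unescaped (bug)", wddx_string_unescaped),
                             ("escaped (fix)", wddx_string_escaped)):
        body = wddx_error_response(serialize, probe)
        print(label, "-> reflected XSS:", is_reflected_xss("text/xml; charset=utf-8", body))
```

Two details worth noticing when reading the output: the payload ends with a fresh `<string>` so that the whole packet remains well-formed XML, which is what makes the browser render it rather than show a parse error; and the `is_reflected_xss` check returns false for a JSON content type even with the unescaped body, which is why the deprecation notice pointing users at `format=json` did not by itself remove the risk from the still-served `text/xml` response.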

csteipp created this task.Jan 5 2015, 8:49 PM
csteipp updated the task description.
csteipp raised the priority of this task from to High.
csteipp changed the visibility from "Public (No Login Required)" to "Security (Project)".
csteipp changed the edit policy from "All Users" to "Security (Project)".
csteipp changed Security from None to Software security bug.
csteipp added subscribers: csteipp, Anomie.
Restricted Application changed the visibility from "Security (Project)" to "Custom Policy". Jan 5 2015, 8:49 PM
Restricted Application changed the edit policy from "Security (Project)" to "Custom Policy".
Anomie added a comment.Jan 5 2015, 9:05 PM

This appears to only affect HHVM, and should be fixed by the upstream change https://github.com/facebook/hhvm/commit/324701c9fd31beb4f070f1b7ef78b115fbdfec34 that fixed T75531.

It should also be fixed by Gerrit change 181580 which implemented a better workaround in MediaWiki for the HHVM bug behind T75531.

csteipp added subscribers: Joe, ori.Jan 7 2015, 6:14 PM

This appears to only affect HHVM, and should be fixed by the upstream change https://github.com/facebook/hhvm/commit/324701c9fd31beb4f070f1b7ef78b115fbdfec34 that fixed T75531.

@Joe, @ori, what's the process for getting hhvm upgraded on the cluster?

Anomie added a comment.Jan 8 2015, 2:07 PM

I note that testwiki is no longer exhibiting the vulnerability, now that it is on 1.25wmf14 (which includes Gerrit change 181580)

It should also be fixed by Gerrit change 181580 which implemented a better workaround in MediaWiki for the HHVM bug behind T75531.

Should we backport this for people who might be running older HHVM versions?

If we do decide to backport it (since it only affects certain versions of HHVM, maybe we shouldn't), only the changes in https://gerrit.wikimedia.org/r/#/c/181580/7/includes/api/ApiFormatWddx.php are needed. And, for that matter, only ApiFormatWddx::useSlowPrinter() and the change on line 41 to use it are needed.

Haven't been able to install an older version of HHVM to test it.

You've got a few extraneous changes in there (the two spacing-change bits at the end of the first block). Otherwise it looks like it should do it.

Removes the spacing changes.

Code-Review: +1

Anomie moved this task from Unsorted to Needs Review on the MediaWiki-API board.Feb 19 2015, 6:04 PM
csteipp updated the task description. Mar 18 2015, 12:09 AM
csteipp added a project: Vuln-XSS.
csteipp updated the task description. Mar 28 2015, 5:27 AM
csteipp closed this task as Resolved.
csteipp claimed this task.
bd808 moved this task from Backlog to Done on the MediaWiki-Core-Team board.Mar 30 2015, 7:21 PM
csteipp changed the visibility from "Custom Policy" to "Custom Policy".Mar 31 2015, 12:37 PM
csteipp changed the visibility from "Custom Policy" to "Public (No Login Required)".Mar 31 2015, 9:15 PM
csteipp changed the edit policy from "Custom Policy" to "All Users".
csteipp changed Security from Software security bug to None.

Change 201020 had a related patch set uploaded (by CSteipp):
SECURITY: Fix reflected XSS in API with wddx output under HHVM

https://gerrit.wikimedia.org/r/201020

Change 201020 merged by jenkins-bot:
SECURITY: Fix reflected XSS in API with wddx output under HHVM

https://gerrit.wikimedia.org/r/201020

csteipp updated the task description. Apr 9 2015, 11:26 PM

CVE assignment:

It seems that the major concern here is the HHVM vulnerability fixed by the https://github.com/facebook/hhvm/commit/324701c9fd31beb4f070f1b7ef78b115fbdfec34 commit. Use CVE-2014-9714 for that HHVM vulnerability.

As far as we can tell, T85851 is recommending https://gerrit.wikimedia.org/r/#/c/201020/1/includes/api/ApiFormatWddx.php,unified as a vulnerability fix for MediaWiki deployments that use an older version of HHVM. Use CVE-2015-2941 for this MediaWiki vulnerability in which unsafe calls to wddx_serialize_value can occur.