Page MenuHomePhabricator

Arbitrary HTML output possible
Closed, ResolvedPublic


Widgets is inherently insecure as it trusts the base64 encoded content on the page to be safe to decode and output. Its first line of "defense" is to include a laughably easy to obtain secret key along with the encoded content (see T41883). Next is to mark the content as HTML which shouldn't be parsed so it is hidden in the parser with a UNIQ marker. This defense is an improvement as you need to have a way to retrieve the content which the UNIQ marker represents to be able to then obtain the secret key. Prior to T63268 being fixed, this could be accomplished with Scribunto's mw.text.unstrip function. So while this isn't an issue for sites using a more recent version of Scribunto, it is for previous versions, and if any other method can be found to reveal the content behind the UNIQ marker, it will be insecure again.

The solution is to stop trying to hide the insecurity, and instead not be insecure in the first place by not trusting the content on the page. The way to do this is simple, and is the same as what the UNIQ marker already does: store an index on the page, and use that to retrieve the content from an array. This will also be faster as it doesn't have to pointlessly base64 encode and decode the content.

Event Timeline

Maniphest changed the visibility from "Public (No Login Required)" to "Custom Policy".Feb 9 2015, 9:27 AM
Maniphest changed the edit policy from "All Users" to "Custom Policy".
Majr updated the task description. (Show Details)
Majr changed Security from None to Software security bug.
Majr edited subscribers, added: Majr; removed: Aklapper.

Why did you upload a public patch for a private security bug?

Thanks for reporting and contributing a patch for this @Majr.

In the future, please do attach security patches here in Phabricator instead of uploading them to gerrit. I realized didn't make that explicit, so I've updated the documentation there.

We're due for a mediawiki release in the near future, so we'll include the announcement for this when we do that release. Even though this isn't run by the WMF (that I know of), it looks like it has a fairly large number of users on wikiapiary.

Since that page didn't say anything special for security patches, the patch itself doesn't demonstrate or give any hints as to how to exploit the bug, and it's been like this for over two years and requires an old version of Scribunto or an old version of Widgets, it didn't seem like it'd matter much.

I'll be sure to upload the patch here in the future. :)

@JeroenDeDauw or @Yaron_Koren, would one of you be able to merge I'd like to announce this update next week.

I merged in the patch a while ago - closing this bug now.

csteipp changed the visibility from "Custom Policy" to "Public (No Login Required)".Aug 10 2015, 10:00 PM
csteipp changed the edit policy from "Custom Policy" to "All Users".
csteipp changed Security from Software security bug to None.

CVE-2015-6737 was assigned for this.