
Arbitrary HTML output possible
Closed, Resolved (Public)

Description

Widgets is inherently insecure as it trusts the base64 encoded content on the page to be safe to decode and output. Its first line of "defense" is to include a laughably easy to obtain secret key along with the encoded content (see T41883). Next is to mark the content as HTML which shouldn't be parsed so it is hidden in the parser with a UNIQ marker. This defense is an improvement as you need to have a way to retrieve the content which the UNIQ marker represents to be able to then obtain the secret key. Prior to T63268 being fixed, this could be accomplished with Scribunto's mw.text.unstrip function. So while this isn't an issue for sites using a more recent version of Scribunto, it is for previous versions, and if any other method can be found to reveal the content behind the UNIQ marker, it will be insecure again.

The solution is to stop trying to hide the insecurity, and instead not be insecure in the first place by not trusting the content on the page. The way to do this is simple, and is the same as what the UNIQ marker already does: store an index on the page, and use that to retrieve the content from an array. This will also be faster as it doesn't have to pointlessly base64 encode and decode the content.
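The following is an added illustration of the two designs contrasted above; it is not code from the Widgets extension or from MediaWiki, and all names in it (`trusting_unstrip`, `WidgetStore`, `forged_marker`, `demo`, the marker syntax and the sample secret) are assumptions made for the example. The first half models the "hide it with a key" approach, where base64 HTML plus a secret travel inside the page and anything carrying the right key is decoded; the second half models the proposed fix, where rendered HTML stays in a server-side array and only an opaque index is written into the page, so a marker is honoured only if it was issued during the current parse and anything else is escaped as inert text.

```python
import base64
import html
import re
import secrets

# --- the pattern the task describes as insecure ---------------------------------

# Constructed marker syntax for the "hide it with a key" approach.
TRUSTING_MARKER = re.compile(r"<!--WIDGET:([A-Za-z0-9+/=]+):([A-Za-z0-9]+)-->")


def trusting_unstrip(text: str, secret: str) -> str:
    """Decode every marker whose key matches; the content itself is trusted."""
    def repl(m: re.Match) -> str:
        if m.group(2) != secret:
            return html.escape(m.group(0))
        return base64.b64decode(m.group(1)).decode("utf-8")
    return TRUSTING_MARKER.sub(repl, text)


# --- the index-based approach the task proposes ---------------------------------

class WidgetStore:
    """Keeps rendered widget HTML server-side for the duration of one parse.

    Only an opaque marker is written into the page. On unstrip, a marker is
    honoured only if this object issued it; any other marker is inert text.
    """
    MARKER = re.compile(r"<!--WIDGET-([0-9a-f]{16})-->")

    def __init__(self) -> None:
        self._items: dict[str, str] = {}
        self._nonce = secrets.token_hex(4)   # 8 hex chars, fresh per parse
        self._counter = 0

    def add(self, rendered_html: str) -> str:
        """Store HTML produced by a trusted widget and return its marker."""
        key = f"{self._nonce}{self._counter:08x}"
        self._counter += 1
        self._items[key] = rendered_html
        return f"<!--WIDGET-{key}-->"

    def unstrip(self, text: str) -> str:
        """Swap issued markers back for their HTML; escape everything else."""
        def repl(m: re.Match) -> str:
            stored = self._items.get(m.group(1))
            return stored if stored is not None else html.escape(m.group(0))
        return self.MARKER.sub(repl, text)


def forged_marker(attacker_html: str, leaked_secret: str) -> str:
    """Marker an editor could write once the key is known (constructed input)."""
    encoded = base64.b64encode(attacker_html.encode("utf-8")).decode("ascii")
    return f"<!--WIDGET:{encoded}:{leaked_secret}-->"


def demo() -> dict:
    """Run both designs over page text containing a marker the editor wrote."""
    secret = "s3cret"                      # constructed; not a real key
    widget_html = '<div class="widget">weather: sunny</div>'
    injected = "<b>attacker-chosen HTML</b>"

    # Trusting design: a marker written into the page body is decoded verbatim.
    page1 = "Intro. " + forged_marker(injected, secret)
    trusting_out = trusting_unstrip(page1, secret)

    # Index design: only markers the store issued during this parse resolve;
    # a hand-written index is escaped instead of looked up.
    store = WidgetStore()
    page2 = "Intro. " + store.add(widget_html) + " <!--WIDGET-0000000000000000-->"
    index_out = store.unstrip(page2)

    return {"trusting": trusting_out, "index": index_out}


if __name__ == "__main__":
    for name, output in demo().items():
        print(name, "->", output)
```

The per-parse random prefix in `WidgetStore` is what makes the index opaque: a marker copied from a previously saved revision, or guessed, cannot match an entry in the current store, so the lookup fails closed and the marker text is escaped rather than trusted. Note also that nothing is base64-encoded or decoded on the index path, which is the speed gain the description mentions.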

Event Timeline

Maniphest changed the visibility from "Public (No Login Required)" to "Custom Policy". Feb 9 2015, 9:27 AM
Maniphest changed the edit policy from "All Users" to "Custom Policy".
Majr updated the task description.
Majr changed Security from None to Software security bug.
Majr edited subscribers, added: Majr; removed: Aklapper.

Why did you upload a public patch for a private security bug?

Thanks for reporting and contributing a patch for this @Majr.

In the future, please do attach security patches here in Phabricator instead of uploading them to gerrit. I realized https://www.mediawiki.org/wiki/Reporting_security_bugs didn't make that explicit, so I've updated the documentation there.

We're due for a MediaWiki release in the near future, so we'll include the announcement for this when we do that release. Even though this isn't run by the WMF (that I know of), it looks like it has a fairly large number of users on wikiapiary.

Since that page didn't say anything special for security patches, the patch itself doesn't demonstrate or give any hints as to how to exploit the bug, and it's been like this for over two years and requires an old version of Scribunto or an old version of Widgets, it didn't seem like it'd matter much.

I'll be sure to upload the patch here in the future. :)

@JeroenDeDauw or @Yaron_Koren, would one of you be able to merge https://gerrit.wikimedia.org/r/#/c/189449/? I'd like to announce this update next week.

I merged in the patch a while ago - closing this bug now.

csteipp changed the visibility from "Custom Policy" to "Public (No Login Required)". Aug 10 2015, 10:00 PM
csteipp changed the edit policy from "Custom Policy" to "All Users".
csteipp changed Security from Software security bug to None.

CVE-2015-6737 was assigned for this.