
Stored XSS in GlobalNewFiles (CVE-2021-39186)
Closed, ResolvedPublic

Description

Steps to reproduce:

  • Register a new account with the username " onclick="alert(document.domain)
  • Upload a new file
  • Visit Special:GlobalNewFiles (with a privileged account, if you want)
  • Click on the username

Results:

  • Clicking on the URL should lead to the user's CentralAuth page instead of executing JavaScript specified in the username

Recommended fix:

  • Use MediaWiki's own helpers (Html, LinkRenderer, ...) instead of hand-crafting URLs, apply htmlspecialchars() where necessary
    • Quick example:
                        case 'files_user':
-                               $formatted = "<a href=\"/wiki/Special:CentralAuth/{$row->files_user}\">{$row->files_user}</a>";
+                               $formatted = MediaWikiServices::getInstance()->getLinkRenderer()->makeLink(
+                                       SpecialPage::getTitleFor( 'CentralAuth', $row->files_user ),
+                                       $row->files_user
+                               );
                                break;
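      Review bot: the `+` lines call `MediaWikiServices` and `SpecialPage` but the snippet does not show the imports; the patch needs `use MediaWiki\MediaWikiServices;` (and the matching `use` for `SpecialPage` if the file is namespaced) or the `files_user` case will fatal on an undefined class. Passing `$row->files_user` as a plain string to `makeLink()` is the right choice, since LinkRenderer escapes a string text argument and builds the href from the Title; do not wrap it in `HtmlArmor`, which would reintroduce the unescaped output this task is about.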
  • Use static analysis tools such as Phan to find some (although not this one) security issues
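Added example, not the extension's or the reporter's code: it shows the two-context escaping the recommended fix relies on, and a parser-based regression check run over the username from the reproduction steps. Because LinkRenderer needs a MediaWiki install, the fixed variant stands in htmlspecialchars()/rawurlencode() for makeLink(); the function names are hypothetical.

```php
<?php
// Added example, not GlobalNewFiles' own code. Requires the DOM extension.

// The pattern from the '-' line of the report: username interpolated raw
// into both the href attribute and the link text. Kept only for the check.
function formatUserLinkUnsafe( string $user ): string {
    return "<a href=\"/wiki/Special:CentralAuth/{$user}\">{$user}</a>";
}

// Hypothetical stand-in for LinkRenderer::makeLink(): the username lands in
// two contexts, each with its own encoding. The URL path segment gets
// rawurlencode(); the attribute value and the element text get
// htmlspecialchars() with ENT_QUOTES so a double quote cannot close the attribute.
function formatUserLink( string $user ): string {
    $path = '/wiki/Special:CentralAuth/' . rawurlencode( $user );
    $escPath = htmlspecialchars( $path, ENT_QUOTES | ENT_HTML5, 'UTF-8' );
    $escText = htmlspecialchars( $user, ENT_QUOTES | ENT_HTML5, 'UTF-8' );
    return '<a href="' . $escPath . '">' . $escText . '</a>';
}

// Regression check: parse the rendered cell and confirm it is exactly one <a>
// whose only attribute is href and whose text is the unmodified username.
// Any extra attribute (such as an injected onclick) fails the check.
function linkIsInert( string $html, string $user ): bool {
    $doc = new DOMDocument();
    $doc->loadHTML( $html, LIBXML_NOERROR | LIBXML_NOWARNING );
    $anchors = $doc->getElementsByTagName( 'a' );
    if ( $anchors->length !== 1 ) {
        return false;
    }
    $a = $anchors->item( 0 );
    foreach ( $a->attributes as $attr ) {
        if ( $attr->name !== 'href' ) {
            return false;
        }
    }
    return $a->textContent === $user
        && $a->getAttribute( 'href' ) === '/wiki/Special:CentralAuth/' . rawurlencode( $user );
}

// The username from the report's reproduction steps.
$user = '" onclick="alert(document.domain)';
foreach ( [ 'unsafe' => formatUserLinkUnsafe( $user ), 'fixed' => formatUserLink( $user ) ] as $label => $html ) {
    printf( "%-6s %s  %s\n", $label, linkIsInert( $html, $user ) ? 'inert' : 'UNSAFE', $html );
}
```

The same parse-and-inspect check can be dropped into the extension's PHPUnit tests so that any future hand-built markup in this special page is caught before release.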

Event Timeline

@Majavah: there should be an option above to create a private patch, please feel free to ^

RhinosF1 moved this task from Backlog to Bugs on the GlobalNewFiles board.
RhinosF1 moved this task from Backlog to Short Term on the MediaWiki (SRE) board.
RhinosF1 renamed this task from Stored XSS in GlobalNewFiles to Stored XSS in GlobalNewFiles (CVE-TBC). Sep 1 2021, 19:10
RhinosF1 closed this task as Resolved.
RhinosF1 changed the visibility from "Custom Policy" to "Public (No Login Required)".
RhinosF1 changed the edit policy from "Custom Policy" to "All Users".
RhinosF1 renamed this task from Stored XSS in GlobalNewFiles (CVE-TBC) to Stored XSS in GlobalNewFiles (CVE-2021-39186). Edited Sep 1 2021, 20:50

GitHub has issued CVE-2021-39186 for this Security Advisory after reviewing it for compliance with CVE rules. Once you've published your Security Advisory, we'll publish the CVE to the CVE List.

Thank you for making the open source ecosystem more secure by fixing and responsibly disclosing this vulnerability.