
XSS in ShortDescription extension
Closed, Resolved, Public

Description

On a wiki that has the ShortDescription extension enabled, XSS can be triggered on any page or on the page with the action=info parameter, which displays the shortdesc property. This is achieved using the wikitext {{SHORTDESC:<img src=x onerror=alert()>}}. This is due to the function sanitize() in ParserHooks.php, which returns trim( html_entity_decode( strip_tags( $shortDesc ), ENT_QUOTES, 'utf-8' ) );. This strips HTML tags, of which there are none in the payload due to being encoded representations, and then the encoded entities are decoded to the actual characters. It's not clear to me why html_entity_decode is called or what this function is trying to achieve; I think it makes more sense to just do trim( htmlspecialchars( $shortDesc ) );. Note: this won't apply retroactively to page props that already exist in the DB, so it wouldn't fix the vulnerability in the case that someone had already exploited it.
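As an added illustration (not the extension's own code, and not part of the report), the following PHP reproduces the sanitize() pipeline described above and contrasts it with escaping at output time, which is what the patch in this task ends up doing. The function names sanitize_vulnerable() and render_for_html() and the constructed sample input $shortDescFromParser are assumptions made for this example; the assumption that the parser hands sanitize() an entity-encoded string follows from the report's remark that the payload contains "encoded representations" rather than literal tags.

```php
<?php
// Example added to this task for illustration; not the ShortDescription
// extension's code. Shows why strip_tags() + html_entity_decode() does not
// neutralise an entity-encoded payload, and why escaping at the point of
// output does.

// Same shape as the sanitize() described in the report. strip_tags() finds
// no tags in entity-encoded input, then html_entity_decode() turns the
// entities back into live markup, which is what gets stored in page_props.
function sanitize_vulnerable( string $shortDesc ): string {
	return trim( html_entity_decode( strip_tags( $shortDesc ), ENT_QUOTES, 'utf-8' ) );
}

// Output-time escaping: whatever is stored (including values written before
// any fix) is escaped when it is placed into HTML. Flags and charset are
// given explicitly so behaviour does not depend on the PHP version's defaults.
function render_for_html( string $storedShortDesc ): string {
	return htmlspecialchars( $storedShortDesc, ENT_QUOTES, 'UTF-8' );
}

// Constructed sample of the entity-encoded string the parser would pass in.
$shortDescFromParser = '&lt;img src=x onerror=alert()&gt;';

// What ends up in page_props under the vulnerable sanitize().
$stored = sanitize_vulnerable( $shortDescFromParser );

// Pre-patch behaviour: the stored value is placed into the page unescaped.
$unsafeHtml = $stored;

// Patched behaviour: the stored value is escaped at output.
$safeHtml = render_for_html( $stored );

// Simple check a maintainer can run: the escaped output must not contain a
// raw '<', regardless of what sanitize() stored.
if ( strpos( $safeHtml, '<' ) !== false ) {
	throw new RuntimeException( 'output-time escaping failed' );
}

echo "stored in page_props: $stored\n";
echo "placed in HTML unescaped: $unsafeHtml\n";
echo "placed in HTML escaped:   $safeHtml\n";
```

Running this prints the stored value as a live img tag and the escaped value as entity text, which makes the report's two observations concrete: changing sanitize() alone leaves already-stored values live, whereas escaping at output covers both new and pre-existing page_props entries.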

Event Timeline

Dylsss renamed this task from XSS in ShortDescription to XSS in ShortDescription extension.Jan 16 2022, 00:24
Dylsss added a project: Extensions.
Unknown Object (User) added a comment.Jan 16 2022, 00:41

The extension has been disabled temporarily until it is patched and further steps can be taken. Thank you for the report.

Thanks for letting me know!

The original sanitization code came from the Wikibase extension.
html_entity_decode is called because clients are not necessarily HTML-based and using HTML tags as part of the description (i.e. with <nowiki> or such) should be possible.

I can do the sanitization on the JS side but I am not sure how to approach it with the page props table. Would you have some suggestion on it?

I see. This should be fine then, escapes the use on the page and in the info action. I don't think it's output unescaped anywhere else.

diff --git a/includes/Hooks/ActionsHooks.php b/includes/Hooks/ActionsHooks.php
index 053b75d..9109e46 100644
--- a/includes/Hooks/ActionsHooks.php
+++ b/includes/Hooks/ActionsHooks.php
@@ -32,7 +32,7 @@ class ActionsHooks implements InfoActionHook {
 
 		$pageInfo['header-basic'][] = [
 			$context->msg( 'shortdescription-info-label' ),
-			$shortdesc
+			htmlspecialchars( $shortdesc )
 		];
 	}
 }
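Review bot: `htmlspecialchars( $shortdesc )` in this hunk relies on PHP's default flags; before PHP 8.1 the default is ENT_COMPAT, which leaves single quotes unescaped, so pass the flags explicitly, e.g. `htmlspecialchars( $shortdesc, ENT_QUOTES, 'UTF-8' )`. Escaping here, at output, rather than in sanitize() also covers descriptions already stored in page_props, which the report noted a sanitize()-only change would not fix.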
diff --git a/modules/ext.shortDescription.js b/modules/ext.shortDescription.js
index f6e1d33..6cc87c7 100644
--- a/modules/ext.shortDescription.js
+++ b/modules/ext.shortDescription.js
@@ -7,7 +7,7 @@ function main() {
 		// Wikipedia uses shortdescription class
 		// Added for gadgets and extension compatibility
 		tagline.classList.add( 'ext-shortdesc', 'shortdescription' );
-		tagline.innerHTML = shortdesc;
+		tagline.innerHTML = mw.html.escape( shortdesc );
 	}
 }
 
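Review bot: since the value is now meant to be inserted as plain text, `tagline.textContent = shortdesc;` states that intent more directly than `tagline.innerHTML = mw.html.escape( shortdesc );` and avoids an HTML parse of the string altogether. `mw.html.escape` does escape `&`, `<`, `>`, `"` and `'`, so the line as written is correct; this is a style point.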
Reception123 lowered the priority of this task from High to Normal.Jan 20 2022, 07:42
Reception123 added a project: Upstream.

This needs to be fixed upstream and since there's nothing further that can be done by Miraheze I don't see why it should be High priority.

@Dylsss Are you planning on making an upstream task/CR?

Unknown Object (User) added a comment.Jan 20 2022, 09:42

@Dylsss Are you planning on making an upstream task/CR?

I talked with the developer. They plan to push a patch tomorrow.

In T8609#174988, @Universal_Omega wrote:

@Dylsss Are you planning on making an upstream task/CR?

I talked with the developer. They plan to push a patch tomorrow.

Great!

Reception123 changed the task status from Open to Stalled.Jan 21 2022, 08:28

Stalling until patch is available as there's nothing we can do until then

Unknown Object (User) changed the task status from Stalled to Open.Jan 21 2022, 08:42

@Alistair3149 has just told me it should be fixed now. We should update.

Reception123 assigned this task to Unknown Object (User).Jan 21 2022, 11:28

Updated. Assigning @Universal_Omega to review again before re-enabling.

Unknown Object (User) closed this task as Resolved.Jan 21 2022, 23:38

Re-enabled extension. Thank you for this report. If there are no objections (@Alistair3149?) this task could be made public.

Unknown Object (User) moved this task from Backlog to Actions Needed (Review) on the Extensions board.Jan 21 2022, 23:39
Unknown Object (User) moved this task from Actions Needed (Review) to Deployed Extension Bugs on the Extensions board.
Unknown Object (User) moved this task from Backlog to Short Term on the MediaWiki (SRE) board.
Unknown Object (User) moved this task from Unsorted to Short Term on the Universal Omega board.
Unknown Object (User) added a comment.Jan 28 2022, 19:25

CVE-2022-21710

John changed the visibility from "Custom Policy" to "Public (No Login Required)".Apr 3 2022, 13:14
John changed the edit policy from "Custom Policy" to "All Users".