
Vuln-XSS (Tag)
Status: Active, Public


Details

Description

This tag is used to group security bugs by their general classification. These bugs allow an attacker to run JavaScript in another user's browser (Cross-site Scripting / XSS). See OWASP Top 10 2017 - A7.

Parent project: Security-Team

Recent Activity

Mon, Nov 18

matmarex added a comment to T379677: FancyCaptcha uses unescaped i18n messages.

Thanks!

Mon, Nov 18, 5:13 PM · SecTeam-Processed, Vuln-XSS, MediaWiki-Platform-Team, ConfirmEdit (CAPTCHA extension), Security, Security-Team
sbassett moved T379677: FancyCaptcha uses unescaped i18n messages from Incoming to Our Part Is Done on the Security-Team board.
Mon, Nov 18, 4:44 PM · SecTeam-Processed, Vuln-XSS, MediaWiki-Platform-Team, ConfirmEdit (CAPTCHA extension), Security, Security-Team
sbassett closed T379677: FancyCaptcha uses unescaped i18n messages as Resolved.
Mon, Nov 18, 4:40 PM · SecTeam-Processed, Vuln-XSS, MediaWiki-Platform-Team, ConfirmEdit (CAPTCHA extension), Security, Security-Team
sbassett updated subscribers of T379677: FancyCaptcha uses unescaped i18n messages.
Mon, Nov 18, 4:40 PM · SecTeam-Processed, Vuln-XSS, MediaWiki-Platform-Team, ConfirmEdit (CAPTCHA extension), Security, Security-Team
matmarex added a comment to T379677: FancyCaptcha uses unescaped i18n messages.

Resolved now, right? Or are you waiting for the MW release to close this?

Mon, Nov 18, 4:28 PM · SecTeam-Processed, Vuln-XSS, MediaWiki-Platform-Team, ConfirmEdit (CAPTCHA extension), Security, Security-Team

Thu, Nov 14

Jdforrester-WMF added a project to T377222: Don’t use raw HTML messages in safe mode: MW-1.44-notes (1.44.0-wmf.4; 2024-11-19).
Thu, Nov 14, 3:01 PM · MW-1.44-notes (1.44.0-wmf.4; 2024-11-19), SecTeam-Processed, Vuln-XSS, Vuln-Misconfiguration, I18n, MediaWiki-Internationalization, Security, Security-Team
gerritbot added a comment to T377222: Don’t use raw HTML messages in safe mode.

Change #1090551 merged by jenkins-bot:

[mediawiki/extensions/WikibaseMediaInfo@master] Avoid unnecessary use of RawHtmlMessages

https://gerrit.wikimedia.org/r/1090551

Thu, Nov 14, 2:46 PM · MW-1.44-notes (1.44.0-wmf.4; 2024-11-19), SecTeam-Processed, Vuln-XSS, Vuln-Misconfiguration, I18n, MediaWiki-Internationalization, Security, Security-Team

Wed, Nov 13

sbassett added a parent task for T379677: FancyCaptcha uses unescaped i18n messages: Restricted Task.
Wed, Nov 13, 3:26 PM · SecTeam-Processed, Vuln-XSS, MediaWiki-Platform-Team, ConfirmEdit (CAPTCHA extension), Security, Security-Team
Tgr added a comment to T379677: FancyCaptcha uses unescaped i18n messages.

Pushed as https://gerrit.wikimedia.org/r/c/mediawiki/extensions/ConfirmEdit/+/1090816

Wed, Nov 13, 10:48 AM · SecTeam-Processed, Vuln-XSS, MediaWiki-Platform-Team, ConfirmEdit (CAPTCHA extension), Security, Security-Team

Tue, Nov 12

sbassett updated subscribers of T379677: FancyCaptcha uses unescaped i18n messages.

Tue, Nov 12, 10:11 PM · SecTeam-Processed, Vuln-XSS, MediaWiki-Platform-Team, ConfirmEdit (CAPTCHA extension), Security, Security-Team
gerritbot added a comment to T377222: Don’t use raw HTML messages in safe mode.

Change #1090551 had a related patch set uploaded (by Gergő Tisza; author: Gergő Tisza):

[mediawiki/extensions/WikibaseMediaInfo@master] Avoid unnecessary use of RawHtmlMessages

https://gerrit.wikimedia.org/r/1090551

Tue, Nov 12, 9:47 PM · MW-1.44-notes (1.44.0-wmf.4; 2024-11-19), SecTeam-Processed, Vuln-XSS, Vuln-Misconfiguration, I18n, MediaWiki-Internationalization, Security, Security-Team
Tgr added a project to T379677: FancyCaptcha uses unescaped i18n messages: Vuln-XSS.
Tue, Nov 12, 9:07 PM · SecTeam-Processed, Vuln-XSS, MediaWiki-Platform-Team, ConfirmEdit (CAPTCHA extension), Security, Security-Team

Fri, Nov 1

gerritbot added a comment to T377222: Don’t use raw HTML messages in safe mode.

Change #1085432 merged by jenkins-bot:

[mediawiki/extensions/StopForumSpam@master] Remove stopforumspam-is-blocked message from RawHtmlMessages array

https://gerrit.wikimedia.org/r/1085432

Fri, Nov 1, 3:24 PM · MW-1.44-notes (1.44.0-wmf.4; 2024-11-19), SecTeam-Processed, Vuln-XSS, Vuln-Misconfiguration, I18n, MediaWiki-Internationalization, Security, Security-Team

Thu, Oct 31

gerritbot added a comment to T377222: Don’t use raw HTML messages in safe mode.

Change #1085432 had a related patch set uploaded (by SBassett; author: SBassett):

[mediawiki/extensions/StopForumSpam@master] Remove stopforumspam-is-blocked message from RawHtmlMessages array

https://gerrit.wikimedia.org/r/1085432

Thu, Oct 31, 4:35 PM · MW-1.44-notes (1.44.0-wmf.4; 2024-11-19), SecTeam-Processed, Vuln-XSS, Vuln-Misconfiguration, I18n, MediaWiki-Internationalization, Security, Security-Team
sbassett added a comment to T377222: Don’t use raw HTML messages in safe mode.

It still has <strong> tags and is parsed due to the wikitext links. I guess one could argue that the <strong> tags are superfluous.

But it's parsed so it's safe HTML, not raw HTML.

Thu, Oct 31, 4:32 PM · MW-1.44-notes (1.44.0-wmf.4; 2024-11-19), SecTeam-Processed, Vuln-XSS, Vuln-Misconfiguration, I18n, MediaWiki-Internationalization, Security, Security-Team
mmartorana changed the visibility for T377222: Don’t use raw HTML messages in safe mode.
Thu, Oct 31, 3:12 PM · MW-1.44-notes (1.44.0-wmf.4; 2024-11-19), SecTeam-Processed, Vuln-XSS, Vuln-Misconfiguration, I18n, MediaWiki-Internationalization, Security, Security-Team

Wed, Oct 30

Tgr added a comment to T377222: Don’t use raw HTML messages in safe mode.

It still has <strong> tags and is parsed due to the wikitext links. I guess one could argue that the <strong> tags are superfluous.

Wed, Oct 30, 9:33 PM · MW-1.44-notes (1.44.0-wmf.4; 2024-11-19), SecTeam-Processed, Vuln-XSS, Vuln-Misconfiguration, I18n, MediaWiki-Internationalization, Security, Security-Team
sbassett added a comment to T377222: Don’t use raw HTML messages in safe mode.
  • stopforumspam-is-blocked (20bb7d1d - seems wrong? the message is not actually HTML)
Wed, Oct 30, 9:13 PM · MW-1.44-notes (1.44.0-wmf.4; 2024-11-19), SecTeam-Processed, Vuln-XSS, Vuln-Misconfiguration, I18n, MediaWiki-Internationalization, Security, Security-Team
Bawolff added a comment to T377222: Don’t use raw HTML messages in safe mode.

The copyright footer is not shown on Special:UserLogin, nor (as far as I can tell) on any other page that has JS disabled;

Wed, Oct 30, 8:32 PM · MW-1.44-notes (1.44.0-wmf.4; 2024-11-19), SecTeam-Processed, Vuln-XSS, Vuln-Misconfiguration, I18n, MediaWiki-Internationalization, Security, Security-Team
Tgr added a comment to T377222: Don’t use raw HTML messages in safe mode.

Raw HTML messages not listed in T377222#10241289 but found by codesearch:

  • stopforumspam-is-blocked (20bb7d1d - seems wrong? the message is not actually HTML)
  • donate_interface-otherways (it's a Wikimedia-specific extension, only used on a very locked down wiki, so probably fine? still, seems easy to replace)
  • wikibasemediainfo-time-timestamp-formatted (96e5a07e - no good reason for it to use raw HTML)
Wed, Oct 30, 7:59 PM · MW-1.44-notes (1.44.0-wmf.4; 2024-11-19), SecTeam-Processed, Vuln-XSS, Vuln-Misconfiguration, I18n, MediaWiki-Internationalization, Security, Security-Team
Tgr added a comment to T377222: Don’t use raw HTML messages in safe mode.

HTML in copyright messages is a legacy feature at this point. I don't think it makes sense to expend any effort on sanitizing it when security-conscious installations can just disable it.
(We should probably make it default to disabled in the next release, though.)

Wed, Oct 30, 6:44 PM · MW-1.44-notes (1.44.0-wmf.4; 2024-11-19), SecTeam-Processed, Vuln-XSS, Vuln-Misconfiguration, I18n, MediaWiki-Internationalization, Security, Security-Team
Lucas_Werkmeister_WMDE added a comment to T377222: Don’t use raw HTML messages in safe mode.

A related thought I had today: do we disable raw HTML messages on Special:UserLogin and related pages? Because not loading user or site scripts on those special pages is a security feature, I believe (we don’t want to let interface admins steal users’ passwords).

Wed, Oct 30, 5:28 PM · MW-1.44-notes (1.44.0-wmf.4; 2024-11-19), SecTeam-Processed, Vuln-XSS, Vuln-Misconfiguration, I18n, MediaWiki-Internationalization, Security, Security-Team

Tue, Oct 29

Tgr added a comment to T377222: Don’t use raw HTML messages in safe mode.

In theory, since T45646: "MediaWiki:Copyright" message allows raw HTML, we haven't been using most of these messages in Wikimedia production. $wgAllowRawHtmlCopyrightMessages (already false) should disable all the copyright-related ones (in favor of wikimedia-copyright-footer etc.) except the MobileFrontend one, which is not raw HTML anymore (fe15e9c776). googlesearch is unreachable. gadgets-definition is irrelevant. That leaves the various non-copyright mobile-frontend-* messages. Probably we can just fix those?

Tue, Oct 29, 7:25 PM · MW-1.44-notes (1.44.0-wmf.4; 2024-11-19), SecTeam-Processed, Vuln-XSS, Vuln-Misconfiguration, I18n, MediaWiki-Internationalization, Security, Security-Team

Sat, Oct 26

Tgr added a parent task for T45646: "MediaWiki:Copyright" message allows raw HTML: T367995: Security Preview for shared login domain.
Sat, Oct 26, 7:11 PM · MW-1.43-notes (1.43.0-wmf.26; 2024-10-08), Patch-For-Review, JsonConfig, WikimediaMessages, MediaWiki-Platform-Team, SUL3, I18n, Security, MW-1.32-notes (WMF-deploy-2018-08-28 (1.32.0-wmf.19)), Vuln-XSS, MediaWiki-General

Oct 22 2024

sbassett added a comment to T377168: XSS - codesearch.wmcloud.org.

Hall of fame update deployed: codfw, eqiad.

Oct 22 2024, 3:41 PM · Patch-For-Review, SecTeam-Processed, cloud-services-team, VPS-project-Codesearch, Vuln-XSS, Security, Security-Team
gerritbot added a comment to T377168: XSS - codesearch.wmcloud.org.

Change #1082089 merged by Mmartorana:

[operations/deployment-charts@master] Update miscweb: security-landing-page to latest image tag

https://gerrit.wikimedia.org/r/1082089

Oct 22 2024, 3:26 PM · Patch-For-Review, SecTeam-Processed, cloud-services-team, VPS-project-Codesearch, Vuln-XSS, Security, Security-Team
Lucas_Werkmeister_WMDE added a comment to T377222: Don’t use raw HTML messages in safe mode.

Sure, fine by me.

Oct 22 2024, 8:18 AM · MW-1.44-notes (1.44.0-wmf.4; 2024-11-19), SecTeam-Processed, Vuln-XSS, Vuln-Misconfiguration, I18n, MediaWiki-Internationalization, Security, Security-Team

Oct 21 2024

gerritbot added a comment to T377168: XSS - codesearch.wmcloud.org.

Change #1082089 had a related patch set uploaded (by SBassett; author: SBassett):

[operations/deployment-charts@master] Update miscweb: security-landing-page to latest image tag

https://gerrit.wikimedia.org/r/1082089

Oct 21 2024, 9:08 PM · Patch-For-Review, SecTeam-Processed, cloud-services-team, VPS-project-Codesearch, Vuln-XSS, Security, Security-Team
sbassett added a comment to T377222: Don’t use raw HTML messages in safe mode.

Also this seems more like a feature request than a security issue. Maybe this should be made public so a broader group can comment on it.

Oct 21 2024, 9:02 PM · MW-1.44-notes (1.44.0-wmf.4; 2024-11-19), SecTeam-Processed, Vuln-XSS, Vuln-Misconfiguration, I18n, MediaWiki-Internationalization, Security, Security-Team
Bawolff added a comment to T377222: Don’t use raw HTML messages in safe mode.

Also this seems more like a feature request than a security issue. Maybe this should be made public so a broader group can comment on it.

Oct 21 2024, 8:59 PM · MW-1.44-notes (1.44.0-wmf.4; 2024-11-19), SecTeam-Processed, Vuln-XSS, Vuln-Misconfiguration, I18n, MediaWiki-Internationalization, Security, Security-Team
Bawolff added a comment to T377222: Don’t use raw HTML messages in safe mode.

I feel like safemode would be difficult to use as a security feature. It's not sticky; users would have to manually type in the URL of every page. edit: apparently this is a user preference now, which maybe changes things with regards to how much it makes sense as a security feature.

Oct 21 2024, 5:10 PM · MW-1.44-notes (1.44.0-wmf.4; 2024-11-19), SecTeam-Processed, Vuln-XSS, Vuln-Misconfiguration, I18n, MediaWiki-Internationalization, Security, Security-Team
Lucas_Werkmeister_WMDE added a comment to T377222: Don’t use raw HTML messages in safe mode.

@Lucas_Werkmeister_WMDE - Is this more about the convenience of having a query param to disable certain messages or is it more about trying to expand the security posture of safemode as @Krinkle alluded to? The former would likely have a simple solution, but I'd probably agree that, if it were to be implemented, it should never be enabled in Wikimedia production.

Oct 21 2024, 4:33 PM · MW-1.44-notes (1.44.0-wmf.4; 2024-11-19), SecTeam-Processed, Vuln-XSS, Vuln-Misconfiguration, I18n, MediaWiki-Internationalization, Security, Security-Team
CodeReviewBot added a comment to T377168: XSS - codesearch.wmcloud.org.

mmartorana merged https://gitlab.wikimedia.org/repos/sre/miscweb/security-landing-page/-/merge_requests/6

Oct 21 2024, 4:10 PM · Patch-For-Review, SecTeam-Processed, cloud-services-team, VPS-project-Codesearch, Vuln-XSS, Security, Security-Team
sbassett moved T377222: Don’t use raw HTML messages in safe mode from Incoming to Watching on the Security-Team board.
Oct 21 2024, 3:58 PM · MW-1.44-notes (1.44.0-wmf.4; 2024-11-19), SecTeam-Processed, Vuln-XSS, Vuln-Misconfiguration, I18n, MediaWiki-Internationalization, Security, Security-Team
sbassett assigned T193982: legends in htmlform (including Special:Preferences headers) use raw html messages to matmarex.
Oct 21 2024, 3:11 PM · MediaWiki-Internationalization, MediaWiki-User-management, SecTeam-Processed, Security, Vuln-XSS
sbassett changed the visibility for T193982: legends in htmlform (including Special:Preferences headers) use raw html messages.
Oct 21 2024, 3:11 PM · MediaWiki-Internationalization, MediaWiki-User-management, SecTeam-Processed, Security, Vuln-XSS

Oct 18 2024

matmarex closed T193982: legends in htmlform (including Special:Preferences headers) use raw html messages as Resolved.

I can't reproduce any of the problems today.

Oct 18 2024, 9:37 PM · MediaWiki-Internationalization, MediaWiki-User-management, SecTeam-Processed, Security, Vuln-XSS
matmarex updated the task description for T193982: legends in htmlform (including Special:Preferences headers) use raw html messages.
Oct 18 2024, 8:56 PM · MediaWiki-Internationalization, MediaWiki-User-management, SecTeam-Processed, Security, Vuln-XSS
sbassett added a comment to T377222: Don’t use raw HTML messages in safe mode.

@Lucas_Werkmeister_WMDE - Is this more about the convenience of having a query param to disable certain messages or is it more about trying to expand the security posture of safemode as @Krinkle alluded to? The former would likely have a simple solution, but I'd probably agree that, if it were to be implemented, it should never be enabled in Wikimedia production.

Oct 18 2024, 8:54 PM · MW-1.44-notes (1.44.0-wmf.4; 2024-11-19), SecTeam-Processed, Vuln-XSS, Vuln-Misconfiguration, I18n, MediaWiki-Internationalization, Security, Security-Team
CodeReviewBot added a project to T377168: XSS - codesearch.wmcloud.org: Patch-For-Review.

sbassett opened https://gitlab.wikimedia.org/repos/sre/miscweb/security-landing-page/-/merge_requests/6

Oct 18 2024, 5:00 PM · Patch-For-Review, SecTeam-Processed, cloud-services-team, VPS-project-Codesearch, Vuln-XSS, Security, Security-Team
sbassett closed T377168: XSS - codesearch.wmcloud.org as Resolved.
Oct 18 2024, 3:57 PM · Patch-For-Review, SecTeam-Processed, cloud-services-team, VPS-project-Codesearch, Vuln-XSS, Security, Security-Team
sbassett moved T377168: XSS - codesearch.wmcloud.org from Watching to Our Part Is Done on the Security-Team board.
Oct 18 2024, 3:54 PM · Patch-For-Review, SecTeam-Processed, cloud-services-team, VPS-project-Codesearch, Vuln-XSS, Security, Security-Team
sbassett added a comment to T377168: XSS - codesearch.wmcloud.org.

Can I ask about your CVE processes (CVE assign process)?

Oct 18 2024, 3:53 PM · Patch-For-Review, SecTeam-Processed, cloud-services-team, VPS-project-Codesearch, Vuln-XSS, Security, Security-Team
Mic1337bie added a comment to T377168: XSS - codesearch.wmcloud.org.

Hi, I can confirm that it is already fixed (cannot reproduce from the PoCs). I am impressed; such quick action. A professional and responsible approach.

Oct 18 2024, 2:30 PM · Patch-For-Review, SecTeam-Processed, cloud-services-team, VPS-project-Codesearch, Vuln-XSS, Security, Security-Team
Lucas_Werkmeister_WMDE added a comment to T377222: Don’t use raw HTML messages in safe mode.

IMHO this would be pointless if restricted to $wgAllowRawHtmlCopyrightMessages, as there are other raw messages. $wgRawHtmlMessages is still a small set of messages, but only about half of them are copyright-related.

Oct 18 2024, 10:12 AM · MW-1.44-notes (1.44.0-wmf.4; 2024-11-19), SecTeam-Processed, Vuln-XSS, Vuln-Misconfiguration, I18n, MediaWiki-Internationalization, Security, Security-Team
Aklapper added a comment to T45646: "MediaWiki:Copyright" message allows raw HTML.

@Bugreporter2: Please bring this up in T318435 (and I don't see some "committee" ever mentioned) - thanks.

Oct 18 2024, 6:27 AM · MW-1.43-notes (1.43.0-wmf.26; 2024-10-08), Patch-For-Review, JsonConfig, WikimediaMessages, MediaWiki-Platform-Team, SUL3, I18n, Security, MW-1.32-notes (WMF-deploy-2018-08-28 (1.32.0-wmf.19)), Vuln-XSS, MediaWiki-General
Bugreporter2 added a comment to T45646: "MediaWiki:Copyright" message allows raw HTML.

Thanks to all who have worked on fixing this.

Oct 18 2024, 6:10 AM · MW-1.43-notes (1.43.0-wmf.26; 2024-10-08), Patch-For-Review, JsonConfig, WikimediaMessages, MediaWiki-Platform-Team, SUL3, I18n, Security, MW-1.32-notes (WMF-deploy-2018-08-28 (1.32.0-wmf.19)), Vuln-XSS, MediaWiki-General
Bugreporter2 added a comment to T45646: "MediaWiki:Copyright" message allows raw HTML.
Oct 18 2024, 6:04 AM · MW-1.43-notes (1.43.0-wmf.26; 2024-10-08), Patch-For-Review, JsonConfig, WikimediaMessages, MediaWiki-Platform-Team, SUL3, I18n, Security, MW-1.32-notes (WMF-deploy-2018-08-28 (1.32.0-wmf.19)), Vuln-XSS, MediaWiki-General

Oct 16 2024

gerritbot added a comment to T377168: XSS - codesearch.wmcloud.org.

Change #1080836 had a related patch set uploaded (by Brian Wolff; author: Brian Wolff):

[labs/codesearch@master] Use a CSP policy to reduce risk of XSS

https://gerrit.wikimedia.org/r/1080836

Oct 16 2024, 11:39 PM · Patch-For-Review, SecTeam-Processed, cloud-services-team, VPS-project-Codesearch, Vuln-XSS, Security, Security-Team
gerritbot added a comment to T377168: XSS - codesearch.wmcloud.org.

Change #1080829 merged by jenkins-bot:

[labs/codesearch@master] SECURITY: Escape slashes in json to prevent XSS.

https://gerrit.wikimedia.org/r/1080829

Oct 16 2024, 11:02 PM · Patch-For-Review, SecTeam-Processed, cloud-services-team, VPS-project-Codesearch, Vuln-XSS, Security, Security-Team