
XSS in Special:Search
Closed, Resolved (Public, Security)

Description

This bug was reported to security@ by Sheldon Menezes (samymenezes33@gmail.com)

Steps to reproduce:

  • write '><script>alert(document.domain)</script> in a search box
  • the response will evaluate the JavaScript
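To make the cause of this concrete, here is an added example (not MediaWiki code) with a hypothetical TinyMessage class that mimics the Message::rawParams()/params() distinction the fix below depends on: params() values are HTML-escaped at render time, rawParams() values are inserted verbatim. The link HTML and the search term are constructed sample values.

```php
<?php
// Added example, not MediaWiki code. TinyMessage is a hypothetical stand-in for
// the escaping behaviour of MediaWiki's Message::params() vs rawParams().
final class TinyMessage {
    /** @var array<int, array{raw: bool, value: string}> */
    private array $params = [];

    public function __construct(private string $template) {}

    // params(): values are HTML-escaped when the message is rendered with escaped().
    public function params(string ...$values): self {
        foreach ($values as $v) { $this->params[] = ['raw' => false, 'value' => $v]; }
        return $this;
    }

    // rawParams(): values are inserted as-is; only safe for HTML the caller built itself.
    public function rawParams(string ...$values): self {
        foreach ($values as $v) { $this->params[] = ['raw' => true, 'value' => $v]; }
        return $this;
    }

    // Substitute $1, $2, ... in the template, escaping only the non-raw parameters.
    public function escaped(): string {
        $out = $this->template;
        foreach ($this->params as $i => $p) {
            $text = $p['raw'] ? $p['value'] : htmlspecialchars($p['value'], ENT_QUOTES, 'UTF-8');
            $out = str_replace('$' . ($i + 1), $text, $out);
        }
        return $out;
    }
}

// Constructed sample values: a link the widget itself built, and the reporter's search term.
$rewritten = '<a href="/w/index.php?search=foo">foo</a>';
$original  = "'><script>alert(document.domain)</script>";
$template  = 'Showing results for $1. Search instead for $2.';

// Before the fix: both parameters raw, so the user-controlled term lands in the HTML unescaped.
$before = (new TinyMessage($template))->rawParams($rewritten, $original)->escaped();
// After the fix: the user term goes through params() and is escaped; the link stays raw.
$after  = (new TinyMessage($template))->rawParams($rewritten)->params($original)->escaped();

if (!str_contains($before, '<script>') || str_contains($after, '<script>')) {
    throw new RuntimeException('escaping model does not behave as expected');
}
echo "before: $before\nafter:  $after\n";
```

Running it (PHP 8.0+) prints the unescaped rendering first and then the fixed one, where the term appears as `&#039;&gt;&lt;script&gt;...` and is shown as text rather than executed.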

Event Timeline

Joe triaged this task as Unbreak Now! priority. Oct 14 2022, 9:33 AM

Patch uploaded to deploy1002:~dcausse/T320785.patch

From 9869e7b749eb51bddee41cc713c69eacf47b3284 Mon Sep 17 00:00:00 2001
From: David Causse <dcausse@wikimedia.org>
Date: Fri, 14 Oct 2022 11:40:47 +0200
Subject: [PATCH] Fix XSS in DYM

Bug: T320785
Change-Id: Ib9e2da2291b9936f3f1646322c9a14acec37738c
---
 includes/search/searchwidgets/DidYouMeanWidget.php | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/includes/search/searchwidgets/DidYouMeanWidget.php b/includes/search/searchwidgets/DidYouMeanWidget.php
index 9dd4e1f6683..a3728902220 100644
--- a/includes/search/searchwidgets/DidYouMeanWidget.php
+++ b/includes/search/searchwidgets/DidYouMeanWidget.php
@@ -78,7 +78,8 @@ class DidYouMeanWidget {
 		$original = $term;
 
 		return $this->specialSearch->msg( 'search-rewritten' )
-			->rawParams( $rewritten, $original )
+			->rawParams( $rewritten )
+			->params( $original )
 			->escaped();
 	}
 
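Review bot: only `$original` is moved from `rawParams()` to `params()`, while `$rewritten` is still passed through `rawParams()` on the new line 41; the hunk should carry a short comment stating why `$rewritten` is trusted HTML (a link the widget built itself) so that a future reader does not route another user-derived value through the raw path. A regression test for Special:Search with a term containing `<` and `>` would also belong next to this change, since the message is rendered with `->escaped()` and the expectation is that the search term appears escaped in the output.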
-- 
2.34.1

The above patch has been deployed to all wmf production wikis.
It is stored in /srv/patches/1.40.0-wmf.5/core/T320785.patch on deploy1002
The problem was introduced in 1.40.0-wmf.5 by https://gerrit.wikimedia.org/r/c/mediawiki/core/+/824123.

@sbassett is it ok to push the patch through gerrit and make this task public? It is a recent regression and only master is affected and prod has been patched.

Normally we'd hold something like this for the next security release (T318964), but since it should have only ever made it to 1.40, I think it's fine to get this merged so the patch can fall off next week (assuming it gets merged today or Monday).

Change 842818 had a related patch set uploaded (by Zabe; author: DCausse):

[mediawiki/core@master] SECURITY: Fix XSS in DYM

https://gerrit.wikimedia.org/r/842818

sbassett lowered the priority of this task from Unbreak Now! to High. Oct 14 2022, 2:30 PM
sbassett changed Author Affiliation from N/A to Other (Please specify in description).
sbassett changed the visibility from "Custom Policy" to "Public (No Login Required)".
sbassett changed the edit policy from "Custom Policy" to "All Users".
sbassett changed Risk Rating from N/A to High.
Zabe assigned this task to dcausse.

Change 842818 merged by jenkins-bot:

[mediawiki/core@master] SECURITY: Fix XSS in DYM

https://gerrit.wikimedia.org/r/842818

Running the train today for 1.40.0-wmf.6 shows the patch already got applied.

[ALREADY APPLIED] /srv/patches/1.40.0-wmf.6/core/01-T320785.patch

It got merged in master last week and made its way in 1.40.0-wmf.6. I have removed the patch from the /srv/patches repository.

Change 852935 had a related patch set uploaded (by SBassett; author: SBassett):

[wikimedia/security/landing-page@master] Add Sheldon Menezes to security hall of fame for reporting XSS in Special:Search

https://gerrit.wikimedia.org/r/852935

Change 852935 merged by jenkins-bot:

[wikimedia/security/landing-page@master] Add Sheldon Menezes to security hall of fame for reporting XSS in Special:Search

https://gerrit.wikimedia.org/r/852935

Change 854107 had a related patch set uploaded (by SBassett; author: SBassett):

[wikimedia/security/landing-page@master] Add Sheldon Menezes to security hall of fame (build step)

https://gerrit.wikimedia.org/r/854107

Change 854107 merged by jenkins-bot:

[wikimedia/security/landing-page@master] Add Sheldon Menezes to security hall of fame (build step)

https://gerrit.wikimedia.org/r/854107