Last modified: 2014-03-07 19:30:06 UTC

Wikimedia Bugzilla is closed!

Wikimedia migrated from Bugzilla to Phabricator. Bug reports are handled in Wikimedia Phabricator.
This static website is read-only and for historical purposes. It is not possible to log in and except for displaying bug reports and their history, links might be broken. See T63362, the corresponding Phabricator task for complete and up-to-date bug report information.
Bug 61362 - HTML formatter for debug output from API allows HTML injection
Status: RESOLVED FIXED
Product: MediaWiki
Classification: Unclassified
Component: API (Other open bugs)
Version: unspecified
Hardware: All
OS: All
Priority: Unprioritized
Severity: normal
Target Milestone: ---
Assigned To: Brad Jorsch
URL: https://en.wikipedia.org/w/api.php?ac...
Depends on:
Blocks: 62035
Reported: 2014-02-14 08:20 UTC by Michael M.
Modified: 2014-03-07 19:30 UTC (History)
CC: 9 users

See Also:
Web browser: ---
Mobile Platform: ---
Assignee Huggle Beta Tester: ---


Attachments: Fix (2.06 KB, patch), 2014-02-14 21:51 UTC, Brad Jorsch

Description Michael M. 2014-02-14 08:20:51 UTC
Steps to reproduce:

1. Go to

https://en.wikipedia.org/w/api.php?action=parse&text=api.php?http://onmouseover=alert%28document.cookie%29//&title=Foo&prop=wikitext&format=jsonfm

2. Hover over the first link.

-> A popup will be shown with your cookie.

The problem is in function formatHTML from ApiFormatBase.php:

The raw output contains
  api.php?http://onmouseover=alert(document.cookie)//

In a first pass this is transformed into a link to api.php, i.e. into
  <a href="api.php?http://onmouseover=alert(document.cookie)//">...</a>

In a second step the string starting with http:// is recognized as a URL and transformed into a link, too. But as it is inside an attribute this breaks the HTML structure:
  <a href="api.php?<a href="http://onmouseover=alert(document.cookie)//">...</a>">...</a>

This is invalid HTML, but according to HTML5 the first a-tag gets an onmouseover-attribute with the value 'alert(document.cookie)//"'.
Comment 1 Brad Jorsch 2014-02-14 21:51:01 UTC
Created attachment 14596 [details]
Fix

Ugh. This should fix it, by hiding the already-created links from the second pass of link finding.
Comment 2 Chris Steipp 2014-02-20 19:40:03 UTC
Patch looks good, and fixes the issue. I asked Aaron to take a look at it also. We should be able to deploy it soon.

Thanks for the report Michael.
Comment 3 Aaron Schulz 2014-02-20 21:28:32 UTC
Would be nice if the patch used: <([0-9a-f]{40})> instead of <([0-9a-f]+)>. I think this is OK though.
Comment 4 Chris Steipp 2014-02-21 01:22:34 UTC
I deployed the patch as it was today. Brad, it might be nice to make that update, just to make it a little more specific before we release this. Next release will probably be in a couple of weeks.
Comment 5 Bawolff (Brian Wolff) 2014-02-28 03:00:44 UTC
For reference, this was commit Idf985e4e69c2f11778a8a90503914678441cb3fb (gerrit bot presumably can't edit hidden security bugs)
Comment 6 Chris Steipp 2014-03-03 19:11:56 UTC
This was assigned CVE-2014-2244
Comment 7 Gerrit Notification Bot 2014-03-07 19:30:06 UTC
Change 115961 merged by jenkins-bot:
SECURITY: API: Don't find links in the middle of api.php links

https://gerrit.wikimedia.org/r/115961
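The two-pass linkification the description explains, and the "hide the already-created links" fix from comment 1 with the 40-hex-digit marker suggested in comment 3, reconstructed as an added Python example. This is not the PHP of ApiFormatBase.php or the attached patch; the link-finding regexes, the sha1 marker scheme and the sample input are assumptions made for the illustration.

```python
import hashlib
import html
import re

# Constructed sample input: the debug-output fragment quoted in the report.
SAMPLE = "api.php?http://onmouseover=alert(document.cookie)//"

# Hypothetical link-finding patterns standing in for the two passes the
# report describes; they are not the regexes in ApiFormatBase.php.
API_LINK_RE = re.compile(r'api\.php\?[^\s"<>]*')
URL_RE = re.compile(r'https?://[^\s"<>]*')


def _anchor(m):
    """Turn a regex match into a plain <a> link whose text is the URL."""
    url = m.group(0)
    return f'<a href="{url}">{url}</a>'


def format_vulnerable(text):
    """Two independent passes. The second pass rescans the href attribute
    the first pass created, so an http:// inside an api.php?... query
    string is linked again and the markup breaks (the reported defect)."""
    out = html.escape(text, quote=True)
    out = API_LINK_RE.sub(_anchor, out)
    out = URL_RE.sub(_anchor, out)
    return out


def format_fixed(text):
    """Same two passes, but every link from the first pass is swapped for a
    <sha1> placeholder before the second pass runs and restored afterwards,
    so the URL finder never sees the inside of an existing href."""
    out = html.escape(text, quote=True)
    links = {}

    def hide(m):
        link = _anchor(m)
        key = hashlib.sha1(link.encode()).hexdigest()  # 40 hex digits
        links[key] = link
        # Escaped text never contains a raw '<', so the marker cannot
        # collide with anything that came from user input.
        return f'<{key}>'

    out = API_LINK_RE.sub(hide, out)
    out = URL_RE.sub(_anchor, out)
    # Restrict the marker to exactly 40 hex digits, as comment 3 suggests.
    return re.sub(r'<([0-9a-f]{40})>', lambda m: links[m.group(1)], out)


def has_nested_anchor(markup):
    """True if an <a ...> start tag opens inside another <a start tag's
    attribute list, the broken structure shown in the report."""
    return re.search(r'<a [^>]*<a ', markup) is not None


if __name__ == "__main__":
    print("vulnerable:", format_vulnerable(SAMPLE))
    print("nested anchor:", has_nested_anchor(format_vulnerable(SAMPLE)))
    print("fixed:     ", format_fixed(SAMPLE))
    print("nested anchor:", has_nested_anchor(format_fixed(SAMPLE)))
```

Running the vulnerable formatter on the sample reproduces the nested `<a href="api.php?<a href="http://...` markup from the description; the fixed formatter keeps the whole `api.php?...` string as one link and still linkifies ordinary `http://` text elsewhere, which is the regression check worth keeping alongside such a fix.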
