Authored by Yair_rand, Mar 2 2020, 3:28 AM
Attachment F31655696: 0001-jquery.makeCollapsible-Escape-user-generated-CSS-sel.patch (Mar 2 2020, 4:12 PM)
Description
The code, when placed on a wiki page, causes the element to undergo several changes: it has the class and applied to it, along with several event handlers being attached which collapse or expand a particular element (many of these handlers suppressing normal behaviour). The "body" can be replaced with any CSS selector, including, for example "", which will then have the effects apply to all elements matching the selector.
The source of this is presumably https://phabricator.wikimedia.org/source/mediawiki/browse/master/resources/src/jquery/jquery.makeCollapsible.js$246
(I don't think this bug matters much on its own, but I'm a bit concerned about what bugs this could be combined with to open up some worrisome possibilities. Sorry if this isn't the kind of thing that should be labelled a security issue, I'm not sure what the boundaries are.)
Details
Related Objects
| Status | Subtype | Assigned | Task |
|---|---|---|---|
| Resolved | | Reedy | T240392 Release MediaWiki 1.31.7/1.33.3/1.34.1 |
| Resolved | | Reedy | T240393 Tracking bug for MediaWiki 1.31.7/1.33.3/1.34.1 |
| Resolved | Security | sbassett | T246602 makeCollapsible allows applying event handler to any CSS selector (CVE-2020-10960) |
Event Timeline
Thanks for reporting this. You can use security issues for anything even slightly concerning that you don't want to make public.
Note that you need to use (or similar) to reproduce this, by default MediaWiki escapes ID attributes in a manner that breaks this. We use this config on Wikimedia sites though.
I don't think this can result in anything really scary like an XSS problem. It allows the content of the page to affect the MediaWiki interface, which is bad since it can often interfere with the admins' ability to revert the edit or delete the page, but in this case I couldn't find a way to do anything other than make clicks anywhere on the page hide/show a part of the content. We just got lucky though.
Potential fix is to use :
In T246602#5933105, @matmarex wrote:
> Note that you need to use (or similar) to reproduce this; by default MediaWiki escapes ID attributes in a manner that breaks this. We use this config on Wikimedia sites though.

It wasn't immediately clear to me, but the order of the array values appears to matter. When is set to (its default), it defangs the bad id, whereas setting it to or does not.

> I don't think this can result in anything really scary like an XSS problem. It allows the content of the page to affect the MediaWiki interface, which is bad since it can often interfere with the admins' ability to revert the edit or delete the page, but in this case I couldn't find a way to do anything other than make clicks anywhere on the page hide/show a part of the content. We just got lucky though.
> Potential fix is to use :
> Attachment: 0001-jquery.makeCollapsible-Escape-user-generated-CSS-sel.patch (1 KB)
I'd agree that this would likely be difficult to exploit in any serious way, though we did just have a different UI issue with security implications (T232932). Patch looks good and tests fine. I think I'm going to deploy it now during the remainder of the weekly security deployment window.
Deployed to wmf.21. Seems fine on testwiki.
Patch applies cleanly to master, REL1_34, REL1_33 and REL1_31. Closing as the release is coming this week.
Change 583697 merged by jenkins-bot:
[mediawiki/core@REL1_31] SECURITY: jquery.makeCollapsible: Escape user-generated CSS selectors
Change 583700 merged by jenkins-bot:
[mediawiki/core@REL1_33] SECURITY: jquery.makeCollapsible: Escape user-generated CSS selectors
Change 583703 merged by jenkins-bot:
[mediawiki/core@REL1_34] SECURITY: jquery.makeCollapsible: Escape user-generated CSS selectors
Change 583708 merged by jenkins-bot:
[mediawiki/core@master] SECURITY: jquery.makeCollapsible: Escape user-generated CSS selectors
