Summary
The page MediaWiki:Tagline has its contents used unescaped, so custom HTML (including JavaScript) can be injected by anyone who can edit the MediaWiki namespace (typically those with the editinterface permission, i.e. sysops).
Details
The lines below (from mediawiki-skins-Citizen/includes/Components/CitizenComponentPageHeading.php, lines 190 to 195 at commit c11fbf6) correctly use Message::parse() for citizen-tagline, which returns an HTML representation of the wikitext, but incorrectly use Message::text() for the tagline fallback, which returns the raw message text with any HTML tags left unescaped. The fallback is only reached when citizen-tagline is disabled, so on a wiki where that message is blank or deleted the raw contents of MediaWiki:Tagline are emitted wherever the skin renders the site tagline. Using ->parse() for the fallback too (matching the citizen-tagline branch), or ->escaped() if plain text is intended, would close the hole.

```php
} elseif ( !$localizer->msg( 'citizen-tagline' )->isDisabled() ) {
	$tagline = $localizer->msg( 'citizen-tagline' )->parse();
} else {
	// Fallback to site tagline
	// text() performs no HTML escaping, so this is the XSS sink
	$tagline = $localizer->msg( 'tagline' )->text();
}
```
This is also duplicated a few lines below (lines 197 to 201 of the same file at c11fbf6):

```php
} elseif ( !$localizer->msg( 'citizen-tagline' )->isDisabled() ) {
	$tagline = $localizer->msg( 'citizen-tagline' )->parse();
} else {
	// Same unescaped fallback as above
	$tagline = $localizer->msg( 'tagline' )->text();
}
```
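As an added example (not part of the advisory or the Citizen skin), the script below models the fallback logic quoted above as an audit check: a wiki is exposed only when MediaWiki:Citizen-tagline is disabled (missing, empty or "-", mirroring Message::isDisabled()) and MediaWiki:Tagline carries active HTML. It builds the MediaWiki action API request (action=query, prop=revisions, formatversion=2) that fetches both pages and evaluates a response; the response embedded here is constructed to mimic the PoC state so the script runs offline, and the HTML pattern is a coarse heuristic, not a full HTML parser. It assumes that a missing MediaWiki:Citizen-tagline page resolves to a disabled default message, as the PoC's "blank or deleted" step implies.

```python
"""Audit check for the Citizen tagline fallback (added example, not project code)."""
import html
import re
from urllib.parse import urlencode

# Coarse heuristic for markup that runs script or loads remote content
# when emitted unescaped; not a substitute for a real HTML parser.
ACTIVE_HTML = re.compile(
    r"<\s*/?\s*(script|iframe|object|embed|svg|img|style|link|meta|form)\b"
    r"|\bon[a-z]+\s*=|javascript:",
    re.IGNORECASE,
)

PAGES = "MediaWiki:Tagline|MediaWiki:Citizen-tagline"


def query_url(api_base: str) -> str:
    """Build the action API request that fetches both message pages."""
    params = {
        "action": "query", "prop": "revisions", "rvprop": "content",
        "rvslots": "main", "formatversion": 2, "format": "json",
        "titles": PAGES,
    }
    return f"{api_base}?{urlencode(params)}"


def page_content(pages: list, title: str):
    """Return the page's wikitext, or None when the page does not exist."""
    for page in pages:
        if page.get("title") == title:
            if page.get("missing"):
                return None
            return page["revisions"][0]["slots"]["main"]["content"]
    return None


def is_disabled(text) -> bool:
    """Mirror Message::isDisabled(): no text, empty/whitespace, or '-'.

    Assumption: a missing MediaWiki:Citizen-tagline page means the skin's
    default message, which is treated as disabled here. A missing
    MediaWiki:Tagline resolves to core's default ('From {{SITENAME}}'),
    which carries no HTML, so None is safe on that side.
    """
    return text is None or text.strip() in ("", "-")


def escaped(text: str) -> str:
    """What Message::escaped() would emit instead of the raw Message::text()."""
    return html.escape(text, quote=True)


def audit(api_response: dict) -> dict:
    """Decide whether the vulnerable fallback is both reachable and armed."""
    pages = api_response["query"]["pages"]
    citizen = page_content(pages, "MediaWiki:Citizen-tagline")
    site = page_content(pages, "MediaWiki:Tagline")
    reachable = is_disabled(citizen)
    armed = site is not None and ACTIVE_HTML.search(site) is not None
    return {
        "fallback_reachable": reachable,
        "tagline_has_active_html": armed,
        "exploitable": reachable and armed,
    }


# Constructed response mimicking formatversion=2 output for the PoC state:
# Citizen-tagline deleted, Tagline carrying the PoC payload.
SAMPLE_RESPONSE = {
    "batchcomplete": True,
    "query": {"pages": [
        {"pageid": 12, "ns": 8, "title": "MediaWiki:Tagline",
         "revisions": [{"slots": {"main": {
             "contentmodel": "wikitext",
             "content": "<script>alert(`Citizen XSS on ${window.origin}`)"
                        "</script>"}}}]},
        {"ns": 8, "title": "MediaWiki:Citizen-tagline", "missing": True},
    ]},
}

if __name__ == "__main__":
    print(query_url("https://wiki.example.org/w/api.php"))
    print(audit(SAMPLE_RESPONSE))
```

Against a live wiki, fetch query_url(...) with any HTTP client and pass the decoded JSON to audit(); the escaped() helper shows what the fallback would have produced had it escaped its output.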
PoC
- Log in with an account that has the editinterface permission (usually a sysop).
- Ensure that MediaWiki:Citizen-tagline is either blank or deleted, so that the skin takes the site-tagline fallback.
- Edit MediaWiki:Tagline to something like:

```html
<script>alert(`Citizen XSS in MediaWiki:Tagline on ${window.origin}`)</script>
```

- Load a mainspace article.
Example on Citizen:
![](https://private-user-images.githubusercontent.com/170076830/335791457-4cac0a1b-9495-405b-904e-adb28449615f.png?jwt=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJnaXRodWIuY29tIiwiYXVkIjoicmF3LmdpdGh1YnVzZXJjb250ZW50LmNvbSIsImtleSI6ImtleTUiLCJleHAiOjE3MjExMjk0NzEsIm5iZiI6MTcyMTEyOTE3MSwicGF0aCI6Ii8xNzAwNzY4MzAvMzM1NzkxNDU3LTRjYWMwYTFiLTk0OTUtNDA1Yi05MDRlLWFkYjI4NDQ5NjE1Zi5wbmc_WC1BbXotQWxnb3JpdGhtPUFXUzQtSE1BQy1TSEEyNTYmWC1BbXotQ3JlZGVudGlhbD1BS0lBVkNPRFlMU0E1M1BRSzRaQSUyRjIwMjQwNzE2JTJGdXMtZWFzdC0xJTJGczMlMkZhd3M0X3JlcXVlc3QmWC1BbXotRGF0ZT0yMDI0MDcxNlQxMTI2MTFaJlgtQW16LUV4cGlyZXM9MzAwJlgtQW16LVNpZ25hdHVyZT0wNTgxNjNkMmQxMjg2MWM4YTExZDBiODMwNmY0NzJmNzYxMDcwNjYyMjI2OWUzY2UwYTNhZGQwMjhiOTQ0M2E5JlgtQW16LVNpZ25lZEhlYWRlcnM9aG9zdCZhY3Rvcl9pZD0wJmtleV9pZD0wJnJlcG9faWQ9MCJ9.NLTU4lvqYO6J3p2csfPCPHySjV140jlgP5WNJ7uhM2g)
Example on Vector:
![](https://private-user-images.githubusercontent.com/170076830/335791462-8fd40b19-497a-4fb0-9935-f68dce5ccfae.png?jwt=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJnaXRodWIuY29tIiwiYXVkIjoicmF3LmdpdGh1YnVzZXJjb250ZW50LmNvbSIsImtleSI6ImtleTUiLCJleHAiOjE3MjExMjk0NzEsIm5iZiI6MTcyMTEyOTE3MSwicGF0aCI6Ii8xNzAwNzY4MzAvMzM1NzkxNDYyLThmZDQwYjE5LTQ5N2EtNGZiMC05OTM1LWY2OGRjZTVjY2ZhZS5wbmc_WC1BbXotQWxnb3JpdGhtPUFXUzQtSE1BQy1TSEEyNTYmWC1BbXotQ3JlZGVudGlhbD1BS0lBVkNPRFlMU0E1M1BRSzRaQSUyRjIwMjQwNzE2JTJGdXMtZWFzdC0xJTJGczMlMkZhd3M0X3JlcXVlc3QmWC1BbXotRGF0ZT0yMDI0MDcxNlQxMTI2MTFaJlgtQW16LUV4cGlyZXM9MzAwJlgtQW16LVNpZ25hdHVyZT1jOTc2MDZiYjI0ZDAxZTVkNzI0MDdiMDU0M2NjMTBiMjc3OTk0YzY1ZDVkMDNlY2QwZjJjZjM5NmY3NDQwNWFkJlgtQW16LVNpZ25lZEhlYWRlcnM9aG9zdCZhY3Rvcl9pZD0wJmtleV9pZD0wJnJlcG9faWQ9MCJ9.7ly_FOouNy7u5olzqrhtdAhAc6ele-wopCWh-jsPkk8)
Impact
Arbitrary HTML (and thus JavaScript) can be injected by someone with the editinterface permission (typically sysops). This can lead to actions being covertly taken on behalf of any user who views the wiki with the Citizen skin, up to and including account takeover.
However, editing MediaWiki:Tagline is very noisy: the edit appears in the page history and in Recent Changes (unless the editor has the bot flag), and the injected markup is visible to non-Citizen users as well. Additionally, a Content Security Policy that disallows inline scripts will block this payload.