Summary
The page MediaWiki:Tagline has its contents used unescaped, so custom HTML (including Javascript) can be injected by someone with the ability to edit the MediaWiki namespace (typically those with the editinterface permission, or sysops).
Details
The lines below correctly use Message::parse() for citizen-tagline (which returns an HTML-representation of the wikitext), but it incorrectly uses Message::text() for tagline (which returns the wikitext itself, with unescaped HTML tags).
|
} elseif ( !$localizer->msg( 'citizen-tagline' )->isDisabled() ) { |
|
$tagline = $localizer->msg( 'citizen-tagline' )->parse(); |
|
} else { |
|
// Fallback to site tagline |
|
$tagline = $localizer->msg( 'tagline' )->text(); |
|
} |
This is also duplicated a few lines below:
|
} elseif ( !$localizer->msg( 'citizen-tagline' )->isDisabled() ) { |
|
$tagline = $localizer->msg( 'citizen-tagline' )->parse(); |
|
} else { |
|
$tagline = $localizer->msg( 'tagline' )->text(); |
|
} |
PoC
- Login with an account that has the
editinterface permission (usually one that is a sysop)
- Ensure that
MediaWiki:Citizen-tagline is either blank or deleted
- Edit
MediaWiki:Tagline to something like:
<script>alert(`Citizen XSS in MediaWiki:Tagline on ${window.origin}`)</script>
- Load a mainspace article
Example on Citizen:
Example on Vector:
Impact
Arbitrary HTML (and thus Javascript) can be injected by someone with editinterface permission (typically sysops). This can lead to actions being covertly taken that a user who uses the Citizen skin, and it could lead to an account takeover.
However, editing MediaWIki:Tagline is very noisy (appears in page history, visible to non-Citizen users, appears in Recent Changes unless if the editor has the bot flag). Additionally, a proper CSP will thwart this attack.
BlankEclair Reporter
Summary
The page
MediaWiki:Taglinehas its contents used unescaped, so custom HTML (including Javascript) can be injected by someone with the ability to edit the MediaWiki namespace (typically those with theeditinterfacepermission, or sysops).Details
The lines below correctly use
Message::parse()forcitizen-tagline(which returns an HTML-representation of the wikitext), but it incorrectly usesMessage::text()fortagline(which returns the wikitext itself, with unescaped HTML tags).mediawiki-skins-Citizen/includes/Components/CitizenComponentPageHeading.php
Lines 190 to 195 in c11fbf6
This is also duplicated a few lines below:
mediawiki-skins-Citizen/includes/Components/CitizenComponentPageHeading.php
Lines 197 to 201 in c11fbf6
PoC
editinterfacepermission (usually one that is a sysop)MediaWiki:Citizen-taglineis either blank or deletedMediaWiki:Taglineto something like:Example on Citizen:
Example on Vector:
Impact
Arbitrary HTML (and thus Javascript) can be injected by someone with
editinterfacepermission (typically sysops). This can lead to actions being covertly taken that a user who uses the Citizen skin, and it could lead to an account takeover.However, editing
MediaWIki:Taglineis very noisy (appears in page history, visible to non-Citizen users, appears in Recent Changes unless if the editor has the bot flag). Additionally, a proper CSP will thwart this attack.