Confirmed XSS in WikiDiscover
Closed, Resolved; Public

Description

See https://meta.mirabeta.org/wiki/Special:WikiDiscover?uselang=x-xss

WARNING: THAT WILL LAUNCH JAVASCRIPT ALERT MESSAGES IN YOUR BROWSER IF YOU HAVE JS ENABLED!

Event Timeline

<td class="TablePager_col_wiki_dbname"><a href="https://semantic-mediawiki.mirabeta.org">Semantic MediaWiki</a></td>
<td class="TablePager_col_wiki_language">English</td>
<td class="TablePager_col_wiki_closed">Open</td>
<td class="TablePager_col_wiki_private">Public</td>
<td class="TablePager_col_wiki_category">Software/Computing</td>
<td class="TablePager_col_wiki_creation">28 <script>alert('january')</script>"><script>alert('january')</script><x y="() 2022</td>
<td class="TablePager_col_wiki_description"> </td>

Looking at where in the table pager this is generated, we get this (https://github.com/miraheze/WikiDiscover/blob/e22ac51883ad39fa2efa1c09836226e5244c6df7/includes/WikiDiscoverWikisPager.php#L141):

case 'wiki_creation':
	$lang = RequestContext::getMain()->getLanguage();

	$formatted = $lang->date( wfTimestamp( TS_MW, strtotime( $row->wiki_creation ) ) );
	break;

Let's look a bit more closely at that date method. This is from the Language class, and it takes a timestamp and returns a human-readable timestamp. To get a human-readable timestamp, behind the scenes it uses interface messages to have the names of the months and days and everything in all the various languages MediaWiki supports. It retrieves them using this function, Language::getMonthName. (https://doc.wikimedia.org/mediawiki-core/master/php/Language_8php_source.html#l02081)

public function getMonthName( $key ) {
  return $this->getMessageFromDB( self::MONTH_MESSAGES[$key - 1] );
}

Hmm, how does that work?

public function getMessageFromDB( $msg ) {
  return $this->msg( $msg )->text();
}

Oops, that is using the ->text() output mode! So there is our XSS vector. Pretty cool, huh?

Fix for this one is pretty simple. @Universal_Omega I will need you to give me permission to make security advisories on WikiDiscover as well.

Done

https://github.com/miraheze/WikiDiscover/security/advisories/GHSA-cfcf-94jv-455f is now published and the fix is live on the latest master. I believe this task is now good for opening to the public.

Universal_Omega changed the visibility from "Custom Policy" to "Public (No Login Required)". Feb 8 2024, 20:32
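
The data flow traced in the thread above, as an added stand-alone example (not WikiDiscover or MediaWiki code, and not the patch from the advisory): a month name fetched as unescaped message text reaches a table cell as HTML, next to the same cell with escaping applied at output. All function names and the message table are hypothetical stand-ins; the `x-xss` entry models the language used in the URL in the description.

```php
<?php
// Added illustration: plain-PHP stand-ins for the message lookup and pager cell.
// Constructed message table; 'x-xss' models a language whose messages carry markup.
const MESSAGES = [
    'en'    => [ 'january' => 'January' ],
    'x-xss' => [ 'january' => "<script>alert('january')</script>" ],
];

// Models Message::text(): returns the message content with no HTML escaping.
function monthNameText( string $lang, string $key ): string {
    return MESSAGES[$lang][$key] ?? MESSAGES['en'][$key];
}

// Models Language::date(): builds a human-readable date out of message text.
function formatDate( string $lang, int $ts ): string {
    $monthKey = strtolower( gmdate( 'F', $ts ) );
    return gmdate( 'j', $ts ) . ' ' . monthNameText( $lang, $monthKey ) . ' ' . gmdate( 'Y', $ts );
}

// Unsafe cell: the formatted date is concatenated into the markup as-is,
// so any markup inside the month message becomes part of the page.
function cellUnsafe( string $lang, int $ts ): string {
    return '<td class="TablePager_col_wiki_creation">' . formatDate( $lang, $ts ) . '</td>';
}

// Hardened cell: treat the formatted date as text and escape it at the point of output.
function cellEscaped( string $lang, int $ts ): string {
    $text = htmlspecialchars( formatDate( $lang, $ts ), ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8' );
    return '<td class="TablePager_col_wiki_creation">' . $text . '</td>';
}

$ts = gmmktime( 0, 0, 0, 1, 28, 2022 ); // constructed sample date: 28 January 2022
foreach ( [ 'en', 'x-xss' ] as $lang ) {
    echo "$lang unsafe:  ", cellUnsafe( $lang, $ts ), "\n";
    echo "$lang escaped: ", cellEscaped( $lang, $ts ), "\n";
}
```

For `en` both cells are identical; for `x-xss` only the escaped cell keeps the month message as inert text (`&lt;script&gt;...`).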