CVE-2022-28202: Messages widthheight/widthheightpage/nbytes not escaped when used in galleries or Special:RevisionDelete

**

CVE-2022-: Messages widthheight/widthheightpage/nbytes not escaped when used in galleries or Special:RevisionDelete

Closed, ResolvedPublicSecurity

**

• Edit Task

• Edit Related Tasks…

• Edit Related Objects…

• Mute Notifications

• Protect as security issue

• Award Token

• Flag For Later

List of steps to reproduce (step by step, including full links if applicable):

• Be sure your wiki has files uploaded (non-pdfs)
• Go to [[MediaWiki:Widthheight]] and append “<script>alert(‘XSS widthheight’);</script>”
• Go to index.php?title=Special:NewFiles&limit=2 and you will get the alerts

This is from ImageHandler::getDimensionsString and also includes “widthheightpage” for pdfs.
It affects all gallery which shows dimensions, that is not true for parser/wikitext.
The default depends on $wgGalleryOptions.
Categories with files are affected
Special:Uncategorizedimages and Special:Unusedimages and Special:Mostimages are affected.

A second case:

• Log in as sysop
• Go to Special:ListFiles and select a file with a 2 or higher in the Versions column
• In the file history click "(change visibility)" and you will get the alert.

For the second case the escaped is also missing for message “nbytes” in RevDelFileItem::getHTML

What happens?:
javascript alerts are shown.

What should have happened instead?:
No javascript alert should be shown. The script tag must be presented as visible text.

Software version (if not a Wikimedia wiki), browser information, screenshots, other information, etc: current master

Risk Rating

Low

Author Affiliation

Wikimedia Communities

• Task Graph

Event Timeline

Comment Actions

Only priviliged user can edit messages, but the use of Special:RevisionDelete also affects oversights.

I am not sure if problems with message escaping should be public or better private like this. Feel free to change as needed.

Comment Actions

Thanks for filling the task. Definitely let’s keep this private (at least for now) – this is an active vulnerability (although it requires sysop rights to exploit).

Comment Actions

We’ve resolved many issues like this in public in the past (recent examples: 1 2 ).

I think it’s much more practical, and not very risky, to resolve them in public. Or if there’s a good reason not to do that, please let me know and I’ll keep similar issues private in the future too.

Comment Actions

This should just be a simple s/text/escaped/ here and here, correct?

I think it’s much more practical, and not very risky, to resolve them in public. Or if there’s a good reason not to do that, please let me know and I’ll keep similar issues private in the future too.

I think the Security-Team is fine rating many of these msg issues (including this issue) as low risk if a patch can go through gerrit on a Monday just prior to the train cut.

Comment Actions

This should just be a simple s/text/escaped/ here and here, correct?

I think it’s much more practical, and not very risky, to resolve them in public. Or if there’s a good reason not to do that, please let me know and I’ll keep similar issues private in the future too.

I think the Security-Team is fine rating many of these msg issues (including this issue) as low risk if a patch can go through gerrit on a Monday just prior to the train cut.

The return value of ImageHandler::getDimensionsString is escaped by the caller (at least in ImageHistoryList) and should be wrapped with htmlspecialchars in the Gallery here

The second part in RevDelFileItem is okay with /text/escaped/ replace.

Comment Actions

First attempt at a patch per @Umherirrender’s advice above. Per my previous comment, this can be sent up and merged via gerrit next Monday if it looks decent.

Comment Actions

First attempt at a patch per @Umherirrender’s advice above. Per my previous comment, this can be sent up and merged via gerrit next Monday if it looks decent.

That works and looks very good. +2

sbassett changed Author Affiliation from N/A to Wikimedia Communities.

sbassett changed the visibility from “Custom Policy” to "Public (No Login Required)".

sbassett changed Risk Rating from N/A to Low.

Reedy added a parent task: Restricted Task.Sun, Mar 20, 2:51 PM

Reedy renamed this task from Messages widthheight/widthheightpage/nbytes not escaped when used in galleries or Special:RevisionDelete to CVE-2022-: Messages widthheight/widthheightpage/nbytes not escaped when used in galleries or Special:RevisionDelete.Mon, Mar 28, 1:53 PM

Content licensed under Creative Commons Attribution-ShareAlike 3.0 (CC-BY-SA) unless otherwise noted; code licensed under GNU General Public License (GPL) or other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL