Page MenuHomePhabricator
Create Task
Maniphest T394692

CVE-2025-53478: Special:Investigate 'IPs and User agents' tab has i18n XSS vectors
Open, MediumPublic1 Estimated Story PointsSecurity
Actions

Assigned To
Dreamy_Jazz
Authored By
Dreamy_Jazz
May 19 2025, 3:44 PM
Tags
Referenced Files
F60242796: T394692.patch
May 19 2025, 3:54 PM
F60242658: image.png
May 19 2025, 3:44 PM
F60242654: image.png
May 19 2025, 3:44 PM
F60242650: image.png
May 19 2025, 3:44 PM
Subscribers
Aklapper
Dreamy_Jazz
mszabo
sbassett

Description

Summary

The CheckUser extension has Special:Investigate which is currently vulnerable to i18n XSS (through checking with the x-xss language). These XSS vectors should be fixed.

Background

  • The x-xss language allows finding messages which are not properly escaped in MediaWiki interfaces
  • The CheckUser extension has Special:Investigate for investigating users to see if they have performed abuse
  • When using the x-xss language on Special:Investigate, there are several popup alerts that indicate the CheckUser is not properly escaping these messages
  • The messages which are vulnerable:
    • checkuser-investigate-compare-table-cell-unregistered
    • rev-deleted-user

Technical notes

To reproduce:

  1. Set $wgUseXssLanguage to be true
  2. Create a user which is then suppressed
  3. Perform a few edits using an IP address (not temporary account)
  4. Load Special:Investigate and enter the IP used to perform steps 2 and 3
  5. Enter a reason and submit the form
  6. Add uselang=x-xss to the end of the URL when on IPs and User agents tab

Screenshots

image.png (148×440 px, 8 KB)

image.png (146×454 px, 7 KB)

image.png (402×1 px, 84 KB)

Acceptance criteria

  • The CheckUser Special:Investigate IPs and User agents tab is no longer vulnerable to i18n XSS

Details

Risk Rating
Medium
Author Affiliation
WMF Technology Dept
SubjectRepoBranchLines +/-
SECURITY: Escape i18n messages in ComparePagermediawiki/extensions/CheckUserREL1_42+2 -2
SECURITY: Escape i18n messages in ComparePagermediawiki/extensions/CheckUserREL1_43+2 -2
SECURITY: Escape i18n messages in ComparePagermediawiki/extensions/CheckUserREL1_44+2 -2
SECURITY: Escape i18n messages in ComparePagermediawiki/extensions/CheckUserREL1_39+2 -2
SECURITY: Escape i18n messages in ComparePagermediawiki/extensions/CheckUsermaster+2 -2
Customize query in gerrit

Related Objects

Event Timeline

Dreamy_Jazz created this task.May 19 2025, 3:44 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptMay 19 2025, 3:44 PM
Dreamy_Jazz added projects: CheckUser, Trust and Safety Product Team, Trust and Safety Product Sprint (Sprint Key Lime Pie (May 5 - May 23)).May 19 2025, 3:45 PM
Dreamy_Jazz claimed this task.May 19 2025, 3:48 PM
Dreamy_Jazz added a comment.May 19 2025, 3:54 PM

T394692.patch1 KBDownload

Dreamy_Jazz set the point value for this task to 1.May 19 2025, 3:54 PM
Dreamy_Jazz moved this task from Priority Backlog to Needs Review on the Trust and Safety Product Sprint (Sprint Key Lime Pie (May 5 - May 23)) board.
Dreamy_Jazz added a project: Patch-For-Review.
Dreamy_Jazz added a project: Vuln-XSS.
Dreamy_Jazz updated the task description. (Show Details)May 19 2025, 3:57 PM
mszabo subscribed.May 19 2025, 4:04 PM

+2

mszabo added a comment.May 19 2025, 4:06 PM

PreliminaryCheckPager seems to suffer from the same issue. Should we fix it in this ticket?

Dreamy_Jazz added a comment.May 19 2025, 4:21 PM
In T394692#10835585, @mszabo wrote:

PreliminaryCheckPager seems to suffer from the same issue. Should we fix it in this ticket?

Yeah. I didn't see that when I was testing it, primarily because that doesn't display IPs and I can't seem to specifically include a hidden user in the current check (so it's much harder or possibly impossible to reproduce without modifying the HTML)

sbassett subscribed.May 19 2025, 4:22 PM
In T394692#10835585, @mszabo wrote:

PreliminaryCheckPager seems to suffer from the same issue. Should we fix it in this ticket?

Separate bug would be preferred.

Dreamy_Jazz added a comment.May 19 2025, 4:22 PM

I'll make a patch for that too.

Dreamy_Jazz added a comment.May 19 2025, 4:22 PM
In T394692#10835652, @sbassett wrote:
In T394692#10835585, @mszabo wrote:

PreliminaryCheckPager seems to suffer from the same issue. Should we fix it in this ticket?

Separate bug would be preferred.

I'll file a separate bug then.

sbassett moved this task from Incoming to Security Patch To Deploy on the Security-Team board.May 19 2025, 4:22 PM
sbassett added a project: SecTeam-Processed.
Dreamy_Jazz renamed this task from Special:Investigate has i18n XSS vectors to Special:Investigate 'IPs and User agents' tab has i18n XSS vectors.May 19 2025, 4:26 PM
Dreamy_Jazz updated the task description. (Show Details)
sbassett changed the task status from Open to In Progress.May 19 2025, 4:36 PM
sbassett triaged this task as Medium priority.
sbassett changed Risk Rating from N/A to Medium.
sbassett added a comment.May 19 2025, 9:22 PM

Deployed to Wikimedia production.

sbassett moved this task from Security Patch To Deploy to Watching on the Security-Team board.May 19 2025, 9:23 PM
sbassett mentioned this in T389312: Write and send supplementary release announcement for extensions and skins with security patches (1.39.13/1.42.7/1.43.2).May 19 2025, 9:30 PM
sbassett removed a project: Patch-For-Review.May 19 2025, 9:45 PM
Dreamy_Jazz moved this task from Needs Review to Needs QA on the Trust and Safety Product Sprint (Sprint Key Lime Pie (May 5 - May 23)) board.May 21 2025, 12:51 PM
Dreamy_Jazz added a comment.May 21 2025, 1:00 PM

This may be hard to QA on production, so probably best wait until the patches are backported.

kostajh edited projects, added Trust and Safety Product Sprint (Sprint Carrot Cake (May 26 - June 13)); removed Trust and Safety Product Sprint (Sprint Key Lime Pie (May 5 - May 23)).May 25 2025, 6:52 PM
kostajh moved this task from Priority Backlog to Needs QA on the Trust and Safety Product Sprint (Sprint Carrot Cake (May 26 - June 13)) board.
kostajh edited projects, added Trust and Safety Product Sprint (Sprint Baklava (June 16 - July 4)); removed Trust and Safety Product Sprint (Sprint Carrot Cake (May 26 - June 13)).Jun 16 2025, 6:12 AM
kostajh moved this task from Priority Backlog to Needs QA on the Trust and Safety Product Sprint (Sprint Baklava (June 16 - July 4)) board.
kostajh edited projects, added Trust and Safety Product Sprint (Sprint Cannoli (July 7 - July 25)); removed Trust and Safety Product Sprint (Sprint Baklava (June 16 - July 4)).Mon, Jul 7, 9:41 AM
kostajh moved this task from Priority Backlog to Needs QA on the Trust and Safety Product Sprint (Sprint Cannoli (July 7 - July 25)) board.
Jdforrester-WMF added a project: MW-1.45-notes (1.45.0-wmf.9; 2025-07-08).Mon, Jul 7, 6:22 PM
mmartorana renamed this task from Special:Investigate 'IPs and User agents' tab has i18n XSS vectors to CVE-2025-53478: Special:Investigate 'IPs and User agents' tab has i18n XSS vectors.Tue, Jul 8, 5:34 PM
mmartorana closed this task as Resolved.Tue, Jul 8, 5:37 PM
mmartorana changed the visibility from "Custom Policy" to "Public (No Login Required)".
Dreamy_Jazz reopened this task as Open.Tue, Jul 8, 6:12 PM

Needs to wait for QA

sbassett added a comment.Tue, Jul 8, 8:51 PM

Note: this has been merged to master and backported - https://gerrit.wikimedia.org/r/q/I3a1e21b6800ff4d813a33ee9fe9b7ccf070b6b2e

Dreamy_Jazz moved this task from Inbox to Investigate on the CheckUser board.Wed, Jul 16, 12:27 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits