GHSA-4c2h-67qq-vm87: Citizen skin vulnerable to stored XSS through multiple system messages
Various system messages are inserted by the Citizen skin in multiple places without proper sanitization.
1 - Command Palette Tips
Summary
Multiple system messages are inserted into the CommandPaletteFooter as raw HTML, allowing anybody who can edit those messages to insert arbitrary HTML into the DOM.
Details
The messages are retrieved using the plain() output mode, which applies no escaping: https://github.com/StarCitizenTools/mediawiki-skins-Citizen/blob/072e4365e9084e4b153eac62d3666566c06f5a49/resources/skins.citizen.commandPalette/components/CommandPaletteFooter.vue#L61-L66
currentTip is set to one of these messages: https://github.com/StarCitizenTools/mediawiki-skins-Citizen/blob/072e4365e9084e4b153eac62d3666566c06f5a49/resources/skins.citizen.commandPalette/components/CommandPaletteFooter.vue#L69
currentTip is inserted as raw HTML via v-html (the vue/no-v-html lint rule should not be ignored here): https://github.com/StarCitizenTools/mediawiki-skins-Citizen/blob/072e4365e9084e4b153eac62d3666566c06f5a49/resources/skins.citizen.commandPalette/components/CommandPaletteFooter.vue#L3-L4
PoC
- Edit citizen-command-palette-tip-commands, citizen-command-palette-tip-users, citizen-command-palette-tip-namespace and citizen-command-palette-tip-templates to <img src="" onerror="alert(1)"> (script tags don't work here: script elements inserted through innerHTML are not executed, so an event handler attribute is used instead)
- Open the command palette
Impact
This impacts wikis where a group has the editinterface but not the editsitejs user right: such users may edit system messages but are not supposed to be able to run arbitrary JavaScript in other users' browsers.
2 - Menu Headings
Summary
All system messages in menu headings using the Menu.mustache template are inserted as raw HTML, allowing anybody who can edit those messages to insert arbitrary HTML into the DOM.
Details
The system messages for menu headings are inserted unescaped into raw HTML: https://github.com/StarCitizenTools/mediawiki-skins-Citizen/blob/072e4365e9084e4b153eac62d3666566c06f5a49/templates/Menu.mustache#L8-L10
PoC
- Go to any article using Citizen with the uselang parameter set to x-xss (the x-xss pseudo-language replaces every message with an XSS test payload; it is only available when $wgUseXssLanguage is enabled on the wiki)
- A large number of alerts will be shown for various messages, e.g.:
On the main page of my test wiki, the following messages were shown: navigation, notifications, user-interface-preferences, personaltools, variants, views, associated-pages, cactions and toolbox.
Impact
This impacts wikis where a group has the editinterface but not the editsitejs user right.
3 - User registration date
Summary
Various date messages returned by Language::userDate are inserted into raw HTML, allowing anybody who can edit those messages to insert arbitrary HTML into the DOM.
Details
The result of $this->lang->userDate( $timestamp, $this->user ) is unescaped (the localized month and weekday names it contains come from system messages), but Citizen inserts it as raw HTML:
https://github.com/StarCitizenTools/mediawiki-skins-Citizen/blob/072e4365e9084e4b153eac62d3666566c06f5a49/includes/Components/CitizenComponentUserInfo.php#L55-L60
PoC
- Go to any page using Citizen with the uselang parameter set to x-xss while logged in
Depending on the registration date of the account you're logged in with, various messages can be shown. In my case, it's november:
Impact
This impacts wikis where a group has the editinterface but not the editsitejs user right.
4 - Preferences menu headings
Summary
Various preferences messages are inserted into raw HTML, allowing anybody who can edit those messages to insert arbitrary HTML into the DOM.
Details
The innerHTML of the label div is set to the textContent of the label. textContent returns the decoded text, so the escaping applied when the message was first rendered is undone and the string is parsed again as markup:
https://github.com/StarCitizenTools/mediawiki-skins-Citizen/blob/407052e7069bdeae927d6f1a2a1c9a45b473bf9a/resources/skins.citizen.preferences/addPortlet.polyfill.js#L18
PoC
- Edit citizen-feature-custom-font-size-name (or any other message displayed in a heading in the preferences menu) to <img src="" onerror="alert('citizen-feature-custom-font-size-name')"> (script tags don't work here: script elements inserted through innerHTML are not executed)
- Open the preferences menu
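The two sink patterns from sections 1 and 4 side by side, as an added JavaScript example that is not part of the advisory or of Citizen's code: a constructed stored message of the kind an interface editor could save is rendered (a) as raw markup, the v-html / triple-mustache / innerHTML case, (b) HTML-escaped, and (c) through the textContent-to-innerHTML round trip from section 4. The escapeHtml and decodeEntities helpers stand in for what the browser does when a string is escaped into a node and then read back through textContent; hasInlineHandler is a deliberately simple heuristic for the demonstration, not a sanitizer.

```javascript
// Added example, not Citizen's code. Models the render paths described in the
// advisory with plain string functions so it runs in Node without a DOM.

// Constructed stored message: what an editinterface user could save in a
// MediaWiki: system message (same payload shape as the advisory's PoCs).
const STORED_MESSAGE = '<img src="" onerror="alert(1)">';

// Minimal HTML escaping, equivalent to an escaped output mode or a {{ }} tag.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#039;' };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Reverse of escapeHtml: what element.textContent returns for a node whose
// markup was the escaped string (the browser decodes the entities for you).
function decodeEntities(s) {
  const map = { amp: '&', lt: '<', gt: '>', quot: '"', '#039': "'" };
  return s.replace(/&(amp|lt|gt|quot|#039);/g, (m, name) => map[name]);
}

// Heuristic: does the markup contain an element carrying an inline event
// handler attribute? Good enough to show the difference, not a sanitizer.
function hasInlineHandler(html) {
  return /<[a-z][^>]*\son[a-z]+\s*=/i.test(html);
}

// Sections 1, 2 and 5: message dropped into the DOM as raw HTML. Vulnerable.
function renderRaw(message) {
  return `<div class="tip">${message}</div>`;
}

// Hardened: escape before insertion (v-text, {{ }}, textContent).
function renderEscaped(message) {
  return `<div class="tip">${escapeHtml(message)}</div>`;
}

// Section 4: the label was rendered escaped, then script copies
// label.textContent into another element's innerHTML. textContent decodes
// the entities, so the copy is the original payload and innerHTML parses it.
function copyLabelViaInnerHtml(escapedLabelHtml) {
  const textContent = decodeEntities(escapedLabelHtml);
  return `<div class="label">${textContent}</div>`; // innerHTML = textContent
}

// Fixed copy: textContent to textContent keeps the string inert.
function copyLabelViaTextContent(escapedLabelHtml) {
  const textContent = decodeEntities(escapedLabelHtml);
  return `<div class="label">${escapeHtml(textContent)}</div>`;
}

if (typeof require !== 'undefined' && require.main === module) {
  const cases = [
    ['raw insertion', renderRaw(STORED_MESSAGE)],
    ['escaped insertion', renderEscaped(STORED_MESSAGE)],
    ['innerHTML = textContent', copyLabelViaInnerHtml(escapeHtml(STORED_MESSAGE))],
    ['textContent = textContent', copyLabelViaTextContent(escapeHtml(STORED_MESSAGE))],
  ];
  for (const [name, html] of cases) {
    console.log(`${name.padEnd(26)} live handler: ${hasInlineHandler(html)}`);
  }
}
```

Only the two paths that end in a markup sink produce a live handler; the escaped path and the text-to-text copy do not, which is why the fix for section 4 is to assign textContent rather than to escape once more on the way in.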
5 - No results messages
Summary
The citizen-search-noresults-title and citizen-search-noresults-desc system messages are inserted into raw HTML, allowing anybody who can edit those messages to insert arbitrary HTML into the DOM.
Details
The system messages are inserted as raw HTML by the mustache template: https://github.com/StarCitizenTools/mediawiki-skins-Citizen/blob/407052e7069bdeae927d6f1a2a1c9a45b473bf9a/resources/skins.citizen.search/templates/TypeaheadPlaceholder.mustache#L8-L9
PoC
- Edit citizen-search-noresults-title and citizen-search-noresults-desc to <img src="" onerror="alert('citizen-search-noresults-title')"> and <img src="" onerror="alert('citizen-search-noresults-desc')"> (script tags don't work here: script elements inserted through innerHTML are not executed)
- Open the search bar and search for a page that doesn't exist to get the "no results" messages to show up
Impact
This impacts wikis where a group has the editinterface but not the editsitejs user right.
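All five findings share one shape: an unescaped system message reaches a raw-HTML sink. The following Node script, added here and not part of the advisory or of Citizen, greps a source tree for those sinks: v-html (and a disabled vue/no-v-html rule) in Vue templates, triple-mustache or {{& }} tags in Mustache templates, innerHTML/outerHTML/insertAdjacentHTML in JavaScript, and PHP template data under an html- key (the MediaWiki skin template convention for "already safe HTML") that is built from plain(), text() or userDate(). The file names and contents in SAMPLE_TREE are constructed to resemble the code paths cited above; they are not Citizen's actual files. The rules are regular expressions and will produce false positives (for instance `innerHTML ===` comparisons), so the output is a review list, not a verdict.

```javascript
// Added example, not Citizen's code: audit script for the raw-HTML sinks this
// advisory is about. Constructed sample files stand in for a real checkout.

const SINK_RULES = [
  // Vue: v-html renders the bound string as markup; a disabled lint rule is a
  // second signal that someone knowingly bypassed the check.
  { id: 'vue-v-html', ext: '.vue', re: /\bv-html\s*=/g },
  { id: 'vue-no-v-html-disabled', ext: '.vue', re: /eslint-disable[^\n]*vue\/no-v-html/g },
  // Mustache: triple braces and {{& }} skip HTML escaping.
  { id: 'mustache-unescaped', ext: '.mustache', re: /\{\{\{\s*[^}]+\}\}\}|\{\{&\s*[^}]+\}\}/g },
  // DOM: these properties/methods parse their argument as markup, not text.
  { id: 'dom-innerhtml', ext: '.js', re: /\.(inner|outer)HTML\s*=|\.insertAdjacentHTML\s*\(/g },
  // PHP: an 'html-' template key fed from an unescaped message or date string.
  { id: 'php-unescaped-message', ext: '.php', re: /'html-[\w-]+'\s*=>\s*[^\n]*->(plain|text|userDate)\s*\(/g },
];

// 1-based line number of a character offset within text.
function lineOf(text, index) {
  return text.slice(0, index).split('\n').length;
}

// Scan one file; returns [{ rule, file, line, match }].
function scanFile(file, text) {
  const findings = [];
  for (const rule of SINK_RULES) {
    if (!file.endsWith(rule.ext)) continue;
    for (const m of text.matchAll(rule.re)) {
      findings.push({ rule: rule.id, file, line: lineOf(text, m.index), match: m[0].trim() });
    }
  }
  return findings;
}

// Scan a { path: contents } map, e.g. built from fs.readFileSync over a tree.
function scanTree(files) {
  return Object.entries(files).flatMap(([file, text]) => scanFile(file, text));
}

// Constructed samples: shapes taken from the advisory, not copied from Citizen.
const SAMPLE_TREE = {
  'components/CommandPaletteFooter.vue': [
    '<template>',
    '  <!-- eslint-disable-next-line vue/no-v-html -->',
    '  <span class="tip" v-html="currentTip"></span>',
    '</template>',
  ].join('\n'),
  'components/SafeFooter.vue': '<template>\n  <span class="tip" v-text="currentTip"></span>\n</template>',
  'templates/Menu.mustache': '<h3>\n  {{{html-heading}}}\n</h3>\n<p>{{escaped-heading}}</p>',
  'resources/addPortlet.polyfill.js': 'labelDiv.innerHTML = label.textContent;\nsafeDiv.textContent = label.textContent;',
  'includes/UserInfo.php': "return [ 'html-date' => $this->lang->userDate( $ts, $this->user ) ];\n" +
    "return [ 'html-tip' => $this->msg( 'citizen-tip' )->plain() ];",
};

if (typeof require !== 'undefined' && require.main === module) {
  for (const f of scanTree(SAMPLE_TREE)) {
    console.log(`${f.file}:${f.line} [${f.rule}] ${f.match}`);
  }
}
```

Against the sample tree the script reports six findings and nothing for the v-text and textContent variants; each hit is a place where the string flowing in has to be either escaped, produced by an escaping output mode, or run through a sanitizing parser before it can be trusted as HTML.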
References
- GHSA-4c2h-67qq-vm87
- StarCitizenTools/mediawiki-skins-Citizen@54c8717
- StarCitizenTools/mediawiki-skins-Citizen@93c36ac