Cross-Site Scripting (XSS) on Wiki pages

Bug #1797927 reported by Lorenzo Di Fuccia
This bug affects 1 person
Affects               Status        Importance  Assigned to  Milestone
Ubuntu Documentation  Fix Released  Undecided   Unassigned

Bug Description

I found this security issue on the Ubuntu Wiki pages (wiki.ubuntu.com).

The issue is a Reflected Cross-Site Scripting (XSS) from the URL path.

When you directly reach a page that does not exist, the Wiki will show you an error message reflecting what you searched.

The user-supplied input is not validated or escaped, so it leads to arbitrary HTML and JavaScript code injection on the page.

Proof-of-Concept:

Reach the following page:
https://wiki.ubuntu.com/notexists%22%20onclick=%22alert('XSS')

MITRE CWE: CWE-79 Type 1
OWASP Top 10 2017: A7 - Cross-Site Scripting (XSS)

Tags: xss
information type: Private Security → Public Security
information type: Public Security → Private Security
Gunnar Hjalmarsson (gunnarhj) wrote :

Thanks for your report.

I'm not able to reproduce the behavior, though. When I try to access a page which does not exist, it simply takes me to a page where I'm offered a URL to create it, for instance:

https://wiki.ubuntu.com/notexists?action=edit

So can you please let us know exactly which steps you take to encounter the problem?

Changed in ubuntu-docs:
status: New → Incomplete
Lorenzo Di Fuccia (l.difuccia) wrote :

It seems that the wiki is down.

Gunnar Hjalmarsson (gunnarhj) wrote :

Not any longer. (At least not for me.)

Lorenzo Di Fuccia (l.difuccia) wrote :

Let me explain this vulnerability better:

When reaching the page https://wiki.ubuntu.com/notexists%22%20onclick=%22alert('XSS'), the path following the hostname is reflected in the response body, showing an error message warning the user that the page searched for doesn't exist.

The wiki application creates an HTML "h2" title with an HTML "a" link showing the searched path, with the path appended to the "href" attribute of the HTML tag. The user input is appended without sanitization, so an attacker can inject other HTML/JavaScript code into the page DOM.

The payload that I used for this XSS closes the "href" attribute with the quote and then uses the "onclick" event attribute of the HTML "a" element in order to call the JavaScript function "alert" when the user clicks on the title.

When you open the link with the XSS payload, the Google Chrome browser will block the page rendering because its XSS Auditor engine detects the XSS injection.
(The attached file XSS_01.png shows this.)

If you use Mozilla Firefox instead, the page will be displayed, even with the XSS.
The file XSS_02.png shows the page rendered and the HTML "a" element with the injected "onclick" attribute.

After clicking on the title link, the "alert" is displayed (file XSS_02.png).

If you instead use the "onmouseover" event attribute in the XSS payload you will only need to move the mouse over the title in order to trigger the XSS.
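The following is an added example, not code from this bug thread, from MoinMoin, or from the Ubuntu wiki theme. It models the defect described above in a few lines of Python: a "page does not exist" heading rendered with the raw request path interpolated into both the link's href attribute and its text, beside a version that encodes each interpolation for the context it lands in, plus a small regression check that lists the attributes on the resulting anchor tag. The markup string and the function names are assumptions of this example; the input is the report's test-case path, URL-decoded as the server sees it.

```python
import html
import re
from urllib.parse import quote, unquote

# The path from the report's test case, URL-decoded the way the wiki sees it after
# the web server decodes %22 (") and %20 (space). Constructed from the bug's PoC URL.
REQUESTED_PATH = unquote("notexists%22%20onclick=%22alert('XSS')")

# Hypothetical markup modelled on the report's description (an h2 containing an a
# element whose href and text both carry the requested path); not the real theme code.
TEMPLATE = '<h2>This page does not exist yet. <a href="/{href}">{text}</a></h2>'


def render_missing_page_vulnerable(page_path: str) -> str:
    """Interpolates the raw path into an attribute value and into element text.
    A double quote in the path terminates the href attribute, so whatever follows
    becomes new attributes on the <a> tag (the CWE-79 pattern in the report)."""
    return TEMPLATE.format(href=page_path, text=page_path)


def render_missing_page_hardened(page_path: str) -> str:
    """Encodes each interpolation for the context it lands in:
    - href: percent-encode the path as a URL component (quote, keeping '/' for
      sub-page names), so '"', ' ', '=' and quotes can never close the attribute;
    - text: HTML-escape with quote=True so <, >, &, " and ' render literally."""
    return TEMPLATE.format(
        href=quote(page_path, safe="/"),
        text=html.escape(page_path, quote=True),
    )


_ANCHOR_RE = re.compile(r"<a\s+([^>]*)>")


def anchor_attribute_names(markup: str) -> list:
    """Return the attribute names on the first <a> tag in the markup. A defender can
    use this as a regression check: user input must never add an attribute."""
    match = _ANCHOR_RE.search(markup)
    if match is None:
        return []
    return re.findall(r"([A-Za-z-]+)=", match.group(1))


if __name__ == "__main__":
    for label, render in (("vulnerable", render_missing_page_vulnerable),
                          ("hardened", render_missing_page_hardened)):
        out = render(REQUESTED_PATH)
        print(f"{label}: {out}")
        print(f"  <a> attributes: {anchor_attribute_names(out)}")
```

Run stand-alone, the vulnerable renderer yields an anchor with both an href and an onclick attribute, while the hardened one yields only href, with the injected text visible as literal characters. The point for a maintainer is that the fix belongs in the server-side template, as the thread's resolution (a theme fix) confirms: the report notes that Chrome's XSS Auditor blocked the page while Firefox rendered it, and that auditor was a best-effort client-side heuristic that has since been removed from Chrome, so it was never a substitute for output encoding.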

Gunnar Hjalmarsson (gunnarhj) wrote :

Thanks for elaborating. This is over my head, but I subscribed the Ubuntu Security Team.

Changed in ubuntu-docs:
status: Incomplete → New
Lorenzo Di Fuccia (l.difuccia) wrote :

How can I request a CVE for this vulnerability?

Gunnar Hjalmarsson (gunnarhj) wrote :

I'm not sure, but I think the security folks will handle that if they think it's motivated.

Alex Murray (alexmurray) wrote :

The Ubuntu wiki is a MoinMoin instance, so the question is: is this an issue with the Ubuntu wiki's MoinMoin configuration, or is this an upstream bug in MoinMoin itself?

Gunnar Hjalmarsson (gunnarhj) wrote :

Good question, Alex. I have absolutely no idea. A third option may be that we are not using the latest MoinMoin version.

Subscribed Alan Pope, who might be able to provide guidance, and changed the information type to "Public Security".

information type: Private Security → Public Security
Gunnar Hjalmarsson (gunnarhj) wrote :

@Lorenzo: Yes, indeed. Seems like the version on the Ubuntu server is just 1.9.8, so a MoinMoin upgrade should fix it.

Thanks!

Gunnar Hjalmarsson (gunnarhj) wrote :

I filed this issue:

https://github.com/canonical-websites/www.ubuntu.com/issues/4246

Hopefully that will bring the right people's attention to this bug.

Peter Mahnke (peterm-ubuntu) wrote :

Gunnar, this isn't a web team issue, but for IS.

I have filed the issue in their RT system with a pointer to this.

Hopefully, they can help.

Peter

Gunnar Hjalmarsson (gunnarhj) wrote :

@Lorenzo: Peter let me know that this should be fixed now. Can you please check again, and confirm?

Gunnar Hjalmarsson (gunnarhj) wrote :

Thanks. Keeping this bug open for now, then, to track the issue.

Paul Collins (pjdc) wrote :

This turned out to be a bug in our theme's code and not in Moin. I've fixed the theme bug and confirmed that the test case supplied above no longer succeeds.

Gunnar Hjalmarsson (gunnarhj) wrote :

On 2018-10-25 04:28, Paul Collins wrote:
> This turned out to be a bug in our theme's code and not in Moin. I've
> fixed the theme bug and confirmed that the test case supplied above
> no longer succeeds.

@Lorenzo: Do you have time to test this one last(?) time?

Changed in ubuntu-docs:
status: New → Incomplete
Lorenzo Di Fuccia (l.difuccia) wrote :

Yes, now the XSS seems to be fixed.

https://github.com/canonical-websites/www.ubuntu.com/issues/4246#issuecomment-436184341

This issue can be closed.
Thank you for the work done.

Gunnar Hjalmarsson (gunnarhj) wrote :

Thanks for reporting it! Closing.

Changed in ubuntu-docs:
status: Incomplete → Fix Released
Changed in canonical-website-content:
status: New → Fix Released