Page MenuHomePhabricator
Create Task
Maniphest T60088

[Regression] Sanitizer::checkCss blacklist can be bypassed using fullwidth backslash
Closed, ResolvedPublic
Actions

Description

The fix for fullwidth characters (https://gerrit.wikimedia.org/r/#/c/95557/, bug 55332) broke the CSS sanitizer, it now is possible to embed escape sequences into your CSS code and thus evade the blacklists for url() etc.

Example:

<p style="font-size: 100px; background-image: ur\l(https://www.google.com/images/srpr/logo6w.png)">A</p>

This currently loads the image from Google server and of course could be modified to allow XSS attacks via expression in old IEs.

Note the Fullwidth Reverse Solidus which is replaced with a normal Reverse Solidus *after* escape sequences are replaced with the actual character.

Version: unspecified
Severity: normal

Details

Reference
bz58088

Related Objects
Search...

StatusSubtypeAssignedTask
Restricted Task
 ResolvedNoneT60088 [Regression] Sanitizer::checkCss blacklist can be bypassed using fullwidth backslash

Event Timeline

bzimport raised the priority of this task from to Unbreak Now!.Nov 22 2014, 2:25 AM
bzimport added a project: MediaWiki-Parser.
bzimport set Reference to bz58088.
bzimport added a subscriber: Unknown Object (MLST).
Schnark created this task.Dec 6 2013, 8:20 AM
csteipp added a comment.Dec 6 2013, 5:05 PM

Confirmed in Firefox and Opera. We'll get a patch for this out right away. Thanks for the report!

csteipp added a comment.Dec 6 2013, 9:56 PM

Created attachment 14015
Don't normalize U+FF3C

This prevents the specific scenario, and I've confirmed in a few browsers that Fullwidth Reverse Solidus isn't treated like backslashes in identifiers.

Attached:

bug58088.patch884 BDownload

Schnark added a comment.Dec 7 2013, 8:43 AM

(In reply to comment #2)

[...] I've confirmed in a few browsers
that
Fullwidth Reverse Solidus isn't treated like backslashes in identifiers.

As no standard compliant browser should treat the Fullwidth Reverse Solidus as normal backslash the only interesting question is: Does Internet Explorer 6 interpret stuff like \123 as valid escape sequences?

csteipp added a comment.Dec 9 2013, 6:33 PM

I've tested in IE6 specifically, and it doesn't appear to use the fullwidth version as an escape sequence either. I'd like Tim to take a look at the patch, then we should be ok to deploy this.

tstarling added a comment.Dec 16 2013, 2:23 AM

Patch looks good.

csteipp added a comment.Dec 23 2013, 6:27 PM

This was assigned CVE-2013-6451

Mglaser added a comment.Jan 8 2014, 11:07 PM

Created attachment 14262
Don't normalize U+FF3C (1.19 branch)

Attached:

bug58088_119.patch863 BDownload

Mglaser added a comment.Jan 8 2014, 11:08 PM

Created attachment 14263
Don't normalize U+FF3C (1.21 branch)

Attached:

bug58088_121.patch893 BDownload

csteipp added a project: acl*security.Mar 26 2015, 8:39 PM
csteipp added a project: Vuln-XSS.Aug 20 2015, 10:07 PM
Luke081515 removed a subscriber: wikibugs-l-list.Jan 28 2016, 5:57 PM
Restricted Application added a subscriber: Luke081515. · View Herald TranscriptJan 28 2016, 5:57 PM
chasemp added a project: Security.Feb 10 2020, 10:50 PM
chasemp removed a project: acl*security.Feb 20 2020, 8:11 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL