MediaWiki (Citizen Skin), Cross-Site Scripting (XSS), CVE-2023-XXXX (Critical)


How the Vulnerability Works

The Citizen skin for MediaWiki fails to properly sanitize multiple system messages before inserting them into the DOM as raw HTML. Attackers with `editinterface` permissions (but not `editsitejs`) can inject malicious scripts via crafted messages.
1. Command Palette Tips – Unsanitized messages in `CommandPaletteFooter.vue` allow HTML injection via v-html.
2. Menu Headings – `Menu.mustache` directly inserts unescaped messages, enabling XSS via modified headings.
3. User Registration Date – `userDate()` output is unsanitized, allowing date-based XSS.
4. Preferences Menu – `innerHTML` assignments bypass sanitization in preference labels.
5. No Results Messages – Search-related messages in `TypeaheadPlaceholder.mustache` are vulnerable.
Exploitation requires editing system messages (e.g., injecting <img onerror=alert(1)>). Script tags may fail due to insertion methods, but event handlers execute.

DailyCVE Form

Platform: MediaWiki
Version: Citizen Skin
Vulnerability: XSS
Severity: Critical
Date: 2023-XX-XX

Prediction: Patch by Q3 2024

What Undercode Says:

Exploitation:

1. PoC Payloads:

<img src="" onerror="alert(document.cookie)">

Modify messages like `citizen-command-palette-tip-commands` via `editinterface`.

2. Manual Testing:

fetch('/api.php?action=query&meta=allmessages&ammessages=citizen-search-noresults-&format=json').then(r => r.json())

3. Mass Injection:

for msg in tip-commands tip-users; do curl -X POST --data "message=$MALICIOUS_HTML" "$WIKI/api.php?action=edit"; done

Mitigation:

1. Temporary Fix:

// In LocalSettings.php
// This is the default value; it governs <html> tags in wikitext rather than the skin's own DOM insertion described above.
$wgRawHtml = false;

2. Patch Analysis:

Replace `v-html` with `{{ text }}` in Vue templates. Example:

<div v-html="currentTip" />

→

<div>{{ currentTip }}</div>
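The difference between the two templates, as an added example in plain JavaScript (not Citizen skin or Vue code): `renderTipUnsafe` stands in for the `v-html` binding and `renderTipSafe` for `{{ }}` interpolation, and the message override used as input is the page's own `<img onerror>` payload, constructed here as a sample. The helper names and the `containsActiveMarkup` check are this example's, not the skin's.

```javascript
// Added example (not Citizen skin code): why inserting a system message with
// v-html / innerHTML is dangerous and what text interpolation changes.
// Both render functions stand in for the template code the advisory describes.

// Minimal HTML escaping, equivalent to what Vue's {{ }} interpolation does.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[c]);
}

// Vulnerable pattern: <div v-html="currentTip" /> splices the message in as markup.
function renderTipUnsafe(message) {
  return `<div>${message}</div>`;
}

// Fixed pattern: <div>{{ currentTip }}</div> escapes the message first.
function renderTipSafe(message) {
  return `<div>${escapeHtml(message)}</div>`;
}

// Small check on produced markup: any tag other than the wrapping div, or an
// on*= handler attribute inside a tag. Enough to show the difference here.
function containsActiveMarkup(html) {
  const inner = html.replace(/^<div>|<\/div>$/g, '');
  return /<\s*[a-z!\/]/i.test(inner) || /<[^>]*\son[a-z]+\s*=/i.test(inner);
}

// Constructed sample message overrides: the advisory's payload and a benign tip.
const HOSTILE_TIP = '<img src="" onerror="alert(1)">';
const BENIGN_TIP = 'Press / to open the command palette';

console.log(renderTipUnsafe(HOSTILE_TIP)); // markup survives, handler would fire
console.log(renderTipSafe(HOSTILE_TIP));   // rendered as literal, inert text
console.log(containsActiveMarkup(renderTipUnsafe(HOSTILE_TIP))); // true
console.log(containsActiveMarkup(renderTipSafe(HOSTILE_TIP)));   // false
```

The escaped output still shows the attacker's text to the reader, which is why the fix is a rendering change rather than a filter: the message keeps its content but loses the ability to create elements or attributes.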

3. WAF Rules:

# Matches a literal <script> only; the event-handler payloads described above need further rules.
location ~ \.php$ {
    modsecurity on;
    modsecurity_rules 'SecRule ARGS "@contains <script>" "id:1001,phase:2,deny,status:403,msg:XSS-attempt"';
}

4. Log Monitoring:

tail -f /var/log/mediawiki/error.log | grep -E "editinterface|v-html"
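Beyond watching logs, the message overrides themselves can be audited. The added example below (not MediaWiki or Citizen code) walks an `allmessages` API response, assumed here in the `formatversion=2` shape with `name`, `normalizedname` and `content` fields, and flags every override that contains markup: event-handler attributes and `<script>` are reported as high severity, other tags as needing review, since some messages legitimately carry simple formatting. The response is constructed; of the message names only `citizen-command-palette-tip-commands` (from this advisory) and `sitenotice` (a core MediaWiki message) are real, the `example-*` names are hypothetical.

```javascript
// Added example (not MediaWiki or Citizen skin code): audit overridden system
// messages for markup that a skin inserting them raw would turn into live HTML.
// Input shape assumed: MediaWiki API action=query&meta=allmessages with
// formatversion=2, i.e. entries of {name, normalizedname, content}.

// Constructed sample response. Only 'citizen-command-palette-tip-commands' (from
// the advisory) and 'sitenotice' (a core MediaWiki message) are real names; the
// 'example-*' names are hypothetical.
const SAMPLE_ALLMESSAGES = {
  batchcomplete: true,
  query: {
    allmessages: [
      { name: 'citizen-command-palette-tip-commands',
        normalizedname: 'citizen-command-palette-tip-commands',
        content: 'Type / to see available commands' },
      { name: 'example-message-with-handler',
        normalizedname: 'example-message-with-handler',
        content: '<img src="" onerror="alert(1)">' },
      { name: 'example-message-with-script',
        normalizedname: 'example-message-with-script',
        content: 'Results<script>alert(1)</script>' },
      { name: 'sitenotice',
        normalizedname: 'sitenotice',
        content: 'Scheduled <b>maintenance</b> on Friday' },
    ],
  },
};

// Any HTML-looking tag, opening or closing.
const TAG_RE = /<\s*[a-z!\/][^>]*>/gi;
// An on*= attribute inside a tag (the vector the advisory says actually fires).
const HANDLER_RE = /<[^>]*\son[a-z]+\s*=/i;
// A script element: some insertion paths may not execute it, but it is never legitimate here.
const SCRIPT_RE = /<\s*script\b/i;

// Returns null for plain text, 'high' for executable markup, 'review' for other
// tags (simple formatting is sometimes legitimate, so a human should look).
function classifyMessage(content) {
  const tags = content.match(TAG_RE) || [];
  if (tags.length === 0) return null;
  if (HANDLER_RE.test(content) || SCRIPT_RE.test(content)) return 'high';
  return 'review';
}

// Walks the API response and returns one finding per message that contains markup,
// most severe first so the executable overrides are seen immediately.
function auditAllMessages(response) {
  const findings = [];
  for (const m of response.query.allmessages) {
    const level = classifyMessage(m.content);
    if (level !== null) {
      findings.push({ name: m.name, level, tagCount: (m.content.match(TAG_RE) || []).length });
    }
  }
  return findings.sort((a, b) => (a.level === b.level ? 0 : a.level === 'high' ? -1 : 1));
}

for (const f of auditAllMessages(SAMPLE_ALLMESSAGES)) {
  console.log(`${f.level.toUpperCase().padEnd(6)} ${f.name} (${f.tagCount} tag(s))`);
}
```

Run against a real wiki by fetching `api.php?action=query&meta=allmessages&amfilter=citizen&format=json&formatversion=2` with a logged-in session and passing the parsed body to `auditAllMessages`; anything reported as `high` corresponds to a `MediaWiki:` namespace page whose edit history identifies the account that introduced it.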

5. User Permissions:

// Restrict editinterface
$wgGroupPermissions['sysop']['editinterface'] = false;

6. Static Analysis:

grep -rE "v-html|innerHTML" /path/to/Citizen/skin/

7. CSP Header:

# No 'unsafe-inline' (it re-enables the inline handlers described above); MediaWiki's own inline scripts need the nonce policy from $wgCSPHeader instead.
Header set Content-Security-Policy "default-src 'self'; script-src 'self'"

8. Automated Scanning:

nikto -h $WIKI_URL -plugins xss

9. Patch Verification:

// Test post-patch: Vue compiles v-html away, so '[v-html]' never matches in the live DOM.
// Instead set a test message to a harmless marker such as <b>test</b> and confirm the page
// renders it as escaped text rather than as an element:
document.body.innerHTML.includes('&lt;b&gt;test&lt;/b&gt;')

10. Backup Messages:

-- MediaWiki has no message table; system message overrides are pages in namespace 8 (MediaWiki:), here with the mw_ table prefix.
SELECT page_title FROM `mw_page` WHERE page_namespace = 8;

Impact: Full DOM XSS via message edits. Patch urgently or restrict editinterface.

Sources:

Reported By: github.com
