A few months ago, frustrated by the lack of defensive anti-XSS measures in MediaWiki, I decided to make my own. Hence was born Extension:XSSProtector.
This extension is a compromise - it's the best I can do from an extension without changing anything in MediaWiki. However, I think it does provide real safety against the most likely vulnerabilities in MediaWiki.
Yesterday, MediaWiki released a security update for core and bundled extensions, so let's see how XSSProtector fared (✅ = XSSProtector stops it, ❌ = it does not):
[Note: Severity ratings for vulns are my own opinion, as there is no official rating]
The Vulns
High
- ✅ (T401099, CVE-2025-61638) SECURITY: Sanitize data- attributes.
  - Stored XSS in MediaWiki's parser.
  - As an aside, this is an amazing find by gui-ying233. It's not often that people find stored XSS in MediaWiki's core parser.
Moderate
- ✅ (T397232, CVE-2025-61656) SECURITY: Sanitize attributes unwrapped from data-ve-attributes.
  - Basically, if you can trick a user into copying and pasting something evil into VisualEditor, you can take over their account. Moderate because it requires complex user interaction, but is ultimately fairly serious.
Low
- ❌ (T387478, CVE-2025-61634) SECURITY: REST: Set cache-control value of max-age=60 for redirects.
- ✅ (T394396, CVE-2025-61636) SECURITY: Escape rawElement $content.
- ✅ (T394856, CVE-2025-61637) SECURITY: Escape three system messages used by live preview.
- ❌ (T280413, CVE-2025-61639) SECURITY: Use ManualLogEntry::getDeleted in ::getRecentChange.
  - Not an XSS type bug.
- ❌ (T403757, CVE-2025-61643) SECURITY: Don't send suppressed recent changes to RCFeeds.
- ❌ (T398706, CVE-2025-61646) SECURITY: Prevent leaking hidden usernames in Watchlist/RecentChanges.
- ✅ (T402075, CVE-2025-61640) SECURITY: Parse messages instead of inserting them as HTML.
- ❌ (T298690, CVE-2025-61641) SECURITY: api: Disable maxsize in QueryAllPages in miser mode.
- ✅ (T402313, CVE-2025-61642) SECURITY: Escape submit button label for Codex-based HTMLForms.
- ✅ (T403761, CVE-2025-61645) SECURITY: Fix i18n XSS in CodexTablePager.
- ✅ [CheckUser] (T403408, CVE-2025-61651) SECURITY: fix XSS in tempuser-expired-link-tooltip message.
- ❌ [CheckUser] (T404805, CVE-2025-61658) SECURITY: Add config variable to exclude from GlobalContributions.
- ✅ [CheckUser] (T402077, CVE-2025-61648) SECURITY: Escape system messages before inserting them as HTML.
- ❌ [ConfirmEdit] (T355073, CVE-2025-61635) SECURITY: ApiFancyCaptchaReload: Reuse badcaptcha rate limit.
- ❌ [DiscussionTools] (T397580, CVE-2025-61652) SECURITY: In API check user read permissions before showing PageInfo.
  - I consider this low as it requires an unsupported configuration. People who have private wikis using officially supported configs are not affected.
- ❌ [DiscussionTools] (T364910, T396248, CVE-2025-11175) SECURITY: DiscussionTools should use better regex.
- ❌ [OATHAuth] (T401862, T402094, CVE-2025-11173) SECURITY: Reauth for enabling 2FA can be bypassed by submitting a form.
- ❌ [OATHAuth] (T396951) FreeOTP refuses to add MediaWiki's 2FA details, because "token is unsafe".
- ❌ [TextExtracts] (T397577, CVE-2025-61653) SECURITY: Add authorizeRead check for extracts endpoint.
  - I'm considering this low because it requires configuring MediaWiki in an officially unsupported configuration. Normal private wikis are not affected as far as I can tell.
- ❌ [Thanks] (T397497, CVE-2025-61654) SECURITY: Exclude deleted entries when counting thanks.
  - I think most users don't really consider this sensitive information.
- ✅ [VisualEditor] (T395858, CVE-2025-61655) SECURITY: Properly escape and parse system messages.
- ✅ [Vector] (T398636, CVE-2025-61657) SECURITY: Insert sticky header labels as text instead of HTML.
In conclusion
It stopped all the XSS vulns, including the two that actually matter for your average MediaWiki setup. Overall it got 11 out of 24 (46%). However, I think it's important to emphasize that most of the low vulnerabilities either can only be triggered by an admin, can only happen in rare configurations, or are DoS vulnerabilities that only matter if you've already spent significant effort doing performance hardening. XSSProtector prevented all the vulnerabilities that your average MediaWiki install should be worried about.