If you’re running a MediaWiki site—especially one using the popular Vector skin—there’s an important security issue you need to know about: CVE-2023-45359. This vulnerability was discovered in the Vector Skin component of MediaWiki versions before 1.39.5 and 1.40.x before 1.40.1. In this long read, I’ll explain in simple terms exactly what went wrong, why it’s dangerous, and how it was exploited. I’ll also share references and some code you can use to test or protect yourself.

What Is The Vector Skin in MediaWiki?

The Vector skin is the default look-and-feel for MediaWiki, the software behind Wikipedia and thousands of other wikis worldwide. It controls page layout, navigation, and the sidebar—including the Table Of Contents (TOC).

The Problem: Unescaped Input in TOC Toggle Button

At the heart of CVE-2023-45359 is the way the Vector skin renders the "toggle" button for the Table of Contents. There's a translatable string called vector-toc-toggle-button-label that shows up as the label for the button. This label could be set using the line parameter, which wasn't *escaped*. In web security, "escaping" means converting characters the browser would treat as markup (such as <, >, & and quotes) into their HTML entities, so they are displayed as text instead of being interpreted; it is crucial for preventing cross-site scripting (XSS).

In vulnerable versions, the Vector skin directly inserted unescaped user-controlled input into the HTML.

Here’s a simplified version of what the vulnerable code might have looked like:

// Vulnerable pseudocode in Vector Skin
echo $this->msg( 'vector-toc-toggle-button-label' )
    ->params( $lineParam )  // $lineParam can have user input
    ->text();              // .text() does not escape input!

The problem is the use of ->text(), which just dumps the contents directly into the page with no escaping.

Why This Is So Bad: Classic XSS

If an attacker can control the line parameter, they can inject arbitrary HTML or JavaScript into the page. For example, they could craft a malicious link that, when clicked, causes a script to run in the user's browser. That’s called Cross-Site Scripting (XSS).

Suppose an attacker crafts the following URL to a page (fictitious, for demonstration):

https://example-wiki.org/wiki/Page?line=%3Cscript%3Ealert('XSS')%3C%2Fscript%3E

The %3Cscript%3Ealert('XSS')%3C%2Fscript%3E part is just the URL-encoded form of <script>alert('XSS')</script>.

On a vulnerable wiki, this will inject an alert popup. In practice, the attacker could do more malicious things—like stealing cookies or impersonating the user.

Example rendered output (dangerous):

<button aria-label="<script>alert('XSS')</script>">...</button>

When the browser interprets this, it runs the script.

How Did This Happen?

MediaWiki uses "message" templates for internationalization and customization. These messages often have parameters. The Vector skin developers used $this->msg()->params()->text() instead of $this->msg()->params()->escaped(). The latter escapes any HTML from user-controlled sources.

Real Fix: Escaping That Parameter!

The fix is simple: escape the parameter before inserting it into the label.

Fixed code:

// Safe code in Vector Skin
echo $this->msg( 'vector-toc-toggle-button-label' )
    ->params( htmlspecialchars( $lineParam, ENT_QUOTES ) )
    ->text();

Or, better:

echo $this->msg( 'vector-toc-toggle-button-label' )
    ->params( $lineParam )
    ->escaped(); // Always escapes output

Affected Versions

MediaWiki releases before 1.39.5, and 1.40.x releases before 1.40.1. If you’re running one of these versions, you need to update immediately.

How Bad Is It?

XSS is a critical class of vulnerability. If a user can inject scripts into wiki pages—especially on a login page or important admin pages—they could steal credentials or perform actions as another user.

Patching & Mitigating

1. Update MediaWiki to at least 1.39.5 or 1.40.1 (see the release notes).
2. If you can't update, you can try removing user input from the toggle button label or hardcoding a safe label.
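As an added example (not code from the original post or from MediaWiki itself), the following Python script applies the affected ranges above to the generator string returned by the standard siteinfo API query, and models what escaping does to the button label. The sample API response is constructed, and the function names are my own.

```python
import html
import json
import re

# Affected ranges as stated in the write-up: every release before 1.39.5,
# plus the 1.40 series before 1.40.1. From 1.39.5 / 1.40.1 onward the bug is fixed.
FIXED_139 = (1, 39, 5)
FIXED_140 = (1, 40, 1)

def parse_generator(generator: str) -> tuple:
    """Turn the siteinfo 'generator' field (e.g. 'MediaWiki 1.39.4') into a version tuple."""
    m = re.search(r"MediaWiki\s+(\d+)\.(\d+)(?:\.(\d+))?", generator)
    if not m:
        raise ValueError(f"unrecognised generator string: {generator!r}")
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))

def is_affected(version: tuple) -> bool:
    """True if the version falls inside one of the two affected ranges."""
    if version[:2] == (1, 40):
        return version < FIXED_140
    return version < FIXED_139

def check_siteinfo(siteinfo_json: str) -> dict:
    """Evaluate a JSON reply to api.php?action=query&meta=siteinfo&siprop=general&format=json."""
    general = json.loads(siteinfo_json)["query"]["general"]
    version = parse_generator(general["generator"])
    return {"generator": general["generator"], "version": version, "affected": is_affected(version)}

def render_toggle_label(line_param: str, escape: bool) -> str:
    """Model the TOC toggle button label: raw (pre-fix) vs HTML-escaped (post-fix).
    html.escape(quote=True) is the Python counterpart of htmlspecialchars(..., ENT_QUOTES)."""
    label = html.escape(line_param, quote=True) if escape else line_param
    return f'<button aria-label="{label}">...</button>'

# Constructed sample response, not captured from a real wiki.
SAMPLE_SITEINFO = json.dumps({"query": {"general": {"generator": "MediaWiki 1.40.0"}}})
PAYLOAD = "<script>alert('XSS')</script>"  # the write-up's demonstration string

if __name__ == "__main__":
    print(check_siteinfo(SAMPLE_SITEINFO))
    print(render_toggle_label(PAYLOAD, escape=False))  # markup survives intact
    print(render_toggle_label(PAYLOAD, escape=True))   # markup becomes inert entities
```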

References

- CVE-2023-45359 at MITRE
- Wikimedia Security Phab
- Patch Discussion/Commit

Wrapping Up

CVE-2023-45359 is a great example of how a simple mistake—forgetting to escape a message parameter—can have big security consequences. If you run a MediaWiki site, double-check your version and patch as soon as possible. Escaping user input is critical, even in internationalization code that seems safe at first glance. Stay safe out there!

If you have any more questions about security in MediaWiki or want help auditing your code, let me know.

Timeline

Published on: 10/09/2024 06:15:13 UTC
Last modified on: 10/10/2024 12:51:56 UTC