Coordinated Disclosure Timeline
- 2020-12-15: Reported to security@wikimedia.org
- 2020-12-15: Issue acknowledged
- 2020-12-15: Issue is fixed
Summary
A reflected cross-site scripting (XSS) vulnerability has been found in analytics-quarry-web.
Product
https://github.com/wikimedia/analytics-quarry-web
Tested Version
Latest commit at the time of reporting (December 14, 2020).
Details
The server responds with return Response(json.dumps(...)) without setting the proper MIME type (application/json).
This becomes problematic for the preference handling defined here: https://github.com/wikimedia/analytics-quarry-web/blob/085a51b2dee8b58882276d9fe090174252edb85e/quarry/web/app.py#L395-L412
You can exploit this vulnerability by tricking a logged-in user into visiting the vulnerable URL.
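To make the root cause concrete, here is an added example (not Quarry's code; the handler, preference store and route prefix are constructed stand-ins) that models the reported pattern in a plain WSGI app beside its hardened form. The JSON body is identical in both; only the declared content type decides whether a browser treats the reflected key as markup.

```python
import json
from urllib.parse import unquote
# Constructed preference store standing in for the real lookup (not Quarry's code).
PREFERENCES = {"use_legacy_editor": False}
PREFIX = "/api/preferences/get/"


def vulnerable_get_preference(key):
    # Reported pattern: a JSON body, but Flask's Response() keeps its default
    # text/html content type, so the reflected key is parsed as markup.
    body = json.dumps({"key": key, "value": PREFERENCES.get(key)})
    return "200 OK", [("Content-Type", "text/html; charset=utf-8")], body


def fixed_get_preference(key):
    # Hardened form: same body, but declared as JSON and protected from sniffing.
    body = json.dumps({"key": key, "value": PREFERENCES.get(key)})
    headers = [("Content-Type", "application/json"),
               ("X-Content-Type-Options", "nosniff")]
    return "200 OK", headers, body


def make_app(handler):
    """Wrap a handler as a WSGI app routed at PREFIX<key>."""
    def app(environ, start_response):
        path = environ.get("PATH_INFO", "")
        if not path.startswith(PREFIX):
            start_response("404 Not Found", [("Content-Type", "text/plain")])
            return [b"not found"]
        status, headers, body = handler(unquote(path[len(PREFIX):]))
        start_response(status, headers)
        return [body.encode("utf-8")]
    return app


def call(app, path):
    """Invoke a WSGI app in-process (no server) and return (status, headers, body)."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"], captured["headers"] = status, dict(headers)

    chunks = app({"PATH_INFO": path, "REQUEST_METHOD": "GET"}, start_response)
    return captured["status"], captured["headers"], b"".join(chunks).decode()


def renders_as_html(headers):
    """Browsers execute script in the body only when they treat it as HTML."""
    return headers.get("Content-Type", "").split(";")[0].strip() == "text/html"
```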
PoC:
- Visit the official Quarry site https://quarry.wmflabs.org/ or follow the setup instructions in the repo. (I found the official site from here.)
- Log in with a Wikimedia account
- Visit the vulnerable URL: https://quarry.wmflabs.org/api/preferences/get/%3Cimg%20src=0%20onerror=alert(0)%3E
Impact
XSS can cause a variety of problems for the end user that range in severity from an annoyance to complete account compromise. The most severe XSS attacks involve disclosure of the user’s session cookie, allowing an attacker to hijack the user’s session and take over the account.
CVE
- CVE-2020-36324
Credit
This issue was discovered and reported by Rasmus Wriedt Larsen of the CodeQL Python team.
Contact
You can contact the GHSL team at securitylab@github.com; please include GHSL-2020-336 in any communication regarding this issue.