Page MenuHomePhabricator
Create Task
Maniphest T277009

CVE-2021-30158: Allow blocked users to access Special:ResetTokens
Closed, ResolvedPublicSecurity
Actions

Description

If users knowing his watchlist feed then being able to view his watchlist an unlimited number of times before block end his, And the user that is blocked must accept only, because he does not have method to be able to reset key.

Details

SubjectRepoBranchLines +/-
Allow blocked users to access Special:ResetTokensmediawiki/coreREL1_31+4 -0
Allow blocked users to access Special:ResetTokensmediawiki/coreREL1_35+4 -0
Allow blocked users to access Special:ResetTokensmediawiki/coremaster+4 -0
Customize query in gerrit

Related Objects
Search...

Event Timeline

IN created this task.Mar 10 2021, 7:56 AM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptMar 10 2021, 7:56 AM
IN renamed this task from If a user shares his watchlist key before being blocked, his watchlist key cannot be modified in any way during the duration of the block. to If a user shares his watchlist key before being blocked, his watchlist key cannot be modified in any way during the duration of the block.Mar 10 2021, 7:57 AM
IN added a project: MediaWiki-Watchlist.
Restricted Application added a project: Growth-Team. · View Herald TranscriptMar 10 2021, 7:57 AM
Aklapper changed the task status from Open to Stalled.Mar 10 2021, 8:11 AM

Hi @IN, thanks for taking the time to report this. Please always follow https://www.mediawiki.org/wiki/How_to_report_a_bug and provide:

  • a clear and complete list of exact steps to reproduce the situation, step by step, so that nobody needs to guess or interpret how you performed each step,
  • what happens after performing these steps to reproduce,
  • what you expected to happen instead and why you think that is a Security problem,
  • a full link to a web address where the issue can be seen.

In separate sections.

You can edit the task description by clicking Edit Task. Ideally, a good description should allow any other person to follow these steps (without having to interpret steps) and see the same results. Problems that others can reproduce can get fixed faster. Thanks again.

Aklapper renamed this task from If a user shares his watchlist key before being blocked, his watchlist key cannot be modified in any way during the duration of the block to If a user shares their watchlist token before being blocked, their token cannot be modified during the duration of the block.Mar 10 2021, 8:11 AM
IN added a comment.EditedMar 10 2021, 8:22 AM

The specific steps are as follows:
0. Share your own feed token on test wiki.

  1. Block yourself on testwiki.
  2. Visit https://w.wiki/35Bb .
  3. You can see:

Your username or IP address has been blocked.

The block was made by ‪yourself. The reason given is test for T277009

Start of block: just now
Expiration of block: […]
Intended blockee: ‪yourself
You can contact yourself‬ or another administrator to discuss the block. You can use the "Email this user" feature if a valid email address is specified in your preferences and you have not been blocked from using it. Your current IP address is […], and the block ID is #[…]. Please include all above details in any queries you make.

And you can't reset your key because it's overwritten by block notice, It cannot be modified under any circumstances.

Aklapper added a comment.Mar 10 2021, 8:25 AM

And you can't reset your key because it's overwritten by block notice.

Why would you want to reset your token if you are blocked anyway?
How is that a security issue, see https://www.mediawiki.org/wiki/Reporting_security_bugs#What_is_Considered_A_Security_Issue ?
Please read my previous comment, which asked for "what you expected to happen instead and why you think that is a Security problem".

IN added a comment.Mar 10 2021, 8:30 AM
In T277009#6899506, @Aklapper wrote:

And you can't reset your key because it's overwritten by block notice.

Why would you want to reset your token if you are blocked anyway?
How is that a security issue, see https://www.medi%61wiki.org/wiki/Reporting_security_bugs#What_is_Considered_A_Security_Issue ?
Please read my previous comment, which asked for "what you expected to happen instead and why you think that is a Security problem".

Because the token has already been shared. This is a security issue because the user's token is already publicly visible but he doesn't have the ability to reset the token, because he happens to be blocked. In other words, If the token of a blocked user is made public, the blocked user cannot change the token in any case.

Aklapper added a comment.Mar 10 2021, 10:09 AM
In T277009#6899512, @IN wrote:

Because the token has already been shared. This is a security issue because the user's token is already publicly visible

@IN: Where exactly is the token publicly visible to someone who is not the user themselves? Where can I see your token, basically? Please follow https://www.mediawiki.org/wiki/How_to_report_a_bug and provide complete steps to reproduce some situation. Thanks.

Aklapper added a comment.Mar 10 2021, 10:11 AM

@IN: You linked to https://test.wikipedia.org/w/index.php?title=Special:ResetTokens&returnto=Special%3APreferences&uselang=en (please avoid obfuscating links).
That page says "You can reset tokens which allow access to certain private data associated with your account here. You should do it if you accidentally shared them with someone or if your account has been compromised." I do not see a Security issue here, but a Privacy issue. If you see a Security issue, then please see https://www.mediawiki.org/wiki/Reporting_security_bugs#What_is_Considered_A_Security_Issue and explain what the Security issue is. Thanks.

Legoktm subscribed.Mar 10 2021, 4:16 PM

We should definitely allow blocked users to use Special:ResetTokens. I'm not sure exactly if I'd consider it a Vuln-Infoleak since it relies on the watchlist token being distributed/compromised but it's something we should allow for. I think this was accidental rather than intentional, it just uses the default from FormSpecialPage.

In T277009#6899764, @Aklapper wrote:
In T277009#6899512, @IN wrote:

Because the token has already been shared. This is a security issue because the user's token is already publicly visible

@IN: Where exactly is the token publicly visible to someone who is not the user themselves? Where can I see your token, basically? Please follow https://www.mediawiki.org/wiki/How_to_report_a_bug and provide complete steps to reproduce some situation. Thanks.

Watchlist tokens allow access to your watchlist, so you can use them for RSS feeds, or even have a shared watchlist amongst multiple users. The token should be unguessable, but the more likely scenario here is that you share it with someone or accidentally leak it and need to reset it. Special:ResetTokens is the way to do that, except it currently disallows blocked users from using it.

matmarex subscribed.Mar 10 2021, 4:19 PM

Patch:

0001-Allow-blocked-users-to-access-Special-ResetTokens.patch930 BDownload

(I can submit to Gerrit instead if this isn't considered a security issue)

Legoktm added a comment.Mar 10 2021, 4:33 PM
In T277009#6901149, @matmarex wrote:

Patch:

0001-Allow-blocked-users-to-access-Special-ResetTokens.patch930 BDownload

Code-Review +2

DannyS712 subscribed.Mar 10 2021, 4:34 PM
In T277009#6901149, @matmarex wrote:

Patch:

0001-Allow-blocked-users-to-access-Special-ResetTokens.patch930 BDownload

(I can submit to Gerrit instead if this isn't considered a security issue)

Untested, but makes sense - assuming that Jenkins wouldn't object, +2 from me - not sure if this needs to be deployed as a security patch or can go through gerrit, I think gerrit would be fine (please add me as a reviewer if done on gerrit)

sbassett triaged this task as Medium priority.Mar 10 2021, 4:58 PM
sbassett moved this task from Incoming to Watching on the Security-Team board.
sbassett subscribed.
In T277009#6901240, @DannyS712 wrote:

Untested, but makes sense - assuming that Jenkins wouldn't object, +2 from me - not sure if this needs to be deployed as a security patch or can go through gerrit, I think gerrit would be fine (please add me as a reviewer if done on gerrit)

IMO, this is low-risk to push through gerrit, so feel free to do that.

matmarex added a project: Patch-For-Review.Mar 10 2021, 5:53 PM

https://gerrit.wikimedia.org/r/c/mediawiki/core/+/670546

Jdforrester-WMF added a project: MW-1.36-notes (1.36.0-wmf.35; 2021-03-16).Mar 10 2021, 7:24 PM
DannyS712 assigned this task to matmarex.Mar 10 2021, 7:48 PM
DannyS712 removed a project: Patch-For-Review.

Patch was merged

sbassett added a comment.Mar 10 2021, 8:12 PM

I feel like this doesn't need a pick/deploy to wmf.34 and can wait until next week, unless anyone has more serious concerns.

sbassett mentioned this in T270459: Tracking bug for MediaWiki 1.31.13/1.35.2.Mar 10 2021, 8:15 PM
Jdforrester-WMF added projects: MW-1.31-release-notes, MW-1.35-notes.Mar 10 2021, 11:17 PM
IN renamed this task from If a user shares their watchlist token before being blocked, their token cannot be modified during the duration of the block to Allow blocked users to access Special:ResetTokens.EditedMar 11 2021, 7:47 AM
IN updated the task description. (Show Details)

I think this task should be a feature request, not a security issue. Can someone change it to FEATURE?

Because it's really a privacy issue, so please do not expose this task until a new version is released. After the new version is released, the task is over, so it can be make public.

IN edited projects, added Privacy; removed Security.Mar 11 2021, 7:55 AM
sbassett added projects: Security, SecTeam-Processed.Mar 11 2021, 4:50 PM
In T277009#6903536, @IN wrote:

I think this task should be a feature request, not a security issue. Can someone change it to FEATURE?

It's a lightweight user Vuln-DoS so we can keep the Security label.

Because it's really a privacy issue, so please do not expose this task until a new version is released. After the new version is released, the task is over, so it can be make public.

Yes, we can keep this task protected probably until Thursday of next week, after c954cc85ea is cut with wmf.35 and makes it to all wiki groups. The gerrit change set is already public, of course, but this is low-risk enough imo, and the change set discreet enough, that it shouldn't be problematic.

sbassett added a project: Vuln-DoS.Mar 17 2021, 3:09 PM
IN added a comment.Mar 19 2021, 12:37 PM

Is this mission over now?

Aklapper added a comment.Mar 19 2021, 12:40 PM

@IN: ? What "mission"?
Was that a question whether to resolve this ticket now that https://gerrit.wikimedia.org/r/c/mediawiki/core/+/670546 has been merged?

sbassett closed this task as Resolved.Mar 19 2021, 3:48 PM
sbassett moved this task from Watching to Our Part Is Done on the Security-Team board.
In T277009#6928372, @IN wrote:

Is this mission over now?

If you mean "can we resolve the task and make it public because the patch is now on wmf.35 and deployed to all wikis?", the answer to that question is yes. I'll go ahead and do that now.

sbassett changed the visibility from "Custom Policy" to "Public (No Login Required)".Mar 19 2021, 3:48 PM
sbassett changed the edit policy from "Custom Policy" to "All Users".
Reedy added a parent task: T270459: Tracking bug for MediaWiki 1.31.13/1.35.2.Mar 30 2021, 12:42 AM
Reedy renamed this task from Allow blocked users to access Special:ResetTokens to CVE-2021-30158: Allow blocked users to access Special:ResetTokens.Apr 6 2021, 7:13 PM
Reedy added a subscriber: gerritbot.Apr 8 2021, 7:11 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL