Special:GlobalUserRights reveals existence of globally suppressed users (CVE-2021-36127)
Closed, ResolvedPublicSecurity
Actions

Assigned To

Authored By

	Zabe
	Jun 20 2021, 4:59 PM

Description

Globally suppressed users should be treated like they don't exist, but Special:GlobalUserRights reveals the existence of them. See related T276306: CVE-2021-30156: Special:Contributions toolbar reveals existence of hidden users and T270453: CVE-2021-30153: ApiVisualEditor leaks info about hidden users.

Steps to reproduce

Globally suppress an account, e.g. Some Account.
Goto Special:GlobalUserRights/Some Account, where Some Account is that globally suppressed account.

Expected result

Actual result

(screenshots were taken on beta cluster)

Details

Author Affiliation: Wikimedia Communities

Subject	Repo	Branch	Lines +/-
SECURITY: Act like users don't exist if hidden from viewer	mediawiki/extensions/CentralAuth	REL1_36	+12 -2
SECURITY: Act like users don't exist if hidden from viewer	mediawiki/extensions/CentralAuth	REL1_35	+12 -2
SECURITY: Act like users don't exist if hidden from viewer	mediawiki/extensions/CentralAuth	REL1_31	+12 -2
SECURITY: Act like users don't exist if hidden from viewer	mediawiki/extensions/CentralAuth	master	+12 -2

Customize query in gerrit

Related Objects

Mentioned In: T298784: Security Issue Access Request for Zabe
T260863: Globally hidden usernames can be enumerated by unauthenticated users by crawling Special:GlobalUserRights with user IDs
T279733: Write and send supplementary release announcement for extensions and skins with security patches (1.31.15/1.35.3/1.36.1)
Mentioned Here: T260863: Globally hidden usernames can be enumerated by unauthenticated users by crawling Special:GlobalUserRights with user IDs
T192957: "Account is hidden from public lists" is misleading
T270453: CVE-2021-30153: ApiVisualEditor leaks info about hidden users
T276306: CVE-2021-30156: Special:Contributions toolbar reveals existence of hidden users

Event Timeline

Zabe created this task.Jun 20 2021, 4:59 PM

Restricted Application added a subscriber: Aklapper. · View Herald TranscriptJun 20 2021, 4:59 PM

This patch should do the job:

0001-SECURITY-Act-like-users-don-t-exist-if-hidden-from-v.patch1 KBDownload

(untested, as I do not have a local CentralAuth setup)

Zabe added projects: User-Zabe, Vuln-Infoleak, MediaWiki-extensions-CentralAuth.Jun 20 2021, 5:02 PM

Zabe added a project: Patch-For-Review.Jun 20 2021, 5:05 PM

DannyS712 subscribed.Jun 20 2021, 7:26 PM

sbassett moved this task from Incoming to Security Patch To Deploy on the Security-Team board.Jun 21 2021, 3:53 PM

@Zabe this patch works for globally suppressed users, but there are some users who have both gu_status and lists as attributes, in the database still have the same error message. Not sure if the patch should cover those users as well. Another patch can be submitted if that's the case. More context for hidden lists -> https://phabricator.wikimedia.org/T192957

Security patch deployed June 21, 2021 -> https://sal.toolforge.org/log/Q1RpMHoBa_6PSCT9zC0q

sbassett removed a project: Patch-For-Review.Jun 21 2021, 9:16 PM

Mstyles mentioned this in T279733: Write and send supplementary release announcement for extensions and skins with security patches (1.31.15/1.35.3/1.36.1).Jun 21 2021, 9:18 PM

In T285190#7168051, @Mstyles wrote:

@Zabe this patch works for globally suppressed users, but there are some users who have both gu_status and lists as attributes, in the database still have the same error message. Not sure if the patch should cover those users as well. Another patch can be submitted if that's the case. More context for hidden lists -> https://phabricator.wikimedia.org/T192957

Users with $mHidden set to 'lists' will be hidden on Special:CentralAuth and Special:GlobalUsers. Therefore I assume that they should also be hidden on Special:GlobalUserRights. So let me create a second patchset, which includes users with $mHidden set to 'lists'. On the other hand, I have to say that I don't know what you mean by gu_status.

0001-SECURITY-Act-like-users-don-t-exist-if-hidden-from-v.patch1 KBDownload

patchset 2

+1 to the patch above. We can try to get this updated patch out sometime this week during a train-friendly/backport window-friendly time.

sbassett triaged this task as Low priority.Jun 22 2021, 3:23 PM

sbassett merged a task: T260863: Globally hidden usernames can be enumerated by unauthenticated users by crawling Special:GlobalUserRights with user IDs.Jun 23 2021, 7:09 PM

sbassett mentioned this in T260863: Globally hidden usernames can be enumerated by unauthenticated users by crawling Special:GlobalUserRights with user IDs.

sbassett added a subscriber: ST47.

The patch was applied with .9 and .11 (https://sal.toolforge.org/log/VEzWOnoB1jz_IcWuA5fo), but this patch doesn't handle the user id scenario. This is mentioned in T260863 which was merged into this ticket.

In T285190#7173756, @Mstyles wrote:

This is mentioned in T260863 which was merged into this ticket.

Yeah, I can't see that one.

@Zabe - @DannyS712 just subbed you to that task.

Zabe merged a task: T260863: Globally hidden usernames can be enumerated by unauthenticated users by crawling Special:GlobalUserRights with user IDs.Jun 23 2021, 10:27 PM

0001-SECURITY-Act-like-users-don-t-exist-if-hidden-from-v.patch1 KBDownload

patchset 3

This now includes a fix for the user id scenario described in T260863. Sorry for me don't adding that in the previous one.

In T285190#7173901, @Zabe wrote:

0001-SECURITY-Act-like-users-don-t-exist-if-hidden-from-v.patch1 KBDownload

patchset 3

+1 to PS3. I feel like the logic could be condensed a bit more to be a bit more DRY, but this is fine for a security patch.

This now includes a fix for the user id scenario described in T260863. Sorry for me don't adding that in the previous one.

No problem, there are plenty of somewhat dated and forgotten bugs in Phab that deal with similar issues :) Given how long T260863 was open, I think it can likely wait for deployment for next Monday's (2021-06-28) security window, unless anyone has more immediate concerns about it.

I'm getting this on testwiki

[13f616c5-872f-4580-9947-57a0d6bfe4fc] /wiki/Special:GlobalUserRights?user=%2363654358 Error: Call to private CentralAuthGroupMembershipProxy::__construct() from context 'SpecialGlobalGroupMembership'

Backtrace:

from /srv/mediawiki/php-1.37.0-wmf.12/extensions/CentralAuth/includes/specials/SpecialGlobalGroupMembership.php(101)
#0 /srv/mediawiki/php-1.37.0-wmf.12/includes/specials/SpecialUserrights.php(141): SpecialGlobalGroupMembership->fetchUser(string, boolean)
#1 /srv/mediawiki/php-1.37.0-wmf.12/includes/specialpage/SpecialPage.php(646): UserrightsPage->execute(NULL)
#2 /srv/mediawiki/php-1.37.0-wmf.12/includes/specialpage/SpecialPageFactory.php(1362): SpecialPage->run(NULL)
#3 /srv/mediawiki/php-1.37.0-wmf.12/includes/MediaWiki.php(314): MediaWiki\SpecialPage\SpecialPageFactory->executePath(string, RequestContext)
#4 /srv/mediawiki/php-1.37.0-wmf.12/includes/MediaWiki.php(917): MediaWiki->performRequest()
#5 /srv/mediawiki/php-1.37.0-wmf.12/includes/MediaWiki.php(551): MediaWiki->main()
#6 /srv/mediawiki/php-1.37.0-wmf.12/index.php(53): MediaWiki->run()
#7 /srv/mediawiki/php-1.37.0-wmf.12/index.php(46): wfIndexMain()
#8 /srv/mediawiki/w/index.php(3): require(string)
#9 {main}

@Zabe - yep, fixing with reverts right now.

0001-SECURITY-Act-like-users-don-t-exist-if-hidden-from-v.patch1 KBDownload

sorry, fixed the issue, if you haven't done that by your own already.

In T285190#7185241, @Zabe wrote:

0001-SECURITY-Act-like-users-don-t-exist-if-hidden-from-v.patch1 KBDownload

sorry, fixed the issue, if you haven't done that by your own already.

Ok, thanks. We'll pull to an mwdebug to test first this time.

Ok, the buggy PS3 patch made it to wmf.11 and wmf.12 for a bit, but was reverted (1, 2). The new PS4 patch that fixed the bug was tested on mwdebug1002 and looked fine and was deployed to wmf.11 and wmf.12 (1, 2). We tested the enwiki link from T260863 and there were no errors, and nothing in logstash either. So I think we're good for now.

sbassett moved this task from Security Patch To Deploy to Watching on the Security-Team board.Jun 29 2021, 9:58 PM

sbassett changed the visibility from "Custom Policy" to "Public (No Login Required)".Jul 1 2021, 10:43 PM

sbassett changed the edit policy from "Custom Policy" to "All Users".

Change 702771 had a related patch set uploaded (by SBassett; author: Zabe):

[mediawiki/extensions/CentralAuth@master] SECURITY: Act like users don't exist if hidden from viewer

https://gerrit.wikimedia.org/r/702771

Change 702722 had a related patch set uploaded (by SBassett; author: Zabe):

[mediawiki/extensions/CentralAuth@REL1_36] SECURITY: Act like users don't exist if hidden from viewer

https://gerrit.wikimedia.org/r/702722

Change 702723 had a related patch set uploaded (by SBassett; author: Zabe):

[mediawiki/extensions/CentralAuth@REL1_35] SECURITY: Act like users don't exist if hidden from viewer

https://gerrit.wikimedia.org/r/702723

Change 702724 had a related patch set uploaded (by SBassett; author: Zabe):

[mediawiki/extensions/CentralAuth@REL1_31] SECURITY: Act like users don't exist if hidden from viewer

https://gerrit.wikimedia.org/r/702724

Change 702771 merged by jenkins-bot:

[mediawiki/extensions/CentralAuth@master] SECURITY: Act like users don't exist if hidden from viewer

https://gerrit.wikimedia.org/r/702771

ReleaseTaggerBot added a project: MW-1.37-notes (1.37.0-wmf.14; 2021-07-12).Jul 2 2021, 4:00 PM

Change 702724 merged by jenkins-bot:

[mediawiki/extensions/CentralAuth@REL1_31] SECURITY: Act like users don't exist if hidden from viewer

https://gerrit.wikimedia.org/r/702724

Change 702723 merged by jenkins-bot:

[mediawiki/extensions/CentralAuth@REL1_35] SECURITY: Act like users don't exist if hidden from viewer

https://gerrit.wikimedia.org/r/702723

Change 702722 merged by jenkins-bot:

[mediawiki/extensions/CentralAuth@REL1_36] SECURITY: Act like users don't exist if hidden from viewer

https://gerrit.wikimedia.org/r/702722

sbassett renamed this task from Special:GlobalUserRights reveals existence of globally suppressed users to Special:GlobalUserRights reveals existence of globally suppressed users (CVE-2021-36127).Jul 2 2021, 8:04 PM

sbassett closed this task as Resolved.Jul 2 2021, 8:16 PM

sbassett moved this task from Watching to Our Part Is Done on the Security-Team board.

CptViraj subscribed.Jul 3 2021, 5:01 PM

Zabe removed a project: Patch-For-Review.Jul 15 2021, 3:46 PM

Zabe mentioned this in T298784: Security Issue Access Request for Zabe.Jan 10 2022, 11:00 PM

Zabe removed a project: User-Zabe.Apr 13 2022, 12:50 AM

	F34532053: 0001-SECURITY-Act-like-users-don-t-exist-if-hidden-from-v.patch
	Jun 29 2021, 9:32 PM

	F34524186: 0001-SECURITY-Act-like-users-don-t-exist-if-hidden-from-v.patch
	Jun 23 2021, 10:34 PM

	F34520123: 0001-SECURITY-Act-like-users-don-t-exist-if-hidden-from-v.patch
	Jun 22 2021, 10:19 AM

	F34515858: 0001-SECURITY-Act-like-users-don-t-exist-if-hidden-from-v.patch
	Jun 20 2021, 5:01 PM

Special:GlobalUserRights reveals existence of globally suppressed users (CVE-2021-36127)Closed, ResolvedPublicSecurityActions

Description

Steps to reproduce

Expected result

Actual result

Details

Related Objects

Event Timeline

Special:GlobalUserRights reveals existence of globally suppressed users (CVE-2021-36127)
Closed, ResolvedPublicSecurity
Actions