⚓ T106893 Special:DeletedContributions leaks IPs if IP is blocked

Subject	Repo	Branch	Lines +/-
SECURITY: Don't disclose if an IP is autoblocked on Special:DeletedContributions	mediawiki/core	master	+1 -1
SECURITY: Don't disclose if an IP is autoblocked on Special:DeletedContributions	mediawiki/core	REL1_25	+1 -1
SECURITY: Don't disclose if an IP is autoblocked on Special:DeletedContributions	mediawiki/core	REL1_24	+1 -1
SECURITY: Don't disclose if an IP is autoblocked on Special:DeletedContributions	mediawiki/core	REL1_23	+1 -1

Maniphest changed the visibility from "Public (No Login Required)" to "Custom Policy".Jul 24 2015, 9:13 PM

Maniphest changed the edit policy from "All Users" to "Custom Policy".

Restricted Application added a subscriber: Aklapper. · View Herald TranscriptJul 24 2015, 9:13 PM

Bsadowski1 created this task.Jul 24 2015, 9:13 PM

Bsadowski1 triaged this task as Medium priority.

Bsadowski1 updated the task description. (Show Details)

Bsadowski1 added a project: acl*security.

Bsadowski1 changed Security from None to Software security bug.

Bsadowski1 edited subscribers, added: Bsadowski1; removed: Aklapper.

This was noted in T48457#531937, but I missed that.

0001-SECURITY-Don-t-disclose-if-an-IP-is-autoblocked-on-S.patch1 KBDownload

Legoktm added a project: Vuln-Infoleak.Jul 24 2015, 9:28 PM

In T106893#1481045, @Legoktm wrote:

0001-SECURITY-Don-t-disclose-if-an-IP-is-autoblocked-on-S.patch1 KBDownload

Looks good to me

this is now deployed on wmf16 and wmf17

• csteipp closed this task as Resolved.Aug 5 2015, 8:18 PM

• csteipp added a parent task: Restricted Task.

• csteipp added subscribers: Grunny, ProgramCeltic.Aug 7 2015, 6:32 PM

• csteipp updated the task description. (Show Details)Aug 10 2015, 5:49 PM

• csteipp changed the visibility from "Custom Policy" to "Public (No Login Required)".Aug 10 2015, 9:59 PM

• csteipp changed the edit policy from "Custom Policy" to "All Users".

• csteipp changed Security from Software security bug to None.

Change 230667 had a related patch set uploaded (by Chad):
SECURITY: Don't disclose if an IP is autoblocked on Special:DeletedContributions

https://gerrit.wikimedia.org/r/230667

Change 230671 had a related patch set uploaded (by Chad):
SECURITY: Don't disclose if an IP is autoblocked on Special:DeletedContributions

https://gerrit.wikimedia.org/r/230671

Change 230675 had a related patch set uploaded (by Chad):
SECURITY: Don't disclose if an IP is autoblocked on Special:DeletedContributions

https://gerrit.wikimedia.org/r/230675

Change 230675 merged by jenkins-bot:
SECURITY: Don't disclose if an IP is autoblocked on Special:DeletedContributions

https://gerrit.wikimedia.org/r/230675

• demon mentioned this in rMW68d3211f2ce8: SECURITY: Don't disclose if an IP is autoblocked on Special:DeletedContributions.Aug 10 2015, 10:16 PM

Change 230671 merged by jenkins-bot:
SECURITY: Don't disclose if an IP is autoblocked on Special:DeletedContributions

https://gerrit.wikimedia.org/r/230671

• demon mentioned this in rMW82b350e54a60: SECURITY: Don't disclose if an IP is autoblocked on Special:DeletedContributions.Aug 10 2015, 10:22 PM

Change 230667 merged by jenkins-bot:
SECURITY: Don't disclose if an IP is autoblocked on Special:DeletedContributions

https://gerrit.wikimedia.org/r/230667

• demon mentioned this in rMW5a88c9cba9aa: SECURITY: Don't disclose if an IP is autoblocked on Special:DeletedContributions.Aug 10 2015, 10:24 PM

• Forrestbot added projects: MW-1.24-release, MW-1.23-release, MW-1.25-release.Aug 10 2015, 11:00 PM

Ricordisamoa subscribed.Aug 10 2015, 11:45 PM

Change 230776 had a related patch set uploaded (by Chad):
SECURITY: Don't disclose if an IP is autoblocked on Special:DeletedContributions

https://gerrit.wikimedia.org/r/230776

Change 230776 merged by jenkins-bot:
SECURITY: Don't disclose if an IP is autoblocked on Special:DeletedContributions

https://gerrit.wikimedia.org/r/230776

• demon mentioned this in rMW5faabfa1bbf6: SECURITY: Don't disclose if an IP is autoblocked on Special:DeletedContributions.Aug 11 2015, 2:29 PM

• Forrestbot added projects: WMF-deploy-2015-08-11_(1.26wmf18), MW-1.26-release.Aug 11 2015, 3:00 PM

CVE-2015-6727 was assigned for this.

• chasemp added a project: Security.Feb 10 2020, 10:59 PM

• chasemp removed a project: acl*security.Feb 20 2020, 8:17 PM

Special:DeletedContributions leaks IPs if IP is blocked
Closed, ResolvedPublic
Actions

Description

Details

Related Objects
Search...

Event Timeline

	F251037: 0001-SECURITY-Don-t-disclose-if-an-IP-is-autoblocked-on-S.patch
	Jul 24 2015, 9:25 PM

		Status	Subtype	Assigned	Task
					Restricted Task
		Resolved		Legoktm	T106893 Special:DeletedContributions leaks IPs if IP is blocked

Special:DeletedContributions leaks IPs if IP is blockedClosed, ResolvedPublicActions

Description

Details

Related ObjectsSearch...

Event Timeline

Special:DeletedContributions leaks IPs if IP is blocked
Closed, ResolvedPublic
Actions

Related Objects
Search...