Page MenuHomePhabricator
Create Task
Maniphest T122540

Confirmation form in "DeletePagesForGood" extension lacks CSRF token
Closed, ResolvedPublic
Actions

Description

The form to confirm a permanent deletion doesn't use a CSRF token, allowing a malicious page to permanently delete arbitrary pages for any wikis which the user is logged in to and has permission to use the DeletePagesForGood extension.

https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)

Details

SubjectRepoBranchLines +/-
Use FormAction instead of UnknownAction hook, Security fixmediawiki/extensions/DeletePagesForGoodmaster+100 -99
Customize query in gerrit

Event Timeline

R1CH created this task.Dec 28 2015, 8:42 PM
R1CH raised the priority of this task from to Needs Triage.
R1CH updated the task description. (Show Details)
R1CH added a project: MediaWiki-extensions-DeletePagesForGood.
R1CH subscribed.
Restricted Application added subscribers: StudiesWorld, Aklapper. · View Herald TranscriptDec 28 2015, 8:42 PM
Paladox subscribed.Jan 7 2016, 10:08 AM

Sound like security needs to be set in this task.

Paladox added a comment.Jan 7 2016, 10:09 AM

@R1CH would you know how to fix this please.

Thanks for spotting this.

Paladox added a comment.Jan 7 2016, 10:11 AM

@Aklapper do you know how I can get help on fixing this security issue since if I set the task to security then no one would see it.

Aklapper set Security to Software security bug.Jan 7 2016, 3:31 PM
Restricted Application changed the visibility from "Public (No Login Required)" to "Custom Policy". · View Herald TranscriptJan 7 2016, 3:31 PM
Restricted Application changed the edit policy from "All Users" to "Custom Policy". · View Herald Transcript
Restricted Application added a project: acl*security. · View Herald Transcript
Aklapper renamed this task from Confirmation form lacks CSRF token to Confirmation form in "DeletePagesForGood" extension lacks CSRF token.Jan 7 2016, 3:32 PM

Set to "Software Security bug" but note that this task was filled publicly.

@Paladox: See https://www.mediawiki.org/wiki/Security_for_developers

Paladox added a comment.Jan 7 2016, 3:45 PM

@Aklapper I am not sure if https://gerrit.wikimedia.org/r/#/c/250007/ fixes the security problem.

Bawolff subscribed.Jan 7 2016, 4:41 PM
In T122540#1920336, @Paladox wrote:

@Aklapper I am not sure if https://gerrit.wikimedia.org/r/#/c/250007/ fixes the security problem.

I have not specificly looked at that patch, but in general htmlform will fix this problem for you automatically

Paladox added a comment.Jan 7 2016, 5:31 PM

@Bawolff thanks. I am extending the class FormAction in this extension in that patch I linked.

Should I merge that since it would be important the only reason why I haven't merged it yet is because @saper suggested to use better error calling in one of the if statements. But that can be done in a separate patch since this is a security problem which needs fixing.

Paladox added a comment.Jan 7 2016, 5:42 PM

I am getting this error

Warning: unlink() [function.unlink]: Unable to find the wrapper "mwstore" - did you forget to enable it when you configured PHP? in /home/paladox1/public_html/extensions/DeletePagesForGood/DeletePagesForGood.class.php on line 196

Warning: unlink(local-backend/local-public/c/c0/Screenshot_(1).png) [function.unlink]: No such file or directory in /home/paladox1/public_html/extensions/DeletePagesForGood/DeletePagesForGood.class.php on line 196

using the new patch. Its to do with line 183 of DeletePagesForGood.class.php.

Paladox added a comment.Jan 7 2016, 7:54 PM

Patch has https://gerrit.wikimedia.org/r/#/c/250007/ been merged. Do I close this task now as resolved. And open it for public viewing.

csteipp triaged this task as Medium priority.Jan 8 2016, 12:25 AM
csteipp subscribed.
csteipp added a comment.Jan 8 2016, 12:31 AM

Patch has https://gerrit.wikimedia.org/r/#/c/250007/ been merged. Do I close this task now as resolved. And open it for public viewing.

It looks like the security issue is fixed with that commit, so if you're happy with the fix, go ahead and close this and make it public.

Paladox added a comment.Jan 8 2016, 12:34 AM

Thanks.

Paladox closed this task as Resolved.Jan 8 2016, 12:34 AM
Paladox changed Security from Software security bug to None.
csteipp changed the visibility from "Custom Policy" to "Public (No Login Required)".Jan 8 2016, 12:41 AM
csteipp changed the edit policy from "Custom Policy" to "All Users".
Restricted Application added a subscriber: Luke081515. · View Herald TranscriptJan 8 2016, 12:41 AM
chasemp added a project: Security.Feb 10 2020, 10:59 PM
chasemp removed a project: acl*security.Feb 20 2020, 8:17 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL