Page MenuHomePhabricator
Create Task
Maniphest T134931

Security review of GlobalGroupPermissions
Closed, ResolvedPublic
Actions

Description

As a result of T134863, we should look closer at Special:GlobalGroupPermissions.

Details

SubjectRepoBranchLines +/-
Low severity security-ish issues in CentralAuth special pagesmediawiki/extensions/CentralAuthmaster+70 -63
SECURITY: Use getFullUrlForRedirect() in Special:CentralAuthAutoLogin/setCookiesmediawiki/extensions/CentralAuthREL1_29+1 -1
SECURITY: Use getFullUrlForRedirect() in Special:CentralAuthAutoLogin/setCookiesmediawiki/extensions/CentralAuthREL1_27+1 -1
SECURITY: Use getFullUrlForRedirect() in Special:CentralAuthAutoLogin/setCookiesmediawiki/extensions/CentralAuthREL1_28+1 -1
SECURITY: Use getFullUrlForRedirect() in Special:CentralAuthAutoLogin/setCookiesmediawiki/extensions/CentralAuthmaster+1 -1
Customize query in gerrit

Related Objects

Event Timeline

dpatrick created this task.May 10 2016, 9:15 PM
Restricted Application added subscribers: Zppix, Aklapper. · View Herald TranscriptMay 10 2016, 9:15 PM
dpatrick triaged this task as Medium priority.May 10 2016, 9:17 PM
dpatrick moved this task from Incoming to Scheduled on the deprecated-security-team-reviews board.Jul 6 2016, 5:14 PM
MarcoAurelio subscribed.Jul 8 2016, 10:51 PM

As one with access to such special page, I'd like to know what T134863 was about. Can I be added to that ticket?

dpatrick added a comment.Jul 12 2016, 4:31 AM
In T134931#2443250, @MarcoAurelio wrote:

As one with access to such special page, I'd like to know what T134863 was about. Can I be added to that ticket?

Sure thing. I've added you.

Bawolff set Security to Software security bug.Sep 13 2016, 9:50 AM
Bawolff added a project: acl*security.
Bawolff changed the visibility from "Public (No Login Required)" to "Custom Policy".
Bawolff subscribed.

Making it secret so I can talk about results so far.

Restricted Application removed a subscriber: Zppix. · View Herald TranscriptSep 13 2016, 9:50 AM
Bawolff added a comment.Sep 13 2016, 9:55 AM

/me thinks it might be prudent to look at all the Special pages in Central Auth, not just that one.

Thus far, (only done Special:GlobalGroupPermissions and Special:CentralAuth as of yet), things I'm concerned about:

  • Special:GlobalGroupPermissions:
    • buildGroupView() lines 235, 243, 244 - Group name is not escaped [low severity as its unlikely for the attacker to have control of the group name]
    • line 376 - misleading code comment
  • Special:CentralAuth
    • Username in showInfo() on line 306 [Low severity, as usernames normally can't have < or > in them, but should not rely on that.]
dpatrick moved this task from Scheduled to In Progress on the deprecated-security-team-reviews board.Sep 15 2016, 5:39 PM
Bawolff added a comment.EditedSep 27 2016, 2:48 PM

Ok I've looked at all the special pages, except Special:MergeAccount. Mostly I discovered a bunch of low severity sketchy stuff that's not exploitable (Not escaping i18n messages, double escaping some things, etc).

My not really tested yet patch is:

T134931-WIP.patch17 KBDownload

This patch does not include the following issues:

  • Special:MergeAccount (Because I haven't fully looked at the html output code of it yet, but it definitely should be carefully checked as its gnarly)
    • Also Special:MergeAccount::initSession() uses mt_rand() to generate numbers that should be cryptographically random. This is bad.
  • interwiki redirection in Special:CentralAuthAutoLogin similar to T109140
Bawolff added a comment.Nov 1 2016, 12:03 PM

https://gerrit.wikimedia.org/r/319055

This includes all issues except for the interwiki redirection thing.

See also T149679

Grunny mentioned this in T134863: Reflected XSS in GlobalGroupPermissions.Jan 18 2017, 3:37 PM
Bawolff added a project: Patch-For-Review.Jun 27 2017, 2:04 PM
Bawolff moved this task from Backlog / Other to Patch pending review on the acl*security board.

T134931-redirect.patch1 KBDownload

Patch for final bit.

It is a limited open redirect which is probably enough of a real security issue that it should go through secret security patch process and not just be dumped on gerrit.

Bawolff moved this task from In Progress to Waiting on the deprecated-security-team-reviews board.Jun 28 2017, 2:17 PM
Reedy subscribed.Jul 4 2017, 8:24 PM
In T134931#3382305, @Bawolff wrote:

T134931-redirect.patch1 KBDownload

Patch for final bit.

It is a limited open redirect which is probably enough of a real security issue that it should go through secret security patch process and not just be dumped on gerrit.

CR+1

Should be fine to deploy that whenever

Bawolff added a comment.Jul 10 2017, 10:36 PM

Deployed to Wikimedia:

[22:28]	logmsgbot	!log bawolff@tin Synchronized php-1.30.0-wmf.7/extensions/CentralAuth/includes/specials/SpecialCentralAutoLogin.php: T134931 (duration: 00m 44s)
Bawolff moved this task from Patch pending review to Patch pending deployment on the acl*security board.Jul 10 2017, 10:36 PM
demon subscribed.Jul 18 2017, 4:25 PM

Is anything left for this?

Bawolff added a comment.Jul 18 2017, 5:01 PM
In T134931#3448599, @demon wrote:

Is anything left for this?

Last remaining thing was me asking around if we are getting cve numbers for the open redirect issue.

demon added a comment.EditedJul 18 2017, 5:05 PM

For CentralAuth? Eh, if you think it's necessary. I say just toss the fix over the wall and e-mail wikitech-l like usual. It's a pretty WMF-centric extension.

Bawolff changed the visibility from "Custom Policy" to "Public (No Login Required)".Jul 19 2017, 4:16 AM
gerritbot subscribed.Jul 19 2017, 4:16 AM

Change 366187 had a related patch set uploaded (by Brian Wolff; owner: Brian Wolff):
[mediawiki/extensions/CentralAuth@master] SECURITY: Use getFullUrlForRedirect() in Special:CentralAuthAutoLogin/setCookies

https://gerrit.wikimedia.org/r/366187

gerritbot added a comment.Jul 19 2017, 4:20 AM

Change 366187 merged by jenkins-bot:
[mediawiki/extensions/CentralAuth@master] SECURITY: Use getFullUrlForRedirect() in Special:CentralAuthAutoLogin/setCookies

https://gerrit.wikimedia.org/r/366187

gerritbot added a comment.Jul 19 2017, 4:20 AM

Change 366188 had a related patch set uploaded (by Brian Wolff; owner: Brian Wolff):
[mediawiki/extensions/CentralAuth@REL1_29] SECURITY: Use getFullUrlForRedirect() in Special:CentralAuthAutoLogin/setCookies

https://gerrit.wikimedia.org/r/366188

gerritbot added a comment.Jul 19 2017, 4:22 AM

Change 366189 had a related patch set uploaded (by Brian Wolff; owner: Brian Wolff):
[mediawiki/extensions/CentralAuth@REL1_28] SECURITY: Use getFullUrlForRedirect() in Special:CentralAuthAutoLogin/setCookies

https://gerrit.wikimedia.org/r/366189

gerritbot added a comment.Jul 19 2017, 4:24 AM

Change 366191 had a related patch set uploaded (by Brian Wolff; owner: Brian Wolff):
[mediawiki/extensions/CentralAuth@REL1_27] SECURITY: Use getFullUrlForRedirect() in Special:CentralAuthAutoLogin/setCookies

https://gerrit.wikimedia.org/r/366191

gerritbot added a comment.Jul 19 2017, 4:26 AM

Change 366189 merged by jenkins-bot:
[mediawiki/extensions/CentralAuth@REL1_28] SECURITY: Use getFullUrlForRedirect() in Special:CentralAuthAutoLogin/setCookies

https://gerrit.wikimedia.org/r/366189

gerritbot added a comment.Jul 19 2017, 4:27 AM

Change 366191 merged by jenkins-bot:
[mediawiki/extensions/CentralAuth@REL1_27] SECURITY: Use getFullUrlForRedirect() in Special:CentralAuthAutoLogin/setCookies

https://gerrit.wikimedia.org/r/366191

gerritbot added a comment.Jul 19 2017, 4:27 AM

Change 366188 merged by jenkins-bot:
[mediawiki/extensions/CentralAuth@REL1_29] SECURITY: Use getFullUrlForRedirect() in Special:CentralAuthAutoLogin/setCookies

https://gerrit.wikimedia.org/r/366188

MZMcBride subscribed.Jul 19 2017, 4:42 AM
ReleaseTaggerBot added a project: MW-1.30-release-notes (WMF-deploy-2017-07-25_(1.30.0-wmf.11)).Jul 19 2017, 5:00 AM
Bawolff closed this task as Resolved.Jul 19 2017, 5:18 AM
Bawolff claimed this task.

Everything done and publically announced.

sbassett moved this task from Waiting to Done on the deprecated-security-team-reviews board.Jul 9 2019, 8:22 PM
sbassett moved this task from Patch pending deployment to Done on the acl*security board.Sep 26 2019, 2:38 PM
chasemp removed a project: deprecated-security-team-reviews.Jan 8 2020, 4:16 PM
chasemp added a project: Application Security Reviews.Jan 8 2020, 4:40 PM
chasemp moved this task from Incoming to Our Part Is Done on the Application Security Reviews board.Jan 8 2020, 4:43 PM
chasemp added a project: Security.Feb 10 2020, 10:59 PM
chasemp removed a project: acl*security.Feb 20 2020, 8:17 PM
chasemp added a project: secscrum.Mar 10 2020, 8:11 PM
chasemp moved this task from Incoming to Our Part Is Done on the secscrum board.Mar 10 2020, 8:19 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL