Page MenuHomePhabricator
Create Task
Maniphest T139570

API action=parse&prop=headhtml leaks current user and their tokens to third-party sites when used via JSONP
Closed, ResolvedPublic
Actions

Description

https://en.wikipedia.org/w/api.php?action=parse&page=Project:Sandbox&prop=headhtml&format=json&callback=foo includes data like wgUserName and private user settings (mw.user.options.set) when you are logged in. Instead it should (like https://en.wikipedia.org/w/api.php?action=parse&text=~~~~&pst&format=json&callback=foo does) treat the user as anon, when in JSONP mode (i.e. when the callback parameter is present).

Patches

1.27:

T139565-REL1_27.patch1 KBDownload

1.26:
T139565-REL1_26.patch2 KBDownload

1.23:
T139565-REL1_23.patch2 KBDownload

Related Objects
Search...

Event Timeline

Schnark created this task.Jul 7 2016, 8:51 AM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptJul 7 2016, 8:51 AM
Anomie subscribed.Jul 7 2016, 2:34 PM

This appears to be fixed by https://gerrit.wikimedia.org/r/#/c/297789/, which was already submitted to fix T139565.

dpatrick triaged this task as High priority.Jul 7 2016, 8:19 PM
dpatrick added a project: Vuln-Infoleak.
dpatrick mentioned this in T133070: MediaWiki 1.27.1 security release.
RobLa-WMF assigned this task to Bawolff.Jul 7 2016, 8:21 PM
dpatrick added a parent task: T133070: MediaWiki 1.27.1 security release.Jul 7 2016, 8:21 PM
Legoktm subscribed.Jul 7 2016, 11:13 PM

I merged Anomie's patch and will deploy it during/after today's evening SWAT window.

dpatrick subscribed.Jul 7 2016, 11:48 PM

Thanks @Legoktm!

Legoktm added a comment.Jul 8 2016, 12:30 AM

[17:27:28] <logmsgbot> !log dereckson@tin Synchronized php-1.28.0-wmf.9/includes/api/ApiParse.php: API: Generate head items in the context of the given title (T139565) (duration: 00m 30s)

I'll leave it to someone from Security-Team to mark this as resolved.

matmarex added a project: Vuln-CSRF.Jul 8 2016, 5:28 PM
matmarex subscribed.

This is worse than just a data leak (Vuln-Infoleak). The returned data (testing on my local wiki, before the patch) included the mw.user.tokens.set call with the CSRF token, so this essentially allowed for bypassing CSRF protection in almost all forms across the wiki.

Bawolff closed this task as Resolved.Jul 18 2016, 7:50 AM
Bawolff removed Bawolff as the assignee of this task.
Bawolff subscribed.

Marking as resolved since patch was deployed.

Bawolff updated the task description. (Show Details)Jul 18 2016, 8:31 AM
matmarex renamed this task from API action=parse&prop=headhtml leaks current user to third-party sites when used via JSONP to API action=parse&prop=headhtml leaks current user and their tokens to third-party sites when used via JSONP.Jul 18 2016, 3:11 PM
dpatrick added a subscriber: Staypos.Aug 22 2016, 11:32 PM
demon changed the visibility from "Custom Policy" to "Public (No Login Required)".Aug 23 2016, 1:23 AM
demon changed Security from Software security bug to None.
chasemp added a project: Security.Feb 10 2020, 10:55 PM
chasemp removed a project: acl*security.Feb 20 2020, 8:15 PM
Aklapper removed subscribers: dpatrick, Anomie.Oct 16 2020, 5:40 PM
suffusion_of_yellow mentioned this in T287542: API action=parse&prop=headhtml leaking user tokens and other private info in cross-origin requests (again).Jul 27 2021, 11:53 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits