
API action=parse&prop=headhtml leaks current user and their tokens to third-party sites when used via JSONP
Closed, Resolved. Public

Description

https://en.wikipedia.org/w/api.php?action=parse&page=Project:Sandbox&prop=headhtml&format=json&callback=foo includes data like wgUserName and private user settings (mw.user.options.set) when you are logged in. Instead it should (like https://en.wikipedia.org/w/api.php?action=parse&text=~~~~&pst&format=json&callback=foo does) treat the user as anon, when in JSONP mode (i.e. when the callback parameter is present).

Patches

1.27:
1.26:
1.23:

Event Timeline

Schnark created this task. Jul 7 2016, 8:51 AM
Restricted Application added a subscriber: Aklapper. Jul 7 2016, 8:51 AM
Anomie added a subscriber: Anomie. Jul 7 2016, 2:34 PM

This appears to be fixed by https://gerrit.wikimedia.org/r/#/c/297789/, which was already submitted to fix T139565.

dpatrick triaged this task as High priority. Jul 7 2016, 8:19 PM
dpatrick added a project: Vuln-Infoleak.

I merged Anomie's patch and will deploy it during/after today's evening SWAT window.

[17:27:28] <logmsgbot> !log dereckson@tin Synchronized php-1.28.0-wmf.9/includes/api/ApiParse.php: API: Generate head items in the context of the given title (T139565) (duration: 00m 30s)

I'll leave it to someone from Security-Team to mark this as resolved.

matmarex added a subscriber: matmarex.

This is worse than just a data leak (Vuln-Infoleak). The returned data (testing on my local wiki, before the patch) included the mw.user.tokens.set call with the CSRF token, so this essentially allowed for bypassing CSRF protection in almost all forms across the wiki.
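The leak described in the task description and in matmarex's comment above, modelled as a short added example (not MediaWiki's own code): a toy `api_parse` that, when a `callback` parameter is present, renders the head items for an anonymous user instead of the session user, plus a `leaks_user_data` regression check that unwraps a JSON or JSONP body and looks for per-user markers. The session dicts, token value and function names are constructed placeholders.

```python
import json
import re

# Constructed stand-ins for an anonymous and a logged-in session
# (placeholder values, not real MediaWiki data).
ANON = {"name": None, "options": {}, "csrf_token": None}
LOGGED_IN = {"name": "ExampleUser", "options": {"skin": "vector"},
             "csrf_token": "0123456789abcdef0123456789abcdef"}

# Markers that should never appear in a response any third-party site can read.
SENSITIVE = ("mw.user.tokens.set", "mw.user.options.set", '"wgUserName":"')


def build_head_items(user):
    """Mimic the inline <script> a page head carries: config vars,
    user options and the CSRF token of the *given* user."""
    if user["name"] is None:
        return '<script>mw.config.set({"wgUserName":null});</script>'
    return ('<script>mw.config.set({"wgUserName":%s});'
            'mw.user.options.set(%s);'
            'mw.user.tokens.set({"csrfToken":"%s"});</script>'
            % (json.dumps(user["name"]), json.dumps(user["options"]),
               user["csrf_token"]))


def api_parse(params, session_user, fixed=True):
    """Toy model of action=parse&prop=headhtml. A JSONP response (callback
    present) can be loaded cross-origin by any page via <script src>, so the
    fixed path renders the head items for an anonymous user instead."""
    is_jsonp = "callback" in params
    user = ANON if (fixed and is_jsonp) else session_user
    body = json.dumps({"parse": {"headhtml": build_head_items(user)}})
    if not is_jsonp:
        return body
    if not re.fullmatch(r"[A-Za-z_$][\w$.]*", params["callback"]):
        raise ValueError("invalid callback name")
    return "/**/%s(%s)" % (params["callback"], body)


def leaks_user_data(response):
    """Regression check: unwrap a JSON or JSONP body and report whether the
    headhtml still carries per-user config, options or tokens."""
    m = re.fullmatch(r"(?:/\*\*/)?[\w$.]+\((.*)\)", response, re.S)
    payload = json.loads(m.group(1) if m else response)
    head = payload["parse"]["headhtml"]
    return any(marker in head for marker in SENSITIVE)
```

The plain JSON path (no `callback`) is same-origin only, so per-user data there is expected; the check is meant for the JSONP path.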

Bawolff closed this task as Resolved. Jul 18 2016, 7:50 AM
Bawolff removed Bawolff as the assignee of this task.
Bawolff added a subscriber: Bawolff.

Marking as resolved since patch was deployed.

Bawolff updated the task description. Jul 18 2016, 8:31 AM
matmarex renamed this task from "API action=parse&prop=headhtml leaks current user to third-party sites when used via JSONP" to "API action=parse&prop=headhtml leaks current user and their tokens to third-party sites when used via JSONP". Jul 18 2016, 3:11 PM
demon changed the visibility from "Custom Policy" to "Public (No Login Required)". Aug 23 2016, 1:23 AM
demon changed Security from Software security bug to None.