Page MenuHomePhabricator
Create Task
Maniphest T150115

MediaWiki does not warn or error when wgServer does not match httpd.conf ServerName
Open, Needs TriagePublic
Actions

Description

Here's a piece of goodness that has plagued us for the longest time...

Our httpd.conf looked similar to so:

# cat /etc/httpd/conf/httpd.conf | sed '/^[[:space:]]*#/d' | sed '/^\s*$/d'
ServerRoot "/etc/httpd"
Listen 80
Include conf.modules.d/*.conf
User apache
Group apache
ServerAdmin webmaster@cryptopp.com
ServerName www.cryptopp.com:80
...
<VirtualHost *:80>
    ServerName www.cryptopp.com
    ServerAlias *.cryptopp.com *.cryptopp.* cryptopp.com
</VirtualHost>
<VirtualHost *:443>
    ServerName www.cryptopp.com
    ServerAlias *.cryptopp.com *.cryptopp.* cryptopp.com
</VirtualHost>

Our LocalSettings.php used protocol agnostic URLs like so:

# cat /var/www/html/w/LocalSettings.php | sed '/^[[:space:]]*#/d' | sed '/^\s*$/d'
<?php
if( defined( 'MW_INSTALL_PATH' ) ) {
	$IP = MW_INSTALL_PATH;
} else {
	$IP = dirname( __FILE__ );
}
...
# Notice cryptopp.com vs www.cryptopp.com
$wgServer           = "//cryptopp.com";
$wgSitename         = "Crypto++ Wiki";
$wgSecureLogin = true;
$wgCookieHttpOnly = true;
$wgCookieSecure = "detect";
...

Whenever we tried to Logon through the wiki, it would take two tries for unexplained reasons. We searched through all the log files, and never encounter one squawk. I sem to recall it started when I added this to LocalSettings.php, but it may have been a sumptom to the deeper problem:

$wgSecureLogin = true;
$wgCookieHttpOnly = true;
$wgCookieSecure = "detect";

Today we enabled a mod_rewrite rule to rewrite _all_ HTTP to HTTPS. This is due to Chrome's upcoming change of displaying any site in HTTP as insecure. Also see https://www.wired.com/2016/11/googles-chrome-hackers-flip-webs-security-model/. Here's what the change looked like:

<VirtualHost *:80>
    ServerName www.cryptopp.com
    ServerAlias *.cryptopp.com *.cryptopp.* cryptopp.com
    # https://wiki.apache.org/httpd/RewriteHTTPToHTTPS
    <IfModule mod_rewrite.c>
       RewriteEngine On
       RewriteCond %{HTTPS} !=on
       RewriteRule ^/?(.*) https://%{SERVER_NAME}/$1 [L,R]
    </IfModule>
</VirtualHost>
<VirtualHost *:443>
    ServerName www.cryptopp.com
    ServerAlias *.cryptopp.com *.cryptopp.* cryptopp.com
</VirtualHost>

The mod_rewrite completely broke wiki logons. We would visit the logon page, it would show HTTPS in the URL bar, but MediaWiki would display a message "Use Secure Logon" (IIRC), and the logon process would loop me back to the logon page without an actual login. Again, we would check the logs and there was nothing mentioned.

When we changed $wgServer to www.cryptopp.com, then everything worked as expected.

In the bigger picture, the problems above are (1) we were set to "warn" level, but no warnings or errors were logged. (2) None of us are Wiki admins or even admins in our day job. I realize there's nothing you can do for our inexperience. (3) We wasted countless hours on it over the last 18 months trying to figure out the double logon problem. Today we had to find the fix due to the mod_rewirte, and we spent 11 hours on it today alone. That likely means 10's to 100's of thousands of hours will be wasted around the world. (4) Many folks will avoid the secure state or better security posture because the problem is difficult to diagnose and fix. (5) Its hard to find a canonical answer as a reference. Typically, the usual Stack Overflow fodder shows up. I relaize there's nothing you can do for bad answers sprayed around the web.

Please start logging problems like ServerName != wgServer at "warn" level and above. It will save developers around the world untold pain and suffering, and it will improve the security posture for a number of sites. The improvement will come when the cause and fix become easy to diagnose.

Event Timeline

Noloader created this task.Nov 6 2016, 3:56 AM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptNov 6 2016, 3:56 AM
Noloader updated the task description. (Show Details)Nov 6 2016, 3:59 AM
Noloader updated the task description. (Show Details)
Krenair subscribed.Nov 6 2016, 4:06 AM

We have ServerName wikipedia and ServerAlias *.wikipedia.org with wgServer taking the format //$lang.wikipedia.org, and I don't think I've seen this problem occur.

Krenair added a project: MediaWiki-General.Nov 6 2016, 4:07 AM
Noloader updated the task description. (Show Details)Nov 6 2016, 4:11 AM
Noloader updated the task description. (Show Details)Nov 6 2016, 4:25 AM
Noloader added a comment.EditedNov 6 2016, 4:43 AM
In T150115#2774360, @Krenair wrote:

We have ServerName wikipedia and ServerAlias *.wikipedia.org with wgServer taking the format //$lang.wikipedia.org, and I don't think I've seen this problem occur.

Thanks Krenair .

If interested, here is more information on our configuration. We are renting a CentOS 7 VM with Platform as a Service (PaaS). Its single occupancy, so we are the only site hosted on it.

# uname -a
Linux ftpit 2.6.32-042stab120.6 #1 SMP Thu Oct 27 16:59:03 MSK 2016 x86_64 x86_64 x86_64 GNU/Linux

# httpd -v
Server version: Apache/2.4.6 (CentOS)
Server built:   Jul 18 2016 15:30:14

# php -v
PHP 5.4.16 (cli) (built: Aug 11 2016 21:24:59) 
Copyright (c) 1997-2013 The PHP Group
Zend Engine v2.4.0, Copyright (c) 1998-2013 Zend Technologies
    with XCache v3.1.1, Copyright (c) 2005-2014, by mOo
    with XCache Optimizer v3.1.1, Copyright (c) 2005-2014, by mOo
    with XCache Cacher v3.1.1, Copyright (c) 2005-2014, by mOo
    with XCache Coverager v3.1.1, Copyright (c) 2005-2014, by mOo

# cat /var/log/httpd/error_log | grep ModSecurity
...
[Sun Nov 06 00:26:37.876650 2016] [:notice] [pid 26563] ModSecurity for Apache/2.7.3 (http://www.modsecurity.org/) configured.
[Sun Nov 06 00:26:37.876659 2016] [:notice] [pid 26563] ModSecurity: APR compiled version="1.4.8"; loaded version="1.4.8"
[Sun Nov 06 00:26:37.876663 2016] [:notice] [pid 26563] ModSecurity: PCRE compiled version="8.32 "; loaded version="8.32 2012-11-30"
[Sun Nov 06 00:26:37.876666 2016] [:notice] [pid 26563] ModSecurity: LUA compiled version="Lua 5.1"
[Sun Nov 06 00:26:37.876668 2016] [:notice] [pid 26563] ModSecurity: LIBXML compiled version="2.9.1"

We attempt to follow nearly every "PHP Hardening" and "MediaWiki Hardening" we can find. I think we are somewhat unusual (but not unique) in our firmer security posture.

I can send over any information you'd like, like our ModSecurity configuration.

Noloader added a comment.EditedNov 7 2016, 2:16 AM

After thinking about this, this is a Same Origin violation in the browser. In our case these origins were different from SOP's point of view:

  • cryptopp.com
  • www.cryptopp.com

In MediaWIki's case, these origins are the same from SOP's point of view (for example, with * = en or ko, etc):

  • *.wikipedia.org
  • $lang.wikipedia.org

This is one of those ugly interactions. I don't thin its a MW bug *per se*, but its a strong candidate for an enhancement. I hope MediaWiki takes the opportunity and logs a warning somewhere to help others.

The reason we exhausted so much time on it was because we were looking in the wrong places. We methodically went through each hardening step taken for PHP and ModSecurity. We finally hit upon the cause when we started testing LocalSettings.php. If we worked the LocalSettings.php angle first, then we likely would have found it in a couple of hours with trial-and-error.

A quick search of the web is *not* revealing copy/paste PHP code to test for SOP violations for two different sites or URLs.

Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits