
TimedMediaHandler doesn't prevent blocked users from restarting transcodes (CVE-2022-28211)
Closed, Resolved · Public

Description

TMH intentionally won't let bots execute transcodes, but this seems to be a rather bad oversight.

Reported by @Revent.

Event Timeline

I had emailed Brion about this, after a mention on IRC.

A client logged in through the API via a 'botpassword' cannot reset transcodes... it requires a client login.

However, and this is the problem, a blocked user CAN use the API to reset transcodes... this leaves open the potential for a problematic DoS attack, by resetting them en masse for no reason.

dpatrick renamed this task from TMH doesn't prevent blocked users from restarting transcodes to TimedMediaHandler doesn't prevent blocked users from restarting transcodes. Mar 21 2017, 8:34 PM
dpatrick triaged this task as Medium priority.
dpatrick added a project: Vuln-DoS.
Reedy added subscribers: Dylsss, MarcoAurelio.

From T296764, resetting a transcode creates a public log of that action:

If a user is blocked and suppressed, the user can continue to abusively create public logs with that suppressed username, essentially leaking suppressed data.

Also since the transcode-reset right is part of the implicit autoconfirmed group, I don't think there would be any way for local sysops to prevent possible abuse (by removing the right).

Is the below patch ok?

@brion: Could you review the patch (or have an idea who could review the patch)? Thanks.

Code-Review-1

The permissions check needs to go after // Make sure we have a valid Title so we know $titleObj isn't null. Otherwise LGTM (though untested so far)
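The two points raised in this thread, that a blocked account kept the transcode-reset right because it comes from the implicit autoconfirmed group, and that the permission check has to run only after the title has been validated, can be shown with a small model of the API module's authorization order. This is an added example, not TimedMediaHandler's code; User, Title, TranscodeStore, parse_title, user_can and the two reset_transcode_* functions are illustrative stand-ins for the MediaWiki classes, and the sample users and titles are constructed.

```python
# Added example: a model of the authorization order for a transcode-reset
# API call. Not TimedMediaHandler's own code; all names here are illustrative.
from dataclasses import dataclass
from typing import Optional

# Which groups grant which rights. As the thread notes, transcode-reset comes
# from the implicit autoconfirmed group, so a local sysop cannot remove it;
# the block status has to be checked separately from the right.
RIGHTS_BY_GROUP = {
    "autoconfirmed": {"transcode-reset"},
}


@dataclass
class User:
    name: str
    groups: set
    blocked: bool = False      # sitewide block
    suppressed: bool = False   # username hidden from public view


@dataclass
class Title:
    namespace: str
    text: str


def parse_title(raw: str) -> Optional[Title]:
    """Stand-in for Title::newFromText(): returns None for an invalid title."""
    raw = raw.strip()
    if ":" not in raw:
        return None
    ns, _, text = raw.partition(":")
    if ns != "File" or not text:
        return None
    return Title(ns, text)


def has_right(user: User, right: str) -> bool:
    """Group-derived right only; says nothing about blocks."""
    return any(right in RIGHTS_BY_GROUP.get(g, set()) for g in user.groups)


def user_can(user: User, right: str, title: Title) -> bool:
    """Stand-in for a userCan()-style check: a blocked user may do nothing to
    any page, whatever rights their groups grant. It reads the title, so it
    must only be called once the title is known to be valid (not None)."""
    if title.namespace != "File":
        return False
    if user.blocked:
        return False
    return has_right(user, right)


class TranscodeStore:
    def __init__(self) -> None:
        self.queued = []
        self.public_log = []   # (actor name, title) visible to everyone

    def reset(self, user: User, title: Title) -> None:
        self.queued.append(title.text)
        self.public_log.append((user.name, title.text))


def reset_transcode_vulnerable(store: TranscodeStore, user: User, raw_title: str) -> str:
    """Before the fix: only the group right is consulted, blocks are ignored."""
    title = parse_title(raw_title)
    if title is None:
        return "invalidtitle"
    if not has_right(user, "transcode-reset"):
        return "permissiondenied"
    store.reset(user, title)
    return "ok"


def reset_transcode_fixed(store: TranscodeStore, user: User, raw_title: str) -> str:
    """After the fix: validate the title first, refuse blocked users, then run
    the title-aware permission check, and only then act (and log)."""
    title = parse_title(raw_title)
    if title is None:
        return "invalidtitle"
    if user.blocked:
        return "blocked"
    if not user_can(user, "transcode-reset", title):
        return "permissiondenied"
    store.reset(user, title)
    return "ok"


if __name__ == "__main__":
    vandal = User("Vandal", {"user", "autoconfirmed"}, blocked=True, suppressed=True)
    before, after = TranscodeStore(), TranscodeStore()
    for clip in ("File:A.webm", "File:B.webm", "File:C.webm"):
        reset_transcode_vulnerable(before, vandal, clip)
        reset_transcode_fixed(after, vandal, clip)
    print("before fix, public log:", before.public_log)
    print("after fix, public log: ", after.public_log)
```

Running the block shows the two consequences described above: with the old order a blocked (and suppressed) account queues every reset and its name lands in the public log, while the fixed order rejects the request before anything is queued or logged. The model's user_can() deliberately dereferences the title, which is why the title check sits before it.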

sbassett added a subscriber: sbassett.

New patch that places the permissions check after the title check per @Legoktm:


If this looks good, we can get this deployed to wikimedia production and tracked soon.

Deployed the following patch (basically the same as the one above, but with some extraneous whitespace removed):


No obvious errors, not that there would be, right away. Quickly testing with a newly-created account that isn't autoconfirmed, I don't see the Reset Transcodes links for various video media, so I assume this is working. If someone would like to test a bit more that would be great. Anyhow, now tracking at T276237 and T297839.

Mstyles renamed this task from TimedMediaHandler doesn't prevent blocked users from restarting transcodes to TimedMediaHandler doesn't prevent blocked users from restarting transcodes (CVE-2022-28211). Mar 31 2022, 5:42 PM
Mstyles closed this task as Resolved.
Mstyles claimed this task.
Mstyles moved this task from Watching to Our Part Is Done on the Security-Team board.
Mstyles changed the visibility from "Custom Policy" to "Public (No Login Required)". Mar 31 2022, 5:47 PM

Change 776014 had a related patch set uploaded (by Mstyles; author: Dylsss):

[mediawiki/extensions/TimedMediaHandler@master] SECURITY: Disallow blocked users from resetting transcodes

https://gerrit.wikimedia.org/r/776014

Change 775940 had a related patch set uploaded (by Mstyles; author: Dylsss):

[mediawiki/extensions/TimedMediaHandler@REL1_35] SECURITY: Disallow blocked users from resetting transcodes

https://gerrit.wikimedia.org/r/775940

Change 775941 had a related patch set uploaded (by Mstyles; author: Dylsss):

[mediawiki/extensions/TimedMediaHandler@REL1_36] SECURITY: Disallow blocked users from resetting transcodes

https://gerrit.wikimedia.org/r/775941

Change 775942 had a related patch set uploaded (by Mstyles; author: Dylsss):

[mediawiki/extensions/TimedMediaHandler@REL1_37] SECURITY: Disallow blocked users from resetting transcodes

https://gerrit.wikimedia.org/r/775942

Change 776014 merged by jenkins-bot:

[mediawiki/extensions/TimedMediaHandler@master] SECURITY: Disallow blocked users from resetting transcodes

https://gerrit.wikimedia.org/r/776014

Yeah we just plum forgot to fix this. :) It's an irksome DoS vector though, so good to fix! Merged the patch to master; I'm leaving the branch patches until someone's ready to deploy.

Hey @brion - where were you looking to deploy these? Are there external mediawiki installations we should look at? Per the comment above (T160800#7775935), this patch has been on Wikimedia production releases since March 14th, 2022. And should now fall off for 1.39.0-wmf.6 since it was merged to master. And we'll (re-)announce the issue to the community with the next supplemental security release (T297839), due out, hopefully, tomorrow.

Change 775942 merged by jenkins-bot:

[mediawiki/extensions/TimedMediaHandler@REL1_37] SECURITY: Disallow blocked users from resetting transcodes

https://gerrit.wikimedia.org/r/775942

Change 775941 merged by jenkins-bot:

[mediawiki/extensions/TimedMediaHandler@REL1_36] SECURITY: Disallow blocked users from resetting transcodes

https://gerrit.wikimedia.org/r/775941

Change 775940 merged by jenkins-bot:

[mediawiki/extensions/TimedMediaHandler@REL1_35] SECURITY: Disallow blocked users from resetting transcodes

https://gerrit.wikimedia.org/r/775940