Page MenuHomePhabricator
Create Task
Maniphest T165846

BotPasswords doesn't throttle login attempts
Closed, ResolvedPublic
Actions

Assigned To
Anomie
Authored By
Anomie
May 20 2017, 9:11 AM
Tags
Referenced Files
F10722305: 0002-T165846-REL1_29.patch
Nov 11 2017, 1:19 AM
F10722306: 0002-T165846-REL1_28.patch
Nov 11 2017, 1:19 AM
F10720207: 0002-T165846-REL1_28.patch
Nov 10 2017, 10:20 PM
F10578673: 0002-T165846-REL1_29.patch
Nov 2 2017, 11:59 PM
F10578670: 0002-T165846-master.patch
Nov 2 2017, 11:59 PM
F10578671: 0002-T165846-REL1_27.patch
Nov 2 2017, 11:59 PM
F10578672: 0002-T165846-REL1_30.patch
Nov 2 2017, 11:59 PM
F8130912: 0001-SECURITY-Add-throttling-for-BotPasswords-authenticat.patch
May 20 2017, 9:15 AM
Subscribers
Aklapper
Bawolff
gerritbot
Reedy

Description

In looking at T165803: Login API shouldn't lock you out in case you make too many correct logins I realized that BotPasswords doesn't do any login throttling.

The only caller is ApiLogin, and all code paths there currently will also call AuthManager, which by default will do throttling. But that throttling only occurs after the BotPassword login is attempted, so an attacker could ignore the throttling messages to keep attempting to attack a BotPassword.

Details

SubjectRepoBranchLines +/-
SECURITY: Add throttling for BotPasswords authentication attemptsmediawiki/corewmf/1.31.0-wmf.8+19 -2
SECURITY: Add throttling for BotPasswords authentication attemptsmediawiki/coremaster+19 -2
SECURITY: Add throttling for BotPasswords authentication attemptsmediawiki/corefundraising/REL1_27+21 -2
SECURITY: Add throttling for BotPasswords authentication attemptsmediawiki/coreREL1_27+20 -2
SECURITY: Add throttling for BotPasswords authentication attemptsmediawiki/coreREL1_30+20 -2
SECURITY: Add throttling for BotPasswords authentication attemptsmediawiki/coreREL1_29+20 -2
SECURITY: Add throttling for BotPasswords authentication attemptsmediawiki/coreREL1_28+20 -2
Customize query in gerrit

Related Objects
Search...

Event Timeline

Anomie created this task.May 20 2017, 9:11 AM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptMay 20 2017, 9:11 AM
Anomie claimed this task.May 20 2017, 9:12 AM
Anomie added a project: MediaWiki-Core-AuthManager.
Anomie added a project: Patch-For-Review.May 20 2017, 9:15 AM

0001-SECURITY-Add-throttling-for-BotPasswords-authenticat.patch3 KBDownload

dpatrick triaged this task as Medium priority.May 30 2017, 9:12 PM
Bawolff subscribed.Jun 5 2017, 9:15 PM
In T165846#3278351, @Anomie wrote:

0001-SECURITY-Add-throttling-for-BotPasswords-authenticat.patch3 KBDownload

Reviewed. Looks good.

The fact that the normal throttle is still totally independent of the botpassword throttle (That is, you can be unthrottled for a botpassword login but throttled for a normal login) is a little bit weird, but I think its fine.

Bawolff moved this task from Backlog / Other to Pending deployment / release on the acl*security board.Jun 5 2017, 9:36 PM

I deployed this patch at 21:30 June 5.

Anomie added a comment.Jun 6 2017, 1:29 AM
In T165846#3316534, @Bawolff wrote:

The fact that the normal throttle is still totally independent of the botpassword throttle (That is, you can be unthrottled for a botpassword login but throttled for a normal login) is a little bit weird, but I think its fine.

Well, the other way around would have either meant each login attempt would increment the throttle twice or we'd have to introduce some deeply weird communication in there to tell AuthManager not to increment the throttle after all.

Bawolff added a parent task: T168823: Tracking bug for 1.27.4/1.28.3/1.29.2 security releases.Jun 28 2017, 1:22 PM
Reedy mentioned this in T168823: Tracking bug for 1.27.4/1.28.3/1.29.2 security releases.Nov 2 2017, 7:41 PM
Reedy mentioned this in T179609: Obtain CVE's for 1.27.4/1.29.2 security releases.Nov 2 2017, 10:49 PM
Reedy subscribed.Nov 2 2017, 11:59 PM

0002-T165846-REL1_29.patch3 KBDownload

0002-T165846-REL1_30.patch3 KBDownload

0002-T165846-REL1_27.patch3 KBDownload

0002-T165846-master.patch3 KBDownload

Reedy added a comment.Nov 10 2017, 10:20 PM
This comment was removed by Reedy.
Reedy added a comment.Nov 11 2017, 1:19 AM

0002-T165846-REL1_28.patch3 KBDownload

0002-T165846-REL1_29.patch3 KBDownload

Reedy closed this task as Resolved.Nov 13 2017, 4:18 PM

Closes as resolved (due to patches existing, and backports having been made), for ease of tracking in parent bugs

Reedy changed the visibility from "Custom Policy" to "Public (No Login Required)".Nov 15 2017, 12:01 AM
Reedy removed a project: Patch-For-Review.
gerritbot subscribed.Nov 15 2017, 12:03 AM

Change 391418 had a related patch set uploaded (by Reedy; owner: Anomie):
[mediawiki/core@REL1_30] SECURITY: Add throttling for BotPasswords authentication attempts

https://gerrit.wikimedia.org/r/391418

gerritbot added a project: Patch-For-Review.Nov 15 2017, 12:03 AM

Change 391418 merged by Reedy:
[mediawiki/core@REL1_30] SECURITY: Add throttling for BotPasswords authentication attempts

https://gerrit.wikimedia.org/r/391418

gerritbot added a comment.Nov 15 2017, 12:24 AM

Change 391434 had a related patch set uploaded (by Ejegg; owner: Anomie):
[mediawiki/core@fundraising/REL1_27] SECURITY: Add throttling for BotPasswords authentication attempts

https://gerrit.wikimedia.org/r/391434

gerritbot added a comment.Nov 15 2017, 12:56 AM

Change 391434 merged by Ejegg:
[mediawiki/core@fundraising/REL1_27] SECURITY: Add throttling for BotPasswords authentication attempts

https://gerrit.wikimedia.org/r/391434

gerritbot added a comment.Nov 15 2017, 12:59 AM

Change 391448 had a related patch set uploaded (by Reedy; owner: Anomie):
[mediawiki/core@master] SECURITY: Add throttling for BotPasswords authentication attempts

https://gerrit.wikimedia.org/r/391448

ReleaseTaggerBot added projects: MW-1.30-release-notes, MW-1.29-release-notes.Nov 15 2017, 1:01 AM
gerritbot added a comment.Nov 15 2017, 1:18 AM

Change 391448 merged by jenkins-bot:
[mediawiki/core@master] SECURITY: Add throttling for BotPasswords authentication attempts

https://gerrit.wikimedia.org/r/391448

ReleaseTaggerBot added a project: MW-1.31-release-notes (WMF-deploy-2017-11-28 (1.31.0-wmf.10)).Nov 15 2017, 2:00 AM
gerritbot added a comment.Nov 15 2017, 10:34 PM

Change 391709 had a related patch set uploaded (by Chad; owner: Anomie):
[mediawiki/core@wmf/1.31.0-wmf.8] SECURITY: Add throttling for BotPasswords authentication attempts

https://gerrit.wikimedia.org/r/391709

gerritbot added a comment.Nov 15 2017, 11:02 PM

Change 391709 merged by jenkins-bot:
[mediawiki/core@wmf/1.31.0-wmf.8] SECURITY: Add throttling for BotPasswords authentication attempts

https://gerrit.wikimedia.org/r/391709

ReleaseTaggerBot edited projects, added MW-1.31-release-notes (WMF-deploy-2017-11-14 (1.31.0-wmf.8)); removed MW-1.31-release-notes (WMF-deploy-2017-11-28 (1.31.0-wmf.10)).Nov 16 2017, 12:01 AM
sbassett moved this task from Pending deployment / release to Done on the acl*security board.Sep 26 2019, 2:33 PM
chasemp added a project: Security.Feb 10 2020, 10:58 PM
chasemp removed a project: acl*security.Feb 20 2020, 8:17 PM
Aklapper removed a subscriber: Anomie.Oct 16 2020, 5:42 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL