Page MenuHomePhabricator
Create Task
Maniphest T197279

Direct POST to Special:ChangeEmail will bypass reauth check
Closed, ResolvedPublic
Actions

Description

CVE: CVE-2019-12468

It looks like User:Sundar was recently compromised via js.

Logs have something like:

  • At 2018-06-15T04:27:50 they get reauth error at botpassword
  • At 2018-06-15T04:27:51 they changed email at tawiki via Special:ChangeEmail

So it would look like attacker somehow bypassed the reauth stage to change the email. Need to investigate further

see T194204

Details

SubjectRepoBranchLines +/-
SECURITY: Fix reauth in Special:ChangeEmailmediawiki/coreREL1_33+4 -2
SECURITY: Fix reauth in Special:ChangeEmailmediawiki/coreREL1_32+4 -2
SECURITY: Fix reauth in Special:ChangeEmailmediawiki/coreREL1_31+4 -2
SECURITY: Fix reauth in Special:ChangeEmailmediawiki/coremaster+4 -2
SECURITY: Fix reauth in Special:ChangeEmailmediawiki/coreREL1_30+4 -2
SECURITY: Fix reauth in Special:ChangeEmailmediawiki/coreREL1_27+4 -2
Customize query in gerrit

Related Objects
Search...

Event Timeline

Bawolff created this task.Jun 15 2018, 6:42 AM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptJun 15 2018, 6:42 AM
Bawolff added a comment.Jun 15 2018, 7:10 AM
This comment was removed by Reedy.
Bawolff added a comment.Jun 15 2018, 7:42 AM

Also of interest, the url in the log is /w/index.php?title=Special:ChangeEmail despite it being at tawiki, where Special should have been translated. This suggests its directly posting to the page without following usual links.

Bawolff added a comment.Jun 15 2018, 7:44 AM

Also, note, the reauth log entry has the same id (WyNARgpAADoAAExxuzAAAABN) as the email changed log entry.

So maybe if you directly POST to special:Changeemail, the change will go through even if a reauth is needed?

Bawolff added a comment.Jun 15 2018, 7:51 AM

Confirmed direct post to Special:ChangeEmail will bypass the reauth workflow.

Bawolff renamed this task from Possible vulnerability in how Special:Emailuser does reauth to Direct POST to Special:ChangeEmail will bypass reauth check.Jun 15 2018, 7:52 AM
Bawolff added projects: MediaWiki-Core-AuthManager, MediaWiki-Special-pages, Vuln-Authn/Session, Vuln-DirectObjectReference.Jun 15 2018, 7:56 AM
Bawolff added a subscriber: Tgr.
MaxSem subscribed.Jun 15 2018, 8:12 AM

Am I the only one wondering why BotPasswords even allows using anything but api.php?

Bawolff added a comment.Jun 15 2018, 8:24 AM
In T197279#4287850, @MaxSem wrote:

Am I the only one wondering why BotPasswords even allows using anything but api.php?

Bot passwords does not allow using things other than API. Person first tried to add a bot password but failed, and then moved on to Special:ChangeEmail

Bawolff added a comment.EditedJun 15 2018, 8:26 AM

T197279.patch1 KBDownload

Bawolff added a comment.Jun 15 2018, 9:18 AM

[09:03] bawolff !log deploy patch T197279

Bawolff moved this task from Backlog / Other to Pending deployment / release on the acl*security board.Jun 15 2018, 9:18 AM
Reedy added a parent task: T205041: Tracking bug for 1.27.6/1.30.2/1.31.2/1.32.2 security release.Sep 21 2018, 6:14 PM
Bawolff added a comment.Sep 21 2018, 6:34 PM

Ok, it appears this got undeployed, as I accidentally put the patch in /srv/1.32.0-wmf.999/core/03-T197279.patch instead of the appropriate place, and that's how it got dropped. Redployed it today

Legoktm closed this task as Resolved.Oct 22 2018, 3:37 PM
Legoktm assigned this task to Bawolff.
Legoktm subscribed.

Closing this as there's a patch fixing it on Wikimedia sites. We'll make this public in the next MediaWiki security release.

Aklapper mentioned this in T209794: Need to make a limit of count of attempts to change email address.Nov 19 2018, 10:43 AM
Legoktm mentioned this in T205048: Obtain CVEs for 1.27.6/1.30.2/1.31.2/1.32.2 security releases.Apr 7 2019, 11:48 PM
Jdforrester-WMF subscribed.Apr 29 2019, 7:12 PM

Closing this as there's a patch fixing it on Wikimedia sites. We'll make this public in the next MediaWiki security release.

This still hasn't happened, 10 months after the patch was deployed to production. :-(

Aklapper reopened this task as Open.May 27 2019, 9:15 AM

@Legoktm: I am reopening this task because there is no patch merged in the MediaWiki codebase, if I understand correctly.

Reedy subscribed.May 27 2019, 1:25 PM
In T197279#5214082, @Aklapper wrote:

@Legoktm: I am reopening this task because there is no patch merged in the MediaWiki codebase, if I understand correctly.

That's what we normally do, to make it easier to keep track of the status of the subtasks... As we don't have a status (that's outwardly viewable) for like "done but not completely finished"

Reedy closed this task as Resolved.May 28 2019, 1:51 PM

Re-closing for ease of tracking above

Jdforrester-WMF added a comment.May 28 2019, 2:40 PM
In T197279#5216519, @Reedy wrote:

Re-closing for ease of tracking above

It'd be much easier if the tracking what was where was done on T205041, rather than mis-categorise this as Resolved when it isn't.

Reedy added a comment.May 28 2019, 2:41 PM
In T197279#5216680, @Jdforrester-WMF wrote:
In T197279#5216519, @Reedy wrote:

Re-closing for ease of tracking above

It'd be much easier if the tracking what was where was done on T205041, rather than mis-categorise this as Resolved when it isn't.

In the same way that we resolve bugs that are fixed in master, but not deployed in WMF production? ;)

Reedy mentioned this in T205041: Tracking bug for 1.27.6/1.30.2/1.31.2/1.32.2 security release.May 28 2019, 2:50 PM
Reedy mentioned this in T224499: RELEASE-NOTES for 1.27.6/1.30.2/1.31.2/1.32.2.May 29 2019, 12:32 AM
Reedy added a comment.May 29 2019, 12:58 PM

Ok, so this patch depends on https://github.com/wikimedia/mediawiki/commit/3617c982c9db793515818e1468fa827ae5880358 (which wasn't in REL1_27, but was backported) and also https://github.com/wikimedia/mediawiki/commit/bfc4e41636aca33b943f8522024bd9f8eeac1977 (which isn't in REL1_31 or before)

Going to do some supporting backports now :)

Reedy changed the visibility from "Custom Policy" to "Public (No Login Required)".Jun 6 2019, 4:00 PM
gerritbot added a comment.Jun 6 2019, 4:06 PM

Change 514762 had a related patch set uploaded (by Reedy; owner: Brian Wolff):
[mediawiki/core@REL1_27] SECURITY: Fix reauth in Special:ChangeEmail

https://gerrit.wikimedia.org/r/514762

gerritbot added a project: Patch-For-Review.Jun 6 2019, 4:06 PM

Change 514762 merged by Reedy:
[mediawiki/core@REL1_27] SECURITY: Fix reauth in Special:ChangeEmail

https://gerrit.wikimedia.org/r/514762

gerritbot added a comment.Jun 6 2019, 4:08 PM

Change 514773 had a related patch set uploaded (by Reedy; owner: Brian Wolff):
[mediawiki/core@REL1_30] SECURITY: Fix reauth in Special:ChangeEmail

https://gerrit.wikimedia.org/r/514773

gerritbot added a comment.Jun 6 2019, 4:08 PM

Change 514773 merged by Reedy:
[mediawiki/core@REL1_30] SECURITY: Fix reauth in Special:ChangeEmail

https://gerrit.wikimedia.org/r/514773

ReleaseTaggerBot added projects: MW-1.27-release-notes, MW-1.30-release-notes.Jun 6 2019, 5:00 PM
gerritbot added a comment.Jun 6 2019, 6:26 PM

Change 514753 merged by jenkins-bot:
[mediawiki/core@master] SECURITY: Fix reauth in Special:ChangeEmail

https://gerrit.wikimedia.org/r/514753

ReleaseTaggerBot added a project: MW-1.34-notes (1.34.0-wmf.10; 2019-06-18).Jun 6 2019, 7:00 PM
gerritbot added a comment.Jun 6 2019, 7:02 PM

Change 514849 had a related patch set uploaded (by Reedy; owner: Brian Wolff):
[mediawiki/core@REL1_31] SECURITY: Fix reauth in Special:ChangeEmail

https://gerrit.wikimedia.org/r/514849

gerritbot added a comment.Jun 6 2019, 8:37 PM

Change 514849 merged by jenkins-bot:
[mediawiki/core@REL1_31] SECURITY: Fix reauth in Special:ChangeEmail

https://gerrit.wikimedia.org/r/514849

gerritbot added a comment.Jun 6 2019, 8:51 PM

Change 514949 had a related patch set uploaded (by Reedy; owner: Brian Wolff):
[mediawiki/core@REL1_32] SECURITY: Fix reauth in Special:ChangeEmail

https://gerrit.wikimedia.org/r/514949

ReleaseTaggerBot added a project: MW-1.31-release-notes.Jun 6 2019, 9:00 PM
gerritbot added a comment.Jun 6 2019, 10:14 PM

Change 514949 merged by jenkins-bot:
[mediawiki/core@REL1_32] SECURITY: Fix reauth in Special:ChangeEmail

https://gerrit.wikimedia.org/r/514949

ReleaseTaggerBot added a project: MW-1.32-notes.Jun 6 2019, 11:00 PM
gerritbot added a comment.Jun 6 2019, 11:01 PM

Change 514973 had a related patch set uploaded (by Reedy; owner: Brian Wolff):
[mediawiki/core@REL1_33] SECURITY: Fix reauth in Special:ChangeEmail

https://gerrit.wikimedia.org/r/514973

gerritbot added a comment.Jun 6 2019, 11:37 PM

Change 514973 merged by jenkins-bot:
[mediawiki/core@REL1_33] SECURITY: Fix reauth in Special:ChangeEmail

https://gerrit.wikimedia.org/r/514973

ReleaseTaggerBot added a project: MW-1.33-notes.Jun 7 2019, 12:01 AM
Reedy updated the task description. (Show Details)Jun 17 2019, 5:31 PM
Reedy added a comment.Jun 17 2019, 5:38 PM

Anyone know offhand how long this was an issue for?

I'm guessing it's since at least the rewrite to use authmanager in I8b52ec8ddf494f23941807638f149f15b5e46b0c / 3617c982c9db793515818e1468fa827ae5880358 but might be potentially longer (I can't see anything offhand in the change that specifically changed that behaviour)

sbassett moved this task from Pending deployment / release to Done on the acl*security board.Sep 26 2019, 2:29 PM
chasemp added a project: Security.Feb 10 2020, 10:52 PM
chasemp removed a project: acl*security.Feb 20 2020, 8:12 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL