Page MenuHomePhabricator
Create Task
Maniphest T210791

The origin param in the Action API exposes intranet installs to any web page
Closed, DeclinedPublic
Actions

Description

Problem
Since the CORS header can be set with an API param, that means a site can make a request to an intranet site and it will work.

Example:
I have a MediaWiki install setup at 192.168.1.1 and it is only accessible on the local network. I visit https://example.com and that website makes an XHR request to http://192.168.1.1. and sets the origin param to *. This allows example.com to read everything on my wiki that was only accessible over the local network.

Solution
The origin parameter should be removed and the configuration should be global (i.e. for all requests) and set in LocalSettings.php For Wikimedia Wikis, see T210790

Alternative Solution
One could argue that the intranet site is exposed to any client application, and therefor, is not a problem. If that is the case, then the origin parameter is useless and should be removed and all requests should have Access-Control-Allow-Origin: *

Related Objects

Event Timeline

dbarratt created this task.Nov 29 2018, 9:41 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptNov 29 2018, 9:41 PM
dbarratt added a project: MediaWiki-Action-API.Nov 29 2018, 9:42 PM
dbarratt added subscribers: aezell, Tchanders, Mooeypoo, dmaza.
dbarratt updated the task description. (Show Details)Nov 29 2018, 9:46 PM
sbassett subscribed.Nov 29 2018, 9:53 PM
Bawolff subscribed.Nov 30 2018, 12:13 AM

Hmmm.

On one hand, I kind of feel like its a browser issue - Should they really allow globally routed internet apps make requests to private IP space intranet app. But that's probably kind of impossible.

I think that people who want private version of mediawiki should ensure that anon users do not have read rights.

That said, maybe we should disable origin=* if $wgServer is a private IP address.

dbarratt added a comment.Nov 30 2018, 4:08 AM
In T210791#4787819, @Bawolff wrote:

On one hand, I kind of feel like its a browser issue - Should they really allow globally routed internet apps make requests to private IP space intranet app. But that's probably kind of impossible.

That's the purpose of the same-origin policy. Our software is providing an exception to that policy.

dbarratt updated the task description. (Show Details)Nov 30 2018, 4:14 AM
dbarratt added a comment.Nov 30 2018, 4:23 AM

In fact, we're allowing the client to make that exception, which makes the setting pointless. If we set Access-Control-Allow-Origin: * on every request, we'd have the same thing we have now (as far as I can tell).

I for one, am in favor of doing that, but regardless, the client should not be allowed to make an exception to the same-origin policy for itself.

Bawolff added a comment.Nov 30 2018, 5:00 AM
In T210791#4788124, @dbarratt wrote:
In T210791#4787819, @Bawolff wrote:

On one hand, I kind of feel like its a browser issue - Should they really allow globally routed internet apps make requests to private IP space intranet app. But that's probably kind of impossible.

That's the purpose of the same-origin policy. Our software is providing an exception to that policy.

I think its debatable if access control to intranet sites is really in the threat model of the same origin policy (for example, consider https://en.wikipedia.org/wiki/DNS_rebinding attacks more generally). [Of course, at some point that doesn't matter. We have to deal with the consequences regardless]

I would also say that configuring mediawiki to allow full read access without logging in, and then try and restrict mediawiki solely by placing it on an internal network, is probably not exactly best practise. There are probably other attacks possible here even without CORS (e.g. Cause mediawiki to do something with a secret via a cross origin write (SOP only prevents reads not writes), and then try and leak it through some sort of caching side channel. I'm sure a dedicated attacker could find some way to do this in a scenario when all users have full read access but MW is in private network).

dbarratt added a comment.Nov 30 2018, 5:20 AM
In T210791#4788142, @Bawolff wrote:

I think its debatable if access control to intranet sites is really in the threat model of the same origin policy (for example, consider https://en.wikipedia.org/wiki/DNS_rebinding attacks more generally). [Of course, at some point that doesn't matter. We have to deal with the consequences regardless]

I didn't think it was, but after a long (albeit, heated) discussion it seems like that is exactly the threat model of the same-origin policy. At least for credential-less cross-origin requests, but the browser will not send credentials cross-origin, so it is a matter of intranet sites.

Bawolff added a comment.Nov 30 2018, 2:22 PM
I didn't think it was, but after a long (albeit, heated) discussion it seems like that is exactly the threat model of the same-origin policy. At least for credential-less cross-origin requests, but the browser will not send credentials cross-origin, so it is a matter of intranet sites.

I think that thread is more suggesting, that changing the way same origin policy works would be an absolute nightmare, and that intranet sites have started to depend on this behaviour.

All I'm saying, is that the same origin policy is somewhat weak for protecting this usecase (The enforcement of SOP is much weaker then the general assumption that the private IP space will prevent all external access), and setting up mediawiki in this way is probably mildly problematic

On the public internet, cookies are the most common way to manage state. But there are probably sites that do other things.

But this all is beside the point.

Anomie moved this task from Unsorted to Needs details or plan on the MediaWiki-Action-API board.Nov 30 2018, 2:45 PM
Anomie subscribed.
In T210791#4788142, @Bawolff wrote:

I would also say that configuring mediawiki to allow full read access without logging in, and then try and restrict mediawiki solely by placing it on an internal network, is probably not exactly best practise. There are probably other attacks possible here even without CORS

e.g. jsonp.

I'm inclined to decline this task.

dbarratt added a comment.Dec 1 2018, 12:05 AM

I mean I think that's fine to say that we don't support open MediaWiki installs on private intranets (without some sort of other authorization).

Honestly, I don't think we should. :) So feel free to close.

Anomie closed this task as Declined.Dec 3 2018, 6:46 PM
In T210791#4790648, @dbarratt wrote:

Honestly, I don't think we should. :) So feel free to close.

Ok. Thanks for bringing it up for discussion Just In Case™.

Bawolff changed the visibility from "Custom Policy" to "Public (No Login Required)".Dec 3 2018, 7:09 PM
dbarratt mentioned this in T210790: Allow cross-origin requests by default in the Action API.Jun 19 2019, 4:30 PM
dbarratt updated the task description. (Show Details)Jun 19 2019, 4:41 PM
chasemp added a project: Security.Feb 10 2020, 10:51 PM
chasemp removed a project: acl*security.Feb 20 2020, 8:12 PM
Aklapper removed a subscriber: Anomie.Oct 16 2020, 5:28 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL