Page MenuHomePhabricator
Create Task
Maniphest T223654

AbuseFilterCheckMatch API reveals suppressed edits and usernames (CVE-2021-31547)
Closed, ResolvedPublic
Actions

Assigned To
Daimona
Authored By
suffusion_of_yellow
May 17 2019, 6:13 PM
Tags
Referenced Files
F34120094: 02-T223654-api.patch
Feb 23 2021, 7:53 PM
F34120086: 02-T223654-api.patch
Feb 23 2021, 7:34 PM
F34095121: T223654-api.patch
Feb 8 2021, 1:57 PM
F34095059: T223654-view.patch
Feb 8 2021, 12:37 PM
F34095060: T223654-api.patch
Feb 8 2021, 12:37 PM
F34095057: T223654-api.patch
Feb 8 2021, 12:30 PM
F33983702: T223654-api.patch
Jan 3 2021, 3:15 PM
F33983703: T223654-view.patch
Jan 3 2021, 3:15 PM
View All 11 Files
Subscribers
Aklapper
Amorymeltzer
Daimona
DannyS712
Huji
jeena
matej_suchanek
View All 15 Subscribers

Description

The fix for T207085 is incomplete.

(Part 1) Suppressed usernames can still be recovered (by any user, even logged out) from page histories via the page_recent_contributors variable. This can be done by examining any un-suppressed recent change to the page, or (possibly) by triggering a filter that lazy-loads that variable. Of course, this will only work until ten distinct editors touch the page, but for some pages (for instance user pages that have been accidentally edited logged out) that could take a very long time.
-->This is covered by T71367

(Part 2) Both api.php?action=abusefiltertestmatch and Special:Abusefilter/test allow anyone with the abusefilter-view-private or abusefilter-modify rights to recover, one bit at a time, the full details of any suppressed abuse log entry, and the partial details of any suppressed recent change. For example, suppose new_wikitext == "XYZZY".

Then we can try:

new_wikitext rlike "^[\x80-\xff]" (false, so first bit is 0)
new_wikitext rlike "^[\x40-\x7f]" (true, so first bits are 01)
new_wikitext rlike "^[\x60-\x7f]" (false, so first bits are 010)
...

This would be tedious to do by hand, but a trivial script could unhide any desired variable within minutes or hours. The same trick also works on recent changes, but only on the username and summary, not the wikitext.

Details

ProjectBranchLines +/-Subject
mediawiki/extensions/AbuseFilterREL1_31+32 -1SECURITY: Avoid info leaks in ApiAbuseFilterCheckMatch
mediawiki/extensions/AbuseFilterREL1_35+31 -1SECURITY: Avoid info leaks in ApiAbuseFilterCheckMatch
mediawiki/extensions/AbuseFilterREL1_31+29 -0SECURITY: Skip deleted RCs in /test if we're only showing matches
mediawiki/extensions/AbuseFilterREL1_35+25 -1SECURITY: Skip deleted RCs in /test if we're only showing matches
mediawiki/extensions/AbuseFiltermaster+26 -0SECURITY: Skip deleted RCs in /test if we're only showing matches
mediawiki/extensions/AbuseFiltermaster+33 -2SECURITY: Avoid info leaks in ApiAbuseFilterCheckMatch
Customize query in gerrit

Related Objects
Search...

Event Timeline

suffusion_of_yellow created this task.May 17 2019, 6:13 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptMay 17 2019, 6:13 PM
suffusion_of_yellow added subscribers: Amorymeltzer, Daimona, Rxy.May 17 2019, 6:15 PM
Reedy added a project: AbuseFilter.May 18 2019, 12:38 AM
Daimona added a comment.May 18 2019, 9:19 AM

Part 1 is duplicate of T71367, and the solution is not straightforward.

As for Part 2, yes, that's true. I guess we should forbid /test etc. for suppressed entries. Although, TBH, I thought we already did it.

Daimona added a project: User-Daimona.May 18 2019, 9:19 AM
suffusion_of_yellow added a comment.EditedMay 18 2019, 8:46 PM

@Daimona: I can't see T71367, but are you sure it's the same? To be clear, there are really three ways page_recent_contributors (and, I just realized, page_first_contributor) can reveal a hidden username:

  1. Alice edits logged out, contacts oversight. Oversight does its thing. Later, Bob sees the struck out entry, goes to /examine and finds the IP. No abuse filters are ever tripped on the page.
  2. Alice edits logged out, conatcts oversight. Oversight does its thing. Later, Bob sees the struck out entry, tries to replace the page with "fuck", then goes to his abuse log entry and finds the IP.
  3. Alice edits logged out, contacts oversight. Meanwhile, Vance, who knows nothing of these goings-on, tries to replace the page with "fuck". Too late, oversight does its thing. Later, Bob notices the struck-out entry, goes to the abuse log for the page, finds Vance's entry, and recovers the IP from the log.

(3), indeed, sounds like a PITA to fix, since the username is already baked into the log, but it's not going to be exploitable in most cases. Plus, oversighters can suppress Vance's entry as well, if they remember to look for it. However, couldn't (1) and (2) be fixed by checking rev_deleted in getLastPageAuthors(), etc.?

Daimona added a comment.May 22 2019, 1:23 PM

@suffusion_of_yellow Well, that variable is definitely open to info leaks, whatever the source. As you said, (3) is very hard to fix because when the later-suppressed stuff is already in the DB, there's little we can do. As for (1) and (2), what I meant to say (and what I sort of said in the other task), is that checking rev_deleted against the user rights means that filtering depends on the user performing the action, and using the visibility for a public audience means limiting the amount of available data anyway. I'll explain with an example. Suppose you have an LTA who creates usernames containing the name of another user + some swears; suppose this LTA always edits pages they've already edited. In this case, it may be logical to check page_recent_contributors contains "recognizable-piece". However, suppose that edits from this LTA are constantly being suppressed because the usernames are deemed too offensive. In this case, you cannot use such a check if page_recent_contributors is redacted. A situation like this may be very, very rare (and one could use other checks/countermeasures), but there might be others of which I didn't think. Of note, this creates a distinction between (1) and (2): for (1) we can definitely use the current user's right, whereas (2) is exactly about the example above.
That being said, we can surely check rev_deleted if we think the costs would outweigh the benefits. I just wanted to make it clear that the correctness of checking rev_deleted is not obvious.

Daimona merged a task: Restricted Task.May 23 2019, 3:41 PM
Daimona added a subscriber: DannyS712.
suffusion_of_yellow added a subscriber: TonyBallioni.Jul 4 2019, 6:16 AM
MarcoAurelio added a project: Vuln-Infoleak.Jul 4 2019, 9:28 AM
TonyBallioni added a subscriber: Oshwah.Jul 4 2019, 12:56 PM
DannyS712 added a subscriber: Huji.Sep 8 2019, 11:18 AM
DannyS712 mentioned this in T191740: Bundle AbuseFilter extension with MediaWiki.Sep 13 2019, 4:49 PM
CCicalese_WMF added a parent task: T191740: Bundle AbuseFilter extension with MediaWiki.Sep 13 2019, 4:58 PM
Daimona mentioned this in T71367: page_recent_contributors leaks revdeleted user names (CVE-2021-31545).Sep 18 2019, 12:30 PM
Daimona updated the task description. (Show Details)
Daimona added a comment.Sep 18 2019, 12:33 PM

The page_recent_contributors part already has its own task, so I've moved it there. Now I'm going to patch the second part.

Daimona claimed this task.Sep 18 2019, 12:55 PM

Both api.php?action=abusefiltertestmatch and Special:Abusefilter/test allow anyone with the abusefilter-view-private or abusefilter-modify rights to recover, one bit at a time, the full details of any suppressed abuse log entry,

For Special:AbuseFilter/test: yes, that's "intended" and there's not much we can do. That page allows testing a filter against recent changes, not AbuseLog entries. If you want to forbid testing a suppressed AbuseLog entry, you should also suppress the corresponding revision (which is usually done, AFAIK). /test has no knowledge about the AbuseLog, so there's nothing we can do about that.

and the partial details of any suppressed recent change.

I also /test with a suppressed revision (and not AbuseLog entry). It is correctly refusing to load the edit if you don't have enough rights.

The API, however, does let unprivileged users test the edit in case of both suppressed AbuseLog and RC entries. That's because the module doesn't check the visibility, and this should really be fixed.

The same trick also works on recent changes, but only on the username and summary, not the wikitext.

I think that's covered by the comment above.

So, IIUC the only thing to be fixed here is the CheckMatch API not checking rc_deleted for RC entries, and afl_deleted (+ rc_deleted) AbuseLog entries. I'm going to write a patch for that.

Daimona added a project: Patch-For-Review.Sep 18 2019, 1:29 PM
Daimona added subscribers: sbassett, Reedy.

T223654.patch4 KBDownload

CC @Reedy @sbassett @Huji @matej_suchanek for review

sbassett added a comment.Sep 20 2019, 8:14 PM

@Daimona: +1 to the patch above (T223654#5502973) in that it seems sane, though I did not test locally. Let me know if you'd like me to do that.

Daimona renamed this task from AbuseFilter examine and test features reveal suppressed edits and usernames to AbuseFilterCheckMatch API reveals suppressed edits and usernames.Sep 21 2019, 10:37 AM
Daimona added a comment.Sep 21 2019, 10:47 AM
In T223654#5511853, @sbassett wrote:

@Daimona: +1 to the patch above (T223654#5502973) in that it seems sane, though I did not test locally. Let me know if you'd like me to do that.

As you wish :) I'm going to give reproduction steps anyway:

Preliminary

  • Have two users: user A in the 'suppress' group and with the 'abusefilter-hide-log' permission; user B with only the abusefilter-view-private permission.
  • Create a catch-all abuse filter (1==1), with no consequences

1 - Deleted revision

  • Create a page, make two edits
  • Suppress the second edit while logged as user A
  • Log in as B and make a request to `api.php?action=abusefiltercheckmatch&format=json&filter=1&rcid=<RecentChanges ID of the second edit>
  • It should return an error saying that the revision is hidden

2 - Deleted AbuseLog entry

  • Pick one of the AbuseLog entries created while editing the page (possibly one not referring to the now-suppressed revision)
  • Log as user A and change its visibility from Special:AbuseLog, by clicking 'change visibility'. Ensure to tick the checkbox in the next page.
  • Log as user B and make a request to `api.php?action=abusefiltercheckmatch&format=json&filter=1&logid=<AbuseLog ID of the chosen entry>
  • It should return an error saying that the entry is hidden
Oshwah added a comment.Oct 18 2019, 7:44 PM

Can someone add me to T71367 please?

sbassett added a comment.Oct 18 2019, 7:50 PM

@Oshwah - just subbed you on T71367.

Oshwah added a comment.Oct 18 2019, 9:52 PM

@sbassett - Thank you. :-)

suffusion_of_yellow added a comment.Nov 26 2019, 7:49 PM

For Special:AbuseFilter/test: yes, that's "intended" and there's not much we can do. That page allows testing a filter against recent changes, not AbuseLog entries. If you want to forbid testing a suppressed AbuseLog entry, you should also suppress the corresponding revision (which is usually done, AFAIK). /test has no knowledge about the AbuseLog, so there's nothing we can do about that.

Yeah, sorry, I should have been clearer (and got back to this sooner!). What I meant was that /test allows matching against the user_name and summary of revdelled (and, I think, suppressed) recent changes (not the revision text). For example:

  1. Go to /test on enwiki.
  2. Put User_talk:ST47 in the page field
  3. Set the pattern to user_name rlike "Artvro"
  4. Do not check "Show changes that do not match the filter"

This is the only match:

diff hist User talk:ST47‎ 07:01 +197‎ (Username or IP removed)‎ (edit summary removed) (hidden because revision has been deleted)

Now change the pattern to user_name rlike "Brtvro"

The same line does not appear. So we can conclude that "Artvro" is somewhere in the username.

Daimona added a comment.Nov 26 2019, 8:02 PM

@suffusion_of_yellow Ahhhh thanks. Point (4.) is vital here, then. If you do check that checkbox, deleted/suppressed edits have no symbol next to them, but indeed, it's still exploitable.

Given that it's unrelated to the API module, I'd like to send another patch for that (probably tomorrow unless someone beats me to it). We could deploy them at the same time, though.

Daimona added a comment.Nov 27 2019, 11:12 AM

Here is the whole thing:

Patch for ViewTestBatch:

T223654-2.patch1 KBDownload

Patch for the API module:

T223654-1.patch4 KBDownload

Both need to be approved & merged & deployed.

Daimona removed a project: User-Daimona.Nov 27 2019, 3:25 PM
chasemp triaged this task as Medium priority.Dec 9 2019, 4:12 PM
chasemp added a project: Security.Feb 10 2020, 10:57 PM
chasemp removed a project: acl*security.Feb 20 2020, 8:06 PM
Daimona added a project: User-Daimona.Aug 20 2020, 12:05 PM
Daimona moved this task from Backlog to Ideas for overhaul on the User-Daimona board.
Daimona added a subscriber: matej_suchanek.Sep 16 2020, 3:20 PM
Daimona edited projects, added AbuseFilter (Overhaul-2020); removed User-Daimona, AbuseFilter.Sep 16 2020, 3:28 PM
Daimona added a comment.Jan 3 2021, 3:15 PM

Rebased and improved both patches:

T223654-api.patch5 KBDownload

T223654-view.patch2 KBDownload

matej_suchanek moved this task from Backlog to In progress on the AbuseFilter (Overhaul-2020) board.Jan 8 2021, 10:24 AM
sbassett mentioned this in T71617: AbuseFilter logs suppression deletions (CVE-2021-31546).Feb 5 2021, 4:02 PM
Daimona added a comment.Feb 8 2021, 12:30 PM

API patch rebased and updated to avoid adding i18n.

T223654-api.patch5 KBDownload

Daimona added a comment.Feb 8 2021, 12:37 PM

Rebased view patch:

T223654-view.patch2 KBDownload

And API patch again, I forgot to remove i18n files in the end:

T223654-api.patch3 KBDownload

Daimona added a comment.Feb 8 2021, 1:57 PM

Fixed an error discovered while testing

T223654-api.patch4 KBDownload

Urbanecm added a project: Security-Team.Feb 8 2021, 2:09 PM
Urbanecm added a subscriber: Urbanecm.

Deployed.

15:07 <Urbanecm> !log Deploy security patch for T223654
15:08 <+stashbot> Logged the message at https://wikitech.wikimedia.org/wiki/Server_Admin_Log

Adding Security-Team for backports, etc.

sbassett moved this task from Incoming to In Progress on the Security-Team board.Feb 8 2021, 4:05 PM
sbassett added a comment.Feb 8 2021, 10:24 PM
In T223654#6811150, @Urbanecm wrote:

Deployed.

Thanks.

Adding Security-Team for backports, etc.

I'm tracking this on the supplemental patch for now: T270466. I'll try to get to the backports (at least for master) and CVE this week.

sbassett mentioned this in T270466: Write and send supplementary release announcement for extensions and skins with security patches (1.31.13/1.35.2).Feb 8 2021, 10:24 PM
jeena raised the priority of this task from Medium to Unbreak Now!.Feb 23 2021, 6:56 PM
jeena added a subscriber: jeena.

/extensions/AbuseFilter/02-T223654-api.patch failed to apply for 1.36.0-wmf.32 (conflict on line 28)
As a result the train is blocked, help! :)

Daimona added a comment.Feb 23 2021, 7:21 PM
In T223654#6853973, @jeena wrote:

/extensions/AbuseFilter/02-T223654-api.patch failed to apply for 1.36.0-wmf.32 (conflict on line 28)
As a result the train is blocked, help! :)

rEABF5d4025d8c90214ff4446d5166232496d739000f9 is the conflicting commit, and the conflict itself is easy to fix. I can't do anything beyond pointing to that, though.

sbassett added a comment.EditedFeb 23 2021, 7:22 PM

@jeena - per @Daimona's comment above, this is due to a change in one conditional FWICT. The fastest way to fix this is probably to do a git apply -3 and just manually select the new conditional, which should be the one here: https://gerrit.wikimedia.org/r/c/mediawiki/extensions/AbuseFilter/+/665374/3/includes/Api/CheckMatch.php

(until we can get an updated patch ready)

sbassett added a comment.EditedFeb 23 2021, 7:34 PM

So turning the conditional change in the patch for includes/Api/CheckMatch.php into a noop doesn't corrupt it and lets the patch apply. A little hacky, but this should be fine for /srv/patches unless/until something else changes.

New patch:

02-T223654-api.patch4 KBDownload

Eh, I was being a bit lazy. This one should work and avoids the hackiness above:

02-T223654-api.patch3 KBDownload

sbassett lowered the priority of this task from Unbreak Now! to Low.Mar 9 2021, 9:44 PM
sbassett changed the visibility from "Custom Policy" to "Public (No Login Required)".
gerritbot added a comment.Mar 9 2021, 9:44 PM

Change 670304 had a related patch set uploaded (by SBassett; owner: SBassett):
[mediawiki/extensions/AbuseFilter@master] SECURITY: Avoid info leaks in ApiAbuseFilterCheckMatch

https://gerrit.wikimedia.org/r/670304

RhinosF1 added a subscriber: RhinosF1.Mar 9 2021, 9:46 PM
gerritbot added a comment.Mar 9 2021, 9:46 PM

Change 670305 had a related patch set uploaded (by SBassett; owner: Daimona Eaytoy):
[mediawiki/extensions/AbuseFilter@master] SECURITY: Skip deleted RCs in /test if we're only showing matches

https://gerrit.wikimedia.org/r/670305

gerritbot added a comment.Mar 9 2021, 10:41 PM

Change 670304 merged by jenkins-bot:
[mediawiki/extensions/AbuseFilter@master] SECURITY: Avoid info leaks in ApiAbuseFilterCheckMatch

https://gerrit.wikimedia.org/r/670304

gerritbot added a comment.Mar 9 2021, 10:50 PM

Change 670305 merged by jenkins-bot:
[mediawiki/extensions/AbuseFilter@master] SECURITY: Skip deleted RCs in /test if we're only showing matches

https://gerrit.wikimedia.org/r/670305

ReleaseTaggerBot added a project: MW-1.36-notes (1.36.0-wmf.35; 2021-03-16).Mar 9 2021, 11:00 PM
gerritbot added a comment.Apr 12 2021, 10:40 PM

Change 678650 had a related patch set uploaded (by Reedy; author: SBassett):

[mediawiki/extensions/AbuseFilter@REL1_35] SECURITY: Avoid info leaks in ApiAbuseFilterCheckMatch

https://gerrit.wikimedia.org/r/678650

gerritbot added a comment.Apr 12 2021, 10:52 PM

Change 678651 had a related patch set uploaded (by Reedy; author: Daimona Eaytoy):

[mediawiki/extensions/AbuseFilter@REL1_35] SECURITY: Skip deleted RCs in /test if we're only showing matches

https://gerrit.wikimedia.org/r/678651

gerritbot added a comment.Apr 12 2021, 11:36 PM

Change 678650 merged by jenkins-bot:

[mediawiki/extensions/AbuseFilter@REL1_35] SECURITY: Avoid info leaks in ApiAbuseFilterCheckMatch

https://gerrit.wikimedia.org/r/678650

gerritbot added a comment.Apr 12 2021, 11:36 PM

Change 678651 merged by jenkins-bot:

[mediawiki/extensions/AbuseFilter@REL1_35] SECURITY: Skip deleted RCs in /test if we're only showing matches

https://gerrit.wikimedia.org/r/678651

gerritbot added a comment.Apr 12 2021, 11:40 PM

Change 678654 had a related patch set uploaded (by Reedy; author: Daimona Eaytoy):

[mediawiki/extensions/AbuseFilter@REL1_31] SECURITY: Skip deleted RCs in /test if we're only showing matches

https://gerrit.wikimedia.org/r/678654

gerritbot added a comment.Apr 12 2021, 11:57 PM

Change 678654 merged by jenkins-bot:

[mediawiki/extensions/AbuseFilter@REL1_31] SECURITY: Skip deleted RCs in /test if we're only showing matches

https://gerrit.wikimedia.org/r/678654

gerritbot added a comment.Apr 12 2021, 11:58 PM

Change 678657 had a related patch set uploaded (by Reedy; author: SBassett):

[mediawiki/extensions/AbuseFilter@REL1_31] SECURITY: Avoid info leaks in ApiAbuseFilterCheckMatch

https://gerrit.wikimedia.org/r/678657

Reedy closed this task as Resolved.Apr 13 2021, 12:22 AM
gerritbot added a comment.Apr 13 2021, 12:25 AM

Change 678657 merged by jenkins-bot:

[mediawiki/extensions/AbuseFilter@REL1_31] SECURITY: Avoid info leaks in ApiAbuseFilterCheckMatch

https://gerrit.wikimedia.org/r/678657

sbassett renamed this task from AbuseFilterCheckMatch API reveals suppressed edits and usernames to AbuseFilterCheckMatch API reveals suppressed edits and usernames (CVE-2021-31547).Apr 23 2021, 6:49 PM
Content licensed under Creative Commons Attribution-ShareAlike 3.0 (CC-BY-SA) unless otherwise noted; code licensed under GNU General Public License (GPL) or other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL