Page MenuHomePhabricator
Create Task
Maniphest T239730

Improper Access Control on timeless.wmflabs.org
Closed, InvalidPublic
Actions

Description

Dear Security Team,

I am a security researcher and i found out a critical file on your website that shouldn't be visible to users. Please fix this ASAP.

Vulnerable URL:

Thanks and Regards

Event Timeline

ROOTxDEAD created this task.Dec 3 2019, 5:12 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptDec 3 2019, 5:12 PM
Reedy added a project: Cloud-VPS.Dec 3 2019, 5:21 PM
Reedy added a subscriber: Isarra.
chasemp triaged this task as Low priority.Dec 3 2019, 6:01 PM
Aklapper renamed this task from Improper Access Control to Improper Access Control on timeless.wmflabs.org.Dec 3 2019, 6:59 PM
MaxSem subscribed.Dec 4 2019, 6:50 AM

Considering Toolforge's goals and open access, I don't think phpinfo() output should be considered non-public there.

sbassett subscribed.EditedDec 4 2019, 3:01 PM
In T239730#5711161, @MaxSem wrote:

Considering Toolforge's goals and open access, I don't think phpinfo() output should be considered non-public there.

I'd agree. As a security best practice, it's always advisable to limit information disclosure as much as possible, even for the often minor items that phpinfo() displays. However these types of vulnerabilities are, at best, low-risk. And within the context of Wikimedia and OSS it could be argued that they aren't vulnerabilities at all.

sbassett added a project: Vuln-Infoleak.Dec 4 2019, 3:03 PM
sbassett added a comment.Dec 6 2019, 3:39 PM

Getting a 502 Bad Gateway for any url at timeless.wmflabs.org. I suppose that technically resolves this issue, even if it isn't really an issue :) @Isarra or another project owner for timeless.wmflabs.org - if you can provide any update here, that would be great, otherwise I'll plan to decline and make this task public soon.

chasemp added a project: Security.Feb 10 2020, 10:59 PM
chasemp removed a project: acl*security.Feb 20 2020, 8:08 PM
fnegri moved this task from Backlog to Security on the Cloud-VPS board.Jul 11 2023, 10:48 AM
taavi closed this task as Invalid.Fri, Apr 12, 10:00 AM
taavi subscribed.

timeless.wmflabs.org doesn't seem to exist anymore.

sbassett assigned this task to taavi.Fri, Apr 12, 1:20 PM
sbassett changed the visibility from "Custom Policy" to "Public (No Login Required)".
sbassett added a project: SecTeam-Processed.
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL