Page MenuHomePhabricator
Create Task
Maniphest T239959

Improper Access Control on accounts.wmflabs.org
Closed, DeclinedPublic
Actions

Description

Dear Security Team,

I am a security researcher and i found out a critical file on your website that shouldn't be visible to users. Please fix it.

Vulnerable URL:

Thanks and Regards

Event Timeline

ROOTxDEAD created this task.Dec 5 2019, 11:27 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptDec 5 2019, 11:27 PM
Reedy added a project: Striker.Dec 6 2019, 12:04 AM
Reedy subscribed.

I am a security researcher and i found out a critical file on your website that shouldn't be visible to users. Please fix it.

Why are the critical? Why shouldnt' they be shown?

Again, these are all public files available in a git repo at https://github.com/wikimedia/labs-striker

None of them contain any private data

ROOTxDEAD added a comment.Dec 6 2019, 1:12 AM

Noted

Aklapper added a comment.Dec 6 2019, 11:14 AM

Does that mean this task should be declined and made public?

sbassett subscribed.EditedDec 6 2019, 3:26 PM

Hey @ROOTxDEAD - for most Wikimedia code repos and websites, config/test/doc files like these (and some other ones you've reported) are very intentionally made publicly available. I understand that other organizations and businesses might be more interested in keeping things like this locked down, but that is not the case for Wikimedia. So if you could refrain from filing security tasks of this nature, that would be great.

However, something we would care about would be any publicly-served config/test/doc files which contained obviously sensitive information such as passwords, private keys, etc. We would absolutely appreciate you reporting those to us if you happen to find any.

sbassett triaged this task as Low priority.Dec 6 2019, 3:26 PM
sbassett changed the visibility from "Custom Policy" to "Public (No Login Required)".
sbassett moved this task from Backlog / Other to Done on the acl*security board.
sbassett closed this task as Declined.Dec 6 2019, 3:29 PM
chasemp added a project: Security.Feb 10 2020, 10:59 PM
chasemp removed a project: acl*security.Feb 20 2020, 8:18 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL