Page MenuHomePhabricator

globaluserinfo api allows access to information about hidden users (CVE-2020-12051)
Closed, ResolvedPublicSecurity

Description

https://login.wikimedia.org/wiki/Special:CentralAuth/Jyosei_and_nodobotoke_sine shows There is no global account for "Jyosei and nodobotoke sine" because the account was hidden/hideuser/whatever stewards do

https://login.wikimedia.org/w/api.php?action=query&meta=globaluserinfo&guiuser=Jyosei%20and%20nodobotoke%20sine&guiprop=groups%7Cmerged%7Cunattached returns the account`s globaluserinfo, and while it notes that the account is missing, it then proceeds to give all of the information anyway

As a user, when I query the globaluserinfo for a global account, and I do not have access to see the account, I should not receive information about the account via the api

Event Timeline

Restricted Application added a project: User-DannyS712. · View Herald TranscriptApr 19 2020, 12:13 AM
Restricted Application added a subscriber: Aklapper. · View Herald Transcript
DannyS712 added a comment.EditedApr 19 2020, 12:44 AM

I'm unable to test this, since I don't have CentralAuth set up, but just setting $userExists to false in ApiQueryGlobalUserInfo::execute when labelling the user as missing might be enough:

Urbanecm triaged this task as High priority.
Urbanecm added a subscriber: Urbanecm.

Sounds sane, just the commit message doesn't comply with our current commit message guidelines for security patches - it should start with SECURITY:. see https://www.mediawiki.org/wiki/Developing_security_patches.

DannyS712 added a comment.EditedApr 20 2020, 9:04 AM

Version 2 with fixed commit message:

Urbanecm added a comment.EditedApr 20 2020, 9:23 AM
11:19 <Urbanecm> !log Security deploy for T250594

Version 2 with fixed commit message:

Live as of this patch. Danny helped me to test this patch in production, and it works. When logged in, I'm able to view account details, but Danny can't (as well as me in incognito window).

@sbassett Could you do the final honours, please?

DannyS712 moved this task from Reports to In progress on the User-DannyS712 board.Apr 20 2020, 9:32 AM
DannyS712 moved this task from Untriaged to High priority on the Stewards-and-global-tools board.
DannyS712 updated the task description. (Show Details)

Live as of this patch. Danny helped me to test this patch in production, and it works. When logged in, I'm able to view account details, but Danny can't (as well as me in incognito window).

@sbassett Could you do the final honours, please?

I assume you just mean making this task public? Also, thanks for the testing and deploy.

sbassett changed the visibility from "Custom Policy" to "Public (No Login Required)".Apr 21 2020, 2:16 AM
sbassett moved this task from Incoming to Our Part Is Done on the Security-Team board.
DannyS712 added a comment.EditedApr 21 2020, 2:19 AM

@sbassett this hasn't been merged to the master branch, just production, if I understand correctly, and so the "final honours" was any public commit needed

@sbassett this hasn't been merged to the master branch, just production, if I understand correctly, and so the "final honours" was any public commit needed

Ok, I can get the backports going.

Change 591250 had a related patch set uploaded (by SBassett; owner: dannys712-main):
[mediawiki/extensions/CentralAuth@master] SECURITY: Do not leak user info via API

https://gerrit.wikimedia.org/r/591250

Change 591251 had a related patch set uploaded (by SBassett; owner: dannys712-main):
[mediawiki/extensions/CentralAuth@REL1_34] SECURITY: Do not leak user info via API

https://gerrit.wikimedia.org/r/591251

Change 591252 had a related patch set uploaded (by SBassett; owner: dannys712-main):
[mediawiki/extensions/CentralAuth@REL1_33] SECURITY: Do not leak user info via API

https://gerrit.wikimedia.org/r/591252

Change 591253 had a related patch set uploaded (by SBassett; owner: dannys712-main):
[mediawiki/extensions/CentralAuth@REL1_31] SECURITY: Do not leak user info via API

https://gerrit.wikimedia.org/r/591253

sbassett added a comment.EditedApr 21 2020, 2:37 AM

A CVE has also been requested - will update this task when I have the ID.

Change 591250 merged by jenkins-bot:
[mediawiki/extensions/CentralAuth@master] SECURITY: Do not leak user info via API

https://gerrit.wikimedia.org/r/591250

Change 591251 merged by jenkins-bot:
[mediawiki/extensions/CentralAuth@REL1_34] SECURITY: Do not leak user info via API

https://gerrit.wikimedia.org/r/591251

Change 591253 merged by jenkins-bot:
[mediawiki/extensions/CentralAuth@REL1_31] SECURITY: Do not leak user info via API

https://gerrit.wikimedia.org/r/591253

Change 591252 merged by jenkins-bot:
[mediawiki/extensions/CentralAuth@REL1_33] SECURITY: Do not leak user info via API

https://gerrit.wikimedia.org/r/591252

sbassett renamed this task from globaluserinfo api allows access to information about hidden users to globaluserinfo api allows access to information about hidden users (CVE-2020-12051).Apr 23 2020, 2:42 AM
sbassett closed this task as Resolved.Apr 23 2020, 2:52 AM
sbassett moved this task from Incoming to Done on the MediaWiki-extensions-CentralAuth board.
DannyS712 moved this task from In progress to Merged on the User-DannyS712 board.May 27 2020, 8:36 AM