Page MenuHomePhabricator
Create Task
Maniphest T250594

globaluserinfo api allows access to information about hidden users (CVE-2020-12051)
Closed, ResolvedPublicSecurity
Actions

Description

https://login.wikimedia.org/wiki/Special:CentralAuth/Jyosei_and_nodobotoke_sine shows There is no global account for "Jyosei and nodobotoke sine" because the account was hidden/hideuser/whatever stewards do

https://login.wikimedia.org/w/api.php?action=query&meta=globaluserinfo&guiuser=Jyosei%20and%20nodobotoke%20sine&guiprop=groups%7Cmerged%7Cunattached returns the account`s globaluserinfo, and while it notes that the account is missing, it then proceeds to give all of the information anyway

As a user, when I query the globaluserinfo for a global account, and I do not have access to see the account, I should not receive information about the account via the api

Details

SubjectRepoBranchLines +/-
SECURITY: Do not leak user info via APImediawiki/extensions/CentralAuthREL1_31+4 -0
SECURITY: Do not leak user info via APImediawiki/extensions/CentralAuthREL1_33+4 -0
SECURITY: Do not leak user info via APImediawiki/extensions/CentralAuthREL1_34+4 -0
SECURITY: Do not leak user info via APImediawiki/extensions/CentralAuthmaster+4 -0
Customize query in gerrit

Related Objects

Event Timeline

DannyS712 created this task.Apr 19 2020, 12:13 AM
Restricted Application added a project: User-DannyS712. · View Herald TranscriptApr 19 2020, 12:13 AM
Restricted Application added a subscriber: Aklapper. · View Herald Transcript
DannyS712 moved this task from Unsorted to Reports on the User-DannyS712 board.Apr 19 2020, 12:15 AM
DannyS712 added projects: MediaWiki-extensions-CentralAuth, Vuln-Infoleak, Stewards-and-global-tools.
DannyS712 added a comment.EditedApr 19 2020, 12:44 AM

I'm unable to test this, since I don't have CentralAuth set up, but just setting $userExists to false in ApiQueryGlobalUserInfo::execute when labelling the user as missing might be enough:

T250594.patch (v.1)1 KBDownload

Urbanecm assigned this task to DannyS712.Apr 20 2020, 9:04 AM
Urbanecm triaged this task as High priority.
Urbanecm subscribed.

Sounds sane, just the commit message doesn't comply with our current commit message guidelines for security patches - it should start with SECURITY:. see https://www.mediawiki.org/wiki/Developing_security_patches.

DannyS712 added a comment.EditedApr 20 2020, 9:04 AM

Version 2 with fixed commit message:

T250594.patch1 KBDownload

Urbanecm added a comment.EditedApr 20 2020, 9:23 AM
11:19 <Urbanecm> !log Security deploy for T250594
In T250594#6070596, @DannyS712 wrote:

Version 2 with fixed commit message:

T250594.patch1 KBDownload

Live as of this patch. Danny helped me to test this patch in production, and it works. When logged in, I'm able to view account details, but Danny can't (as well as me in incognito window).

@sbassett Could you do the final honours, please?

Urbanecm added a subscriber: sbassett.Apr 20 2020, 9:23 AM
DannyS712 moved this task from Reports to In progress on the User-DannyS712 board.Apr 20 2020, 9:32 AM
DannyS712 moved this task from Untriaged to High priority on the Stewards-and-global-tools board.
DannyS712 updated the task description. (Show Details)
sbassett added a comment.Apr 21 2020, 2:16 AM
In T250594#6070658, @Urbanecm wrote:

Live as of this patch. Danny helped me to test this patch in production, and it works. When logged in, I'm able to view account details, but Danny can't (as well as me in incognito window).

@sbassett Could you do the final honours, please?

I assume you just mean making this task public? Also, thanks for the testing and deploy.

sbassett changed the visibility from "Custom Policy" to "Public (No Login Required)".Apr 21 2020, 2:16 AM
sbassett moved this task from Incoming to Our Part Is Done on the Security-Team board.
Krenair subscribed.Apr 21 2020, 2:18 AM
DannyS712 added a comment.EditedApr 21 2020, 2:19 AM

@sbassett this hasn't been merged to the master branch, just production, if I understand correctly, and so the "final honours" was any public commit needed

sbassett added a comment.Apr 21 2020, 2:20 AM
In T250594#6074036, @DannyS712 wrote:

@sbassett this hasn't been merged to the master branch, just production, if I understand correctly, and so the "final honours" was any public commit needed

Ok, I can get the backports going.

gerritbot added a comment.Apr 21 2020, 2:26 AM

Change 591250 had a related patch set uploaded (by SBassett; owner: dannys712-main):
[mediawiki/extensions/CentralAuth@master] SECURITY: Do not leak user info via API

https://gerrit.wikimedia.org/r/591250

gerritbot added a comment.Apr 21 2020, 2:27 AM

Change 591251 had a related patch set uploaded (by SBassett; owner: dannys712-main):
[mediawiki/extensions/CentralAuth@REL1_34] SECURITY: Do not leak user info via API

https://gerrit.wikimedia.org/r/591251

gerritbot added a comment.Apr 21 2020, 2:27 AM

Change 591252 had a related patch set uploaded (by SBassett; owner: dannys712-main):
[mediawiki/extensions/CentralAuth@REL1_33] SECURITY: Do not leak user info via API

https://gerrit.wikimedia.org/r/591252

gerritbot added a comment.Apr 21 2020, 2:28 AM

Change 591253 had a related patch set uploaded (by SBassett; owner: dannys712-main):
[mediawiki/extensions/CentralAuth@REL1_31] SECURITY: Do not leak user info via API

https://gerrit.wikimedia.org/r/591253

sbassett added a comment.EditedApr 21 2020, 2:37 AM

A CVE has also been requested - will update this task when I have the ID.

gerritbot added a comment.Apr 21 2020, 2:43 AM

Change 591250 merged by jenkins-bot:
[mediawiki/extensions/CentralAuth@master] SECURITY: Do not leak user info via API

https://gerrit.wikimedia.org/r/591250

Jdforrester-WMF added projects: MW-1.35-notes (1.35.0-wmf.30; 2020-04-28), MW-1.31-release-notes, MW-1.33-notes, MW-1.34-notes.Apr 21 2020, 5:15 PM
gerritbot added a comment.Apr 21 2020, 5:23 PM

Change 591251 merged by jenkins-bot:
[mediawiki/extensions/CentralAuth@REL1_34] SECURITY: Do not leak user info via API

https://gerrit.wikimedia.org/r/591251

gerritbot added a comment.Apr 21 2020, 5:23 PM

Change 591253 merged by jenkins-bot:
[mediawiki/extensions/CentralAuth@REL1_31] SECURITY: Do not leak user info via API

https://gerrit.wikimedia.org/r/591253

gerritbot added a comment.Apr 21 2020, 5:24 PM

Change 591252 merged by jenkins-bot:
[mediawiki/extensions/CentralAuth@REL1_33] SECURITY: Do not leak user info via API

https://gerrit.wikimedia.org/r/591252

sbassett renamed this task from globaluserinfo api allows access to information about hidden users to globaluserinfo api allows access to information about hidden users (CVE-2020-12051).Apr 23 2020, 2:42 AM
sbassett mentioned this in T248542: Write and send supplementary release announcement for extensions and skins with security patches (MediaWiki 1.31.8/1.33.4/1.34.2).Apr 23 2020, 2:50 AM
sbassett closed this task as Resolved.Apr 23 2020, 2:52 AM
sbassett moved this task from Backlog to Done on the MediaWiki-extensions-CentralAuth board.
DannyS712 moved this task from In progress to Merged on the User-DannyS712 board.May 27 2020, 8:36 AM
DannyS712 mentioned this in T256742: Unable to set final story points for security issue subtype.Jun 30 2020, 11:25 AM
Zabe subscribed.Sep 25 2021, 1:34 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits