
Open redirect in wikis that use http://domain.tld/index.php format
Open, Low | Public | Security

Description

Reported by Tony Nasr to security@

Dear Security Team,
Hope you are well and safe

Need your help to request CVE ID:
I discovered a novel open redirect vulnerability in previous MediaWiki versions 1.27.4 up to 1.31.5
Please confirm it and request a CVE ID at https://cveform.mitre.org by attributing the discovery credit to me.
You can find a detailed Markdown report report.md of the finding on this private Google Drive Folder https://drive.google.com/drive/folders/1tDZUlocekpaU0rQlMqP4PiOMvQb5k-8n

My acknowledgement details:
Full name: Tony Marcel Nasr
Address: https://www.linkedin.com/in/tony-nasr

Please confirm the receipt of this email.

Looking forward to hearing from you
Best Regards
Tony Nasr

Reproduction

Hello security team,
Hope you are well and safe


# Summary
I found an Open Redirect Vulnerability in previous MediaWiki versions.
Please I require your help to confirm it and request CVE ID.
Note that I checked and this has not been reported before or assigned CVE ID.


# Vulnerability Type
Unvalidated URL Open Redirect


# Details
- Vulnerable MediaWiki versions:
1.27.4 up to 1.31.5 (possibly more versions are affected but I only tested those)

- Vulnerable URL path:
`https://HOST/index.php`

- Vulnerable HTTP GET Parameters:
`title`
`action`
`redlink`

- Full URL containing payload place-holder:
`https://HOST/index.php?title=/[Redirect-URL]&action=edit&redlink=1`

- Proof of Concept example: (redirect URL is `www.google.com`):
`https://HOST/index.php?title=/www.google.com&action=edit&redlink=1`


# Steps to Reproduce
1. Navigate to `https://HOST/Main_Page`
2. Click on "Log in" located at the top right side of the page. You will be redirected to `https://HOST/index.php?title=Special:UserLogin&returnto=Main+Page`
3. Now modify the URL so that it becomes as follows `https://HOST/index.php?title=Special:UseLogin&returnto=Aaaaaa` then load this new URL in the browser. You will be presented with a new webpage having the below content saying "No such special page"
4. On this new page, hover over "Aaaaaa" with mouse pointer and right-click to copy the hyperlink address which should look as follows `https://HOST/index.php?title=Aaaaaa&action=edit&redlink=1`
5. Now paste this copied URL into a new browser tab then modify the title parameter value so that the new URL looks as follows `https://HOST/index.php?title=/www.google.com&action=edit&redlink=1`
6. Load this new URL in the browser tab and notice how we are redirected to `https://www.google.com`


# Attack Scenario
A malicious attacker could craft a URL having as payload a malicious URL that they control and they would send it to victims. Once they visit this link they will be redirected to the controlled domain that the attacker owns and conduct further attacks from there.


# Vulnerability Impact
Open redirection vulnerabilities arise when an application incorporates user-controllable data into the target of a redirection in an unsafe way. An attacker can construct a URL within the application that causes a redirection to an arbitrary external domain. This behavior can be leveraged to facilitate phishing attacks against users of the application. The ability to use an authentic application URL, targeting the correct domain and with a valid SSL certificate (if SSL is used), lends credibility to the phishing attack because many users, even if they verify these features, will not notice the subsequent redirection to a different domain.


# Thanks & Dedication
- I am thankful to God, to my wonderful girl for standing by me and for her boundless love & support and to my parents for their continuous support.
- Cheers to the Security team for their hard work keeping all the platforms secure.

TLDR version for reproduction is to go to a URL like https://wow.gamepedia.com/index.php?title=/example.org&action=edit&redlink=1 and you will end up at example.org

Without the redlink=1 parameter it doesn't work, so if the page existed on the wiki, it wouldn't be redirected either.
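A log check for the request shape described above, added here as an example and not part of the original report or of MediaWiki's code. It flags `index.php` requests whose `title` begins with `/` while `redlink=1` is set, the two conditions the description says are needed. The combined log format, the sample lines and the function names are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (combined log format), not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [17/May/2021:18:01:02 +0000] "GET /index.php?title=Main_Page&action=edit HTTP/1.1" 200 5120
203.0.113.9 - - [17/May/2021:18:01:07 +0000] "GET /index.php?title=/example.org&action=edit&redlink=1 HTTP/1.1" 302 0
203.0.113.9 - - [17/May/2021:18:01:09 +0000] "GET /index.php?title=%2Fexample.org&redlink=1&action=edit HTTP/1.1" 302 0
203.0.113.7 - - [17/May/2021:18:02:11 +0000] "GET /index.php?title=Aaaaaa&action=edit&redlink=1 HTTP/1.1" 200 4096
203.0.113.7 - - [17/May/2021:18:02:15 +0000] "GET /index.php?title=/example.org&action=edit HTTP/1.1" 200 4096
"""

# Client address, request target and status code from one log line.
REQUEST_RE = re.compile(
    r'^(?P<client>\S+) .*?"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)


def matches_reported_redirect_url(target):
    """True when a request target has the shape given in the report:
    index.php, a title starting with "/", and redlink=1."""
    parts = urlsplit(target)
    if not parts.path.endswith("/index.php"):
        return False
    # parse_qs percent-decodes, so title=%2Fexample.org is caught as well.
    params = parse_qs(parts.query, keep_blank_values=True)
    title = params.get("title", [""])[-1]      # PHP keeps the last duplicate
    redlink = params.get("redlink", [""])[-1]
    return title.startswith("/") and redlink == "1"


def scan(log_text):
    """Return (client, status, decoded title) for every matching request."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if m and matches_reported_redirect_url(m["target"]):
            title = parse_qs(urlsplit(m["target"]).query)["title"][-1]
            hits.append((m["client"], int(m["status"]), title))
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

The last two sample lines are not flagged: an ordinary red link has a title without the leading slash, and a slash-prefixed title without `redlink=1` does not redirect according to the note above.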

Details

Author Affiliation
Other (Please specify in description)

Event Timeline

eprodromou subscribed.

OK, we're watching for security guidance here, @Reedy. Let us know what we can do to help out, and next steps for this issue.

sbassett triaged this task as Medium priority. May 17 2021, 6:17 PM
sbassett moved this task from Frozen to Watching on the Security-Team board.
sbassett moved this task from Incoming to Frozen on the Security-Team board.

Making this public for now (largely for transparency and disclosure reasons) as it appears to impact very old versions of MediaWiki which are not being run in Wikimedia production, and should be fairly low-risk.

sbassett changed the visibility from "Custom Policy" to "Public (No Login Required)". May 24 2021, 3:50 PM
sbassett changed the edit policy from "Custom Policy" to "All Users".
sbassett lowered the priority of this task from Medium to Low. Aug 4 2021, 6:39 PM
sbassett changed Author Affiliation from N/A to Other (Please specify in description).
sbassett edited projects, added SecTeam-Processed; removed Security-Team.