
Push extension exposes login credentials (CVE-2020-29004, CVE-2020-29005)
Closed, Resolved · Public · Security

Description

ApiPush does not verify the targets parameter and therefore allows sending arbitrary requests. In addition, the login request sends the username and password as plain text. So a hacker can create a script and pass the URL of the script as the target parameter and then catch the username and password there.
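The defect described above is a missing allow-list check: a value supplied in the targets parameter is used directly as the destination of a login request. The PHP below is an added example, not code from the Push extension or from the Gerrit patch linked in this task. It resolves requested target names against an operator-configured name => URL map and refuses anything that is not listed, so credentials can only be sent to wikis the operator chose. The `$egPushTargets` map mirrors the extension's configuration option as an assumption; the function name, parameter handling and sample values are constructed for illustration.

```php
<?php
// Added example (not the Push extension's own code): resolve the API "targets"
// parameter against a configured allow-list instead of treating its values as URLs.
// $egPushTargets (name => URL) is assumed to mirror the extension's config option;
// resolvePushTargets() and all sample values below are constructed.

/**
 * Map each requested target name onto its configured URL.
 * Unknown names are reported instead of being forwarded, so a raw URL
 * smuggled in as a "target" never receives a login request.
 *
 * @param string[] $requested            target names taken from the API request
 * @param array<string,string> $allowed  configured name => URL map
 * @return array{0: array<string,string>, 1: string[]} [resolved name => URL, rejected names]
 */
function resolvePushTargets( array $requested, array $allowed ): array {
	$resolved = [];
	$rejected = [];
	foreach ( $requested as $name ) {
		$name = (string)$name;
		if ( !array_key_exists( $name, $allowed ) ) {
			$rejected[] = $name;
			continue;
		}
		$url = $allowed[$name];
		// Defence in depth: even configured entries must be absolute http(s) URLs.
		$scheme = parse_url( $url, PHP_URL_SCHEME );
		if ( !in_array( $scheme, [ 'http', 'https' ], true ) ) {
			$rejected[] = $name;
			continue;
		}
		$resolved[$name] = $url;
	}
	return [ $resolved, $rejected ];
}

// Constructed operator configuration.
$egPushTargets = [
	'Staging wiki' => 'https://staging.example.org/w/api.php',
	'Archive wiki' => 'https://archive.example.org/w/api.php',
];

// Well-formed request naming two configured targets: both resolve, nothing rejected.
[ $ok, $bad ] = resolvePushTargets( [ 'Staging wiki', 'Archive wiki' ], $egPushTargets );
assert( count( $ok ) === 2 && $bad === [] );

// Request carrying a raw URL instead of a configured name: rejected, no request is sent.
[ $ok, $bad ] = resolvePushTargets( [ 'https://collector.example/api.php' ], $egPushTargets );
assert( $ok === [] && $bad === [ 'https://collector.example/api.php' ] );

if ( $bad !== [] ) {
	// Inside an ApiBase subclass this would be reported with $this->dieWithError();
	// here the example simply prints the rejected names.
	echo 'Refusing unknown push targets: ' . implode( ', ', $bad ) . "\n";
}
```

The check runs before any login request is built, so the plaintext credential issue is contained as well: whatever the login transport looks like, the credentials can only travel to an operator-configured destination.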

Event Timeline

tosfos renamed this task from Push extenison exposes login credentials to Push extension exposes login credentials. Sep 11 2020, 9:10 PM

There is actually a patch in review that quietly fixes this issue. It is https://gerrit.wikimedia.org/r/c/mediawiki/extensions/Push/+/625988

I believe this is related to the security@ email we received from Ike Hecht? Anyhow, I've softly +1'd the patch and am tracking this bug on T256342 for the next security release. If you need help with backports, requesting a CVE, etc, let us know.

@tosfos - just wanted to check in and see if https://gerrit.wikimedia.org/r/625988 was getting close to being merged. I think we'd like to include it within T256342, which will likely be sent out within a day or two. If it won't be merged before then, then we can save it for the next release.

I think it's ready, but I don't have +2 on that repo.

I can +2 it, but I'd rather someone with a bit more experience with the Push extension sign off on CR. I think any official Wikimedia announcement should likely wait until next quarter's security and supplemental release unless someone can sign off on this today or tomorrow.

https://gerrit.wikimedia.org/r/625988 appears merged, so I'm going to resolve this for now. I'm tracking this for the next supplemental security announcement for extensions/skins: T263810. We should make this task public, if possible, unless other wikis are still being alerted about the security issue.

sbassett renamed this task from Push extension exposes login credentials to Push extension exposes login credentials (CVE-2020-29004). Dec 1 2020, 5:48 PM
sbassett renamed this task from Push extension exposes login credentials (CVE-2020-29004) to Push extension exposes login credentials (CVE-2020-29004, CVE-2020-29005).

Should we be alerting the wikis using this extension? Is there a process for identifying who uses it (wikiapiary?) and who to contact? It seems like anyone using this extension is on an obsolete version of MediaWiki right now: https://wikiapiary.com/wiki/Extension:Push

We (as in the WMF) aren't really resourced to do this. The most we tend to do for non-bundled, non-Wikimedia-production extensions, skins, services, etc. is help review security patches, backport security patches, request relevant CVEs and send out quarterly announcements of recently-patched code bases (e.g. T256342). It is hoped that this provides enough resources and visibility of security issues so that MediaWiki operators can patch at their convenience. That being said, if anyone has the cycles and desire to reach out to affected MediaWiki operators (such as those listed upon wikiapiary) the Security-Team would certainly encourage such an action.

Fully understood. We started alerting wikis from WikiApiary. Please give us (WikiTeq) a week to try and find others. At that time, please feel free to publicize.

Sure, I'll try to set a reminder or feel free to just ping me on this task once you feel this can be publicly disclosed.

sbassett changed the visibility from "Custom Policy" to "Public (No Login Required)".