Page MenuHomePhabricator
Create Task
Maniphest T262724

Push extension exposes login credentials (CVE-2020-29004, CVE-2020-29005)
Closed, ResolvedPublicSecurity
Actions

Description

ApiPush does not verify the targets parameter and therefore allows sending arbitrary requests. In addition, the login request sends the username and password as plain text. So a hacker can create a script and pass the url of the script as the target parameter and then catch the username and password there.

Related Objects

Event Timeline

tosfos created this task.Sep 11 2020, 9:10 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptSep 11 2020, 9:10 PM
tosfos renamed this task from Push extenison exposes login credentials to Push extension exposes login credentials.Sep 11 2020, 9:10 PM
tosfos added a comment.Sep 11 2020, 9:14 PM

There is actually a patch in review that quietly fixes this issue. It is https://gerrit.wikimedia.org/r/c/mediawiki/extensions/Push/+/625988

tosfos assigned this task to Pastakhov.Sep 11 2020, 9:15 PM
Aklapper added a project: MediaWiki-extensions-Push.Sep 12 2020, 8:04 AM
sbassett removed a project: Security-Team.Sep 14 2020, 3:12 PM
sbassett mentioned this in T256342: Write and send supplementary release announcement for extensions and skins with security patches (1.31.9/1.34.3/1.35.0).Sep 14 2020, 3:19 PM
sbassett subscribed.Sep 14 2020, 3:48 PM

I believe this is related to the security@ email we received from Ike Hecht? Anyhow, I've softly +1'd the patch and am tracking this bug on T256342 for the next security release. If you need help with backports, requesting a CVE, etc, let us know.

Aklapper added a comment.Sep 14 2020, 5:02 PM

Yes, tosfos == Ike.

sbassett mentioned this in T256341: Obtain CVEs for 1.31.9/1.34.3/1.35.0 security releases.Sep 23 2020, 9:16 PM

@tosfos - just wanted to check in and see if https://gerrit.wikimedia.org/r/625988 was getting close to being merged. I think we'd like to include it within T256342, which will likely be sent out within a day or two. If it won't be merged before then, then we can save it for the next release.

tosfos added a comment.Sep 23 2020, 9:54 PM

I think it's ready, but I don't have +2 on that repo.

sbassett added a comment.Sep 24 2020, 7:55 PM
In T262724#6489619, @tosfos wrote:

I think it's ready, but I don't have +2 on that repo.

I can +2 it, but I'd rather someone with a bit more experience with the Push extension sign off on CR. I think any official Wikimedia announcement should likely wait until next quarter's security and supplemental release unless someone can sign off on this today or tomorrow.

sbassett closed this task as Resolved.Nov 17 2020, 10:32 PM
sbassett mentioned this in T263810: Write and send supplementary release announcement for extensions and skins with security patches (1.31.11/1.35.1).

https://gerrit.wikimedia.org/r/625988 appears merged, so I'm going to resolve this for now. I'm tracking this for the next supplemental security announcement for extensions/skins: T263810. We should make this task public, if possible, unless other wikis are still being alerted about the security issue.

sbassett added projects: Vuln-CSRF, Vuln-Infoleak.Nov 24 2020, 2:34 AM
sbassett renamed this task from Push extension exposes login credentials to Push extension exposes login credentials (CVE-2020-29004).Dec 1 2020, 5:48 PM
sbassett renamed this task from Push extension exposes login credentials (CVE-2020-29004) to Push extension exposes login credentials (CVE-2020-29004, CVE-2020-29005).
tosfos added a comment.EditedDec 1 2020, 8:05 PM

Should we be alerting the wikis using this extension? Is there a process for identifying who uses it (wikiapiary?) and who to contact? It seems like anyone using this extension is on an obsolete version of MediaWiki right now: https://wikiapiary.com/wiki/Extension:Push

sbassett added a comment.Dec 1 2020, 8:16 PM
In T262724#6660909, @tosfos wrote:

Should we be alerting the wikis using this extension? Is there a process for identifying who uses it (wikiapiary?) and who to contact? It seems like anyone using this extension is on an obsolete version of MediaWiki right now: https://wikiapiary.com/wiki/Extension:Push

We (as in the WMF) aren't really resourced to do this. The most we tend to do for non-bundled, non-Wikimedia-production extensions, skins, services, etc. is help review security patches, backport security patches, request relevant CVEs and send out quarterly announcements of recently-patched code bases (e.g. T256342). It is hoped that this provides enough resources and visibility of security issues so that MediaWiki operators can patch at their convenience. That being said, if anyone has the cycles and desire to reach out to affected MediaWiki operators (such as those listed upon wikiapiary) the Security-Team would certainly encourage such an action.

tosfos added a comment.Dec 3 2020, 11:30 PM

Fully understood. We started alerting wikis from WikiApiary. Please give us (WikiTeq) a week to try and find others. At that time, please feel free to publicize.

sbassett added a comment.Dec 4 2020, 6:56 PM
In T262724#6668218, @tosfos wrote:

Please give us (WikiTeq) a week to try and find others. At that time, please feel free to publicize.

Sure, I'll try to set a reminder or feel free to just ping me on this task once you feel this can be publicly disclosed.

sbassett triaged this task as Low priority.Dec 22 2020, 9:37 PM
sbassett changed the visibility from "Custom Policy" to "Public (No Login Required)".
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits