Page MenuHomePhabricator
Create Task
Maniphest T265810

mw-ext-FileImporter uses a WMF IP address, does not include XFF for users using this extension (CVE-2020-27621)
Closed, ResolvedPublicSecurity
Actions

Description

Identified this issue when checkusering a suspicious account; one of the IPs the account used was mw-ext-FileImporter, and at first glance it looked like it was some sort of shared IP because the "readout" on the CU result said:

  • 2620:0:860:2:208:80:153:61 (block) (16:40, 21 September 2020 -- 03:33, 12 October 2020) [35] (~2,288 from all users)
  • Check of the IP revealed that it ends every CU log entry with IP: 2620:0:860:2:208:80:153:61 mw-ext-FileImporter/* (https://www.mediawiki.org/wiki/Extension:FileImporter)

This is a problem.
*First, it doesn't give the XFF or true IP address of the person using the extension. It is acting essentially as an open proxy.
*Second, it's not restricted in its use to people with File Mover permission. The account I was checking does not have that permission.
*Third, if someone who used this extension recently got blocked with "autoblock" selected (as is standard on English Wikipedia), it would cause cascading blocks to every other user who tried to use the extension during the block period, until we figured out what was happening. It would essentially disable this extension on English Wikipedia.

Not sure how this wasn't noticed/reported before. But I was doing the Checkuser with the expectation that I would be blocking the account involved, and this was a close call. It is only a matter of luck that it hasn't happened already.

Details

Author Affiliation
Wikimedia Communities
SubjectRepoBranchLines +/-
Set originalRequest (incl. X-Forwarded-For) for remote editsmediawiki/extensions/FileImporterREL1_35+13 -2
Set originalRequest (incl. X-Forwarded-For) for remote editsmediawiki/extensions/FileImporterwmf/1.36.0-wmf.14+11 -2
Set originalRequest (incl. X-Forwarded-For) for remote editsmediawiki/extensions/FileImporterwmf/1.36.0-wmf.13+11 -2
Set originalRequest (incl. X-Forwarded-For) for remote editsmediawiki/extensions/FileImportermaster+11 -2
Customize query in gerrit

Related Objects
Search...

Event Timeline

Risker created this task.Oct 18 2020, 4:46 AM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptOct 18 2020, 4:46 AM
SQL added a comment.Oct 18 2020, 4:48 AM

Non-ideal at best. This should report the user's address.

https://whois.toolforge.org/gateway.py?lookup=true&ip=2620%3A0%3A860%3A2%3A208%3A80%3A153%3A61

Aklapper added a project: Move-Files-To-Commons.Oct 18 2020, 9:50 AM
Urbanecm added subscribers: Lea_WMDE, awight, Lena_WMDE, Urbanecm.Oct 18 2020, 11:02 AM

Adding few people from WMDE based on https://phabricator.wikimedia.org/project/members/2671/.

Tks4Fish subscribed.Oct 18 2020, 12:40 PM
Risker added a subscriber: AmandaNP.Oct 18 2020, 7:02 PM
This comment was removed by Risker.
AmandaNP added a parent task: Restricted Task.Oct 18 2020, 7:06 PM
awight added subscribers: Andrew-WMDE, lilients_WMDE.Oct 19 2020, 1:06 PM
Reedy moved this task from Incoming to Watching on the Security-Team board.Oct 19 2020, 3:26 PM
awight added subscribers: thiemowmde, WMDE-Fisch.Oct 20 2020, 9:05 AM
awight added projects: Unplanned-Sprint-Work, WMDE-QWERTY-Sprint-2020-10-07.Oct 20 2020, 10:15 AM
thiemowmde moved this task from Backlog to Tickets in sprint on the Move-Files-To-Commons board.Oct 20 2020, 10:42 AM

@Risker, thanks for the report. Based on the idea that an X-Forwarded-For header might be missing somewhere, we reviewed the FileImporter's workflow. So far we can think of only one place that might be related: when FileImporter does an remote edit to mark the file on the source wiki as {{NowCommons}}. I created a proof-of-concept patch at https://gerrit.wikimedia.org/r/635265. Unfortunately we aren't able to confirm this at the moment. No team member does have CheckUser rights. Can you point us to a revision ID that was attributed to this awkward FileImporter IP?

Urbanecm added a comment.EditedOct 20 2020, 11:37 AM

@thiemowmde As long as originalRequest will add the header, your patch seems to be correct. You can find a list of five examples at P13028 (NDA-only paste; you can subscribe other WMDE staff if needed; note almost all pages are deleted, happy to screenshot the history if needed).

thiemowmde added a comment.Oct 20 2020, 12:09 PM

Awesome, thanks! I don't want to past a user or file name here. But the list confirms this is indeed about the remote edits that mark the source file as being moved to commons. The summary line for all edits in question is This file is now on Wikimedia Commons at https://commons.wikimedia.org/wiki/File:… (moved with FileImporter).

Lena_WMDE moved this task from Sprint Backlog to Doing on the WMDE-QWERTY-Sprint-2020-10-07 board.Oct 20 2020, 12:14 PM
thiemowmde claimed this task.Oct 20 2020, 12:22 PM
thiemowmde moved this task from Doing to Review on the WMDE-QWERTY-Sprint-2020-10-07 board.

Note the patch will fix this only for future edits. Edits already in the cuc_ip database table will still contain a wrong IP address. Please let us know if you think this is a problem that needs fixing.

Urbanecm added a comment.Oct 20 2020, 12:32 PM

@thiemowmde I don't think you can fix it - the IP isn't stored anywhere now.

Urbanecm added a comment.Oct 20 2020, 1:08 PM

/me impersonates gerritbot

Change 635265 approved by Urbanecm:
[mediawiki/extensions/FileImporter@master] Set originalRequest (incl. X-Forwarded-For) for remote edits

https://gerrit.wikimedia.org/r/635265

Urbanecm added a comment.Oct 20 2020, 1:26 PM

/me impersonates gerritbot

Change 635265 merged by jenkins-bot:
[mediawiki/extensions/FileImporter@master] Set originalRequest (incl. X-Forwarded-For) for remote edits

https://gerrit.wikimedia.org/r/635265

Change 635039 had a related patch set uploaded (by Urbanecm; owner Urbanecm):
[mediawiki/extensions/FileImporter@wmf/1.36.0-wmf.13] Set originalRequest (incl. X-Forwarded-For) for remote edits

https://gerrit.wikimedia.org/r/635039

Change 635040 had a related patch set uploaded (by Urbanecm; owner Urbanecm):
[mediawiki/extensions/FileImporter@wmf/1.36.0-wmf.14] Set originalRequest (incl. X-Forwarded-For) for remote edits

https://gerrit.wikimedia.org/r/635040

thiemowmde mentioned this in rEFLIff0ec0ac1ce5: Set originalRequest (incl. X-Forwarded-For) for remote edits.Oct 20 2020, 1:31 PM
Urbanecm mentioned this in rEFLI5f8d3de14c11: Set originalRequest (incl. X-Forwarded-For) for remote edits.Oct 20 2020, 2:00 PM
Urbanecm mentioned this in rEFLI5eee9b773338: Set originalRequest (incl. X-Forwarded-For) for remote edits.Oct 20 2020, 2:46 PM
Urbanecm closed this task as Resolved.Oct 20 2020, 2:48 PM

I've deployed the change. Should work fine now.

Jdforrester-WMF added a project: MW-1.36-notes (1.36.0-wmf.16; 2020-11-03).Oct 20 2020, 3:00 PM
Urbanecm edited projects, added MW-1.36-notes (1.36.0-wmf.13; 2020-10-12); removed MW-1.36-notes (1.36.0-wmf.16; 2020-11-03).Oct 20 2020, 3:02 PM

Adding wmf.13 tag, because this is deployed as-of wmf.13.

sbassett triaged this task as Low priority.Oct 20 2020, 4:12 PM
sbassett changed the visibility from "Custom Policy" to "Public (No Login Required)".
sbassett mentioned this in T263810: Write and send supplementary release announcement for extensions and skins with security patches (1.31.11/1.35.1).
sbassett moved this task from Watching to Our Part Is Done on the Security-Team board.Oct 20 2020, 4:14 PM
gerritbot added a comment.Oct 20 2020, 4:15 PM

Change 635328 had a related patch set uploaded (by Urbanecm; owner: Thiemo Kreuz (WMDE)):
[mediawiki/extensions/FileImporter@REL1_35] Set originalRequest (incl. X-Forwarded-For) for remote edits

https://gerrit.wikimedia.org/r/635328

gerritbot added a comment.Oct 20 2020, 9:37 PM

Change 635328 merged by jenkins-bot:
[mediawiki/extensions/FileImporter@REL1_35] Set originalRequest (incl. X-Forwarded-For) for remote edits

https://gerrit.wikimedia.org/r/635328

thiemowmde mentioned this in rEFLIa3f025ff07ad: Set originalRequest (incl. X-Forwarded-For) for remote edits.Oct 20 2020, 9:39 PM
thiemowmde moved this task from Review to Done on the WMDE-QWERTY-Sprint-2020-10-07 board.Oct 21 2020, 7:05 AM
sbassett renamed this task from mw-ext-FileImporter uses a WMF IP address, does not include XFF for users using this extension to mw-ext-FileImporter uses a WMF IP address, does not include XFF for users using this extension (CVE-2020-27621).Oct 22 2020, 8:28 PM
sbassett added a project: Vuln-Misconfiguration.Mar 16 2021, 9:29 PM
RhinosF1 subscribed.Mar 16 2021, 9:32 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits