
mw-ext-FileImporter uses a WMF IP address, does not include XFF for users using this extension (CVE-2020-27621)
Closed, ResolvedPublicSecurity

Description

Identified this issue when checkusering a suspicious account; one of the IPs the account used was mw-ext-FileImporter, and at first glance it looked like it was some sort of shared IP because the "readout" on the CU result said:

  • 2620:0:860:2:208:80:153:61 (block) (16:40, 21 September 2020 -- 03:33, 12 October 2020) [35] (~2,288 from all users)
  • Check of the IP revealed that it ends every CU log entry with IP: 2620:0:860:2:208:80:153:61 mw-ext-FileImporter/* (https://www.mediawiki.org/wiki/Extension:FileImporter)

This is a problem.
  • First, it doesn't give the XFF or true IP address of the person using the extension. It is acting essentially as an open proxy.
  • Second, it's not restricted in its use to people with File Mover permission. The account I was checking does not have that permission.
  • Third, if someone who used this extension recently got blocked with "autoblock" selected (as is standard on English Wikipedia), it would cause cascading blocks to every other user who tried to use the extension during the block period, until we figured out what was happening. It would essentially disable this extension on English Wikipedia.

Not sure how this wasn't noticed/reported before. But I was doing the Checkuser with the expectation that I would be blocking the account involved, and this was a close call. It is only a matter of luck that it hasn't happened already.

Event Timeline

Risker created this task.Oct 18 2020, 4:46 AM
Restricted Application added a subscriber: Aklapper.Oct 18 2020, 4:46 AM
This comment was removed by Risker.
DeltaQuad added a parent task: Restricted Task.Oct 18 2020, 7:06 PM
Reedy moved this task from Incoming to Watching on the Security-Team board.Oct 19 2020, 3:26 PM

@Risker, thanks for the report. Based on the idea that an X-Forwarded-For header might be missing somewhere, we reviewed the FileImporter's workflow. So far we can think of only one place that might be related: when FileImporter does a remote edit to mark the file on the source wiki as {{NowCommons}}. I created a proof-of-concept patch at https://gerrit.wikimedia.org/r/635265. Unfortunately we aren't able to confirm this at the moment. No team member has CheckUser rights. Can you point us to a revision ID that was attributed to this awkward FileImporter IP?
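The comment above describes the defect in general terms: a server-side edit made on a user's behalf is sent from the app server without the user's address, so the remote wiki's CheckUser records the server IP. The following is an added illustration, not FileImporter's code and not the patch linked above. The `RemoteEditClient` class, the `$apiUrl` and `$csrfToken` values and the `File:Example.jpg` wikitext are constructed for this example; `MWHttpRequest::setOriginalRequest()` (which adds the `X-Forwarded-For` and `X-Original-User-Agent` headers from a `WebRequest`) and the `originalRequest` option of `HttpRequestFactory::create()` are MediaWiki core APIs.

```php
<?php
// Added example, not FileImporter's own code. Shows an extension making an
// edit on a remote wiki on behalf of the current user, first without and then
// with the originating request attached.
// Hypothetical: RemoteEditClient, $apiUrl, $csrfToken, the sample wikitext.

use MediaWiki\Http\HttpRequestFactory;
use MediaWiki\MediaWikiServices;

class RemoteEditClient {
	private HttpRequestFactory $factory;

	public function __construct( HttpRequestFactory $factory ) {
		$this->factory = $factory;
	}

	/**
	 * Defective form: the remote wiki sees only the app server's address, so
	 * every user of this code path is attributed to one shared IP (and an
	 * autoblock on that IP would hit all of them).
	 */
	public function editWithoutOriginalRequest( string $apiUrl, array $params ): ?string {
		$req = $this->factory->create(
			$apiUrl,
			[ 'method' => 'POST', 'postData' => $params ],
			__METHOD__
		);
		$status = $req->execute();
		return $status->isOK() ? $req->getContent() : null;
	}

	/**
	 * Corrected form: attach the acting user's WebRequest. MWHttpRequest copies
	 * its IP into X-Forwarded-For and its User-Agent into X-Original-User-Agent,
	 * so the remote wiki can record the real client behind the server.
	 */
	public function editOnBehalfOf( WebRequest $original, string $apiUrl, array $params ): ?string {
		$req = $this->factory->create(
			$apiUrl,
			[
				'method' => 'POST',
				'postData' => $params,
				// Same effect as calling $req->setOriginalRequest( $original ).
				'originalRequest' => $original,
			],
			__METHOD__
		);
		$status = $req->execute();
		return $status->isOK() ? $req->getContent() : null;
	}
}

// Usage inside a request handler (values are placeholders for the example):
$client = new RemoteEditClient(
	MediaWikiServices::getInstance()->getHttpRequestFactory()
);
$apiUrl = 'https://source-wiki.example.org/w/api.php';   // placeholder
$csrfToken = '<csrf token obtained from the remote wiki>'; // placeholder
$result = $client->editOnBehalfOf(
	RequestContext::getMain()->getRequest(),
	$apiUrl,
	[
		'action'     => 'edit',
		'title'      => 'File:Example.jpg',
		'appendtext' => "\n{{NowCommons|File:Example.jpg}}",
		'summary'    => 'Marking as moved (example)',
		'token'      => $csrfToken,
		'format'     => 'json',
	]
);
```

Two points worth checking when applying this pattern: the receiving wiki only honours `X-Forwarded-For` from addresses it treats as trusted proxies, so the sending server must be on that list or the header is ignored and the server IP is recorded anyway; and, as noted later in this thread, the fix applies only to edits made after deployment, because the original client address was never stored for earlier ones.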

Urbanecm added a comment.EditedOct 20 2020, 11:37 AM

@thiemowmde As long as originalRequest will add the header, your patch seems to be correct. You can find a list of five examples at P13028 (NDA-only paste; you can subscribe other WMDE staff if needed; note almost all pages are deleted, happy to screenshot the history if needed).

Awesome, thanks! I don't want to paste a user or file name here. But the list confirms this is indeed about the remote edits that mark the source file as being moved to commons. The summary line for all edits in question is This file is now on Wikimedia Commons at https://commons.wikimedia.org/wiki/File:… (moved with FileImporter).

thiemowmde moved this task from Doing to Review on the WMDE-QWERTY-Sprint-2020-10-07 board.

Note the patch will fix this only for future edits. Edits already in the cuc_ip database table will still contain a wrong IP address. Please let us know if you think this is a problem that needs fixing.

@thiemowmde I don't think you can fix it - the IP isn't stored anywhere now.

/me impersonates gerritbot

Change 635265 approved by Urbanecm:
[mediawiki/extensions/FileImporter@master] Set originalRequest (incl. X-Forwarded-For) for remote edits

https://gerrit.wikimedia.org/r/635265

/me impersonates gerritbot

Change 635265 merged by jenkins-bot:
[mediawiki/extensions/FileImporter@master] Set originalRequest (incl. X-Forwarded-For) for remote edits

https://gerrit.wikimedia.org/r/635265

Change 635039 had a related patch set uploaded (by Urbanecm; owner Urbanecm):
[mediawiki/extensions/FileImporter@wmf/1.36.0-wmf.13] Set originalRequest (incl. X-Forwarded-For) for remote edits

https://gerrit.wikimedia.org/r/635039

Change 635040 had a related patch set uploaded (by Urbanecm; owner Urbanecm):
[mediawiki/extensions/FileImporter@wmf/1.36.0-wmf.14] Set originalRequest (incl. X-Forwarded-For) for remote edits

https://gerrit.wikimedia.org/r/635040

Urbanecm closed this task as Resolved.Oct 20 2020, 2:48 PM

I've deployed the change. Should work fine now.

Adding wmf.13 tag, because this is deployed as-of wmf.13.

sbassett triaged this task as Low priority.Oct 20 2020, 4:12 PM
sbassett changed the visibility from "Custom Policy" to "Public (No Login Required)".

Change 635328 had a related patch set uploaded (by Urbanecm; owner: Thiemo Kreuz (WMDE)):
[mediawiki/extensions/FileImporter@REL1_35] Set originalRequest (incl. X-Forwarded-For) for remote edits

https://gerrit.wikimedia.org/r/635328

Change 635328 merged by jenkins-bot:
[mediawiki/extensions/FileImporter@REL1_35] Set originalRequest (incl. X-Forwarded-For) for remote edits

https://gerrit.wikimedia.org/r/635328

sbassett renamed this task from mw-ext-FileImporter uses a WMF IP address, does not include XFF for users using this extension to mw-ext-FileImporter uses a WMF IP address, does not include XFF for users using this extension (CVE-2020-27621).Oct 22 2020, 8:28 PM