CVE-2021-30156: Special:Contributions toolbar reveals existence of hidden users
Closed, ResolvedPublicSecurity
Actions

Assigned To

Authored By

	taavi
	Mar 3 2021, 10:05 AM

Description

Steps to reproduce

Using a suppressor account, completely block and suppress an user (User:Abusive username in my example), i.e. block talk page and emails, and select "Hide username from edits and lists"
While logged out, view Special:Contributions/Abusive username
Observe the toolbar at the top of the page.

Expected results

The page does not show any indications that the account exists.

Actual results

Links to user talk, logs, etc, are shown, while they are not shown for non-existent users.

See screenshots:

Details

	Subject	Repo	Branch	Lines +/-
	SECURITY: Do not reveal existence of hidden users in Special:Contribs	mediawiki/core	REL1_36	+5 -1
	SECURITY: Do not reveal existence of hidden users in Special:Contribs	mediawiki/core	master	+5 -1

Customize query in gerrit

Related Objects

Mentioned In: T285190: Special:GlobalUserRights reveals existence of globally suppressed users (CVE-2021-36127)
T270459: Tracking bug for MediaWiki 1.31.13/1.35.2
Mentioned Here: T211910: Don't show misleading messages on Special:Contributions for IP ranges outside the CIDR limit
rMW032dc91f4796: Don't show action links for IP ranges outside block limit
T270458: Release MediaWiki 1.31.13/1.35.2
rMWb5e7f210cd31: SECURITY: Act like users don't exist if hidden from viewer

Event Timeline

taavi created this task.Mar 3 2021, 10:05 AM

Restricted Application added a subscriber: Aklapper. · View Herald TranscriptMar 3 2021, 10:05 AM

taavi added projects: Vuln-Infoleak, MediaWiki-Blocks, MediaWiki-Special-pages.Mar 3 2021, 10:08 AM

Looks like this is related to {T120883}/CVE-2020-35480 which I can't see. This is still reproducible on master even when b5e7f21 has been merged.

Turns out this was just a spot missed on that previous task. See attached patch set for a fix.

T276306-PS1.patch1 KBDownload

Patch approved and deployed to both MW versions.

@sbassett Over to you to handle the final honors :).

sbassett added a parent task: T270459: Tracking bug for MediaWiki 1.31.13/1.35.2.Mar 3 2021, 5:53 PM

Holding for the next security release (T270458) - please keep this task private for now. Also tracking as a current production security patch (T276237).

DannyS712 subscribed.Mar 3 2021, 11:18 PM

Reedy mentioned this in T270459: Tracking bug for MediaWiki 1.31.13/1.35.2.Mar 30 2021, 12:40 AM

Reedy assigned this task to taavi.Mar 30 2021, 1:08 AM

Restricted Application added a project: User-Majavah. · View Herald TranscriptMar 30 2021, 1:08 AM

taavi moved this task from Unsorted to Done on the User-Majavah board.Mar 30 2021, 9:15 AM

Hmm. Does this apply to REL1_35/REL1_31?

It only looks like it applies to master, as it builds ontop of rMW032dc91f4796: Don't show action links for IP ranges outside block limit / T211910: Don't show misleading messages on Special:Contributions for IP ranges outside the CIDR limit which added the $userObj->isRegistered() check to the if

Reedy added a subscriber: Ammarpad.Apr 5 2021, 12:19 AM

Reedy renamed this task from Special:Contributions toolbar reveals existence of hidden users to CVE-2021-30156: Special:Contributions toolbar reveals existence of hidden users.Apr 6 2021, 7:12 PM

Looks to me like this is a prod-only one, so we can just push it into gerrit now.

Reedy removed a parent task: T270459: Tracking bug for MediaWiki 1.31.13/1.35.2.Apr 6 2021, 8:43 PM

Just tested with a REL1_35 install, the same issue is present even if it will need a modified patch due to changes in https://gerrit.wikimedia.org/r/c/mediawiki/core/+/589659.

Reedy added a parent task: T270459: Tracking bug for MediaWiki 1.31.13/1.35.2.Apr 6 2021, 9:12 PM

In T276306#6978045, @Majavah wrote:

Just tested with a REL1_35 install, the same issue is present even if it will need a modified patch due to changes in https://gerrit.wikimedia.org/r/c/mediawiki/core/+/589659.

Discussed on IRC... REL1_35 (and 1_31) just puts the sub heading on all talk pages. So there's nothing being disclosed in those versions. Vs what is there in master, which checks if it's a valid IP, or if the target user is registered. This is done without checking if the user doing the viewing has the permission to.

Will put it on gerrit

Reedy removed a parent task: T270459: Tracking bug for MediaWiki 1.31.13/1.35.2.Apr 6 2021, 9:28 PM

Reedy added a subscriber: gerritbot.Apr 6 2021, 9:37 PM

Change 677370 merged by jenkins-bot:

[mediawiki/core@master] SECURITY: Do not reveal existence of hidden users in Special:Contribs

https://gerrit.wikimedia.org/r/677370

Reedy closed this task as Resolved.Apr 6 2021, 10:06 PM

Reedy changed the visibility from "Custom Policy" to "Public (No Login Required)".

Reedy changed the edit policy from "Custom Policy" to "All Users".

ReleaseTaggerBot added a project: MW-1.37-notes (1.37.0-wmf.1; 2021-04-13).Apr 6 2021, 11:00 PM

Change 677960 had a related patch set uploaded (by Majavah; author: Majavah):

[mediawiki/core@REL1_36] SECURITY: Do not reveal existence of hidden users in Special:Contribs

https://gerrit.wikimedia.org/r/677960

gerritbot added a project: Patch-For-Review.Apr 8 2021, 8:59 PM

There is another place that oversighted users are leaked (you can see my mention if you can see security tasks).

Change 677960 merged by jenkins-bot:

[mediawiki/core@REL1_36] SECURITY: Do not reveal existence of hidden users in Special:Contribs

https://gerrit.wikimedia.org/r/677960

ReleaseTaggerBot added a project: MW-1.36-notes.Apr 9 2021, 1:00 AM

Zabe mentioned this in T285190: Special:GlobalUserRights reveals existence of globally suppressed users (CVE-2021-36127).Jun 20 2021, 4:59 PM

sbassett moved this task from Watching to Our Part Is Done on the Security-Team board.Jun 21 2021, 8:10 PM

sbassett removed a project: Patch-For-Review.

	F34133819: T276306-PS1.patch
	Mar 3 2021, 10:46 AM

CVE-2021-30156: Special:Contributions toolbar reveals existence of hidden usersClosed, ResolvedPublicSecurityActions