Page MenuHomePhabricator

CVE-2021-30156: Special:Contributions toolbar reveals existence of hidden users
Closed, ResolvedPublicSecurity

Description

Steps to reproduce

  1. Using a suppressor account, completely block and suppress an user (User:Abusive username in my example), i.e. block talk page and emails, and select "Hide username from edits and lists"
  2. While logged out, view Special:Contributions/Abusive username
  3. Observe the toolbar at the top of the page.

Expected results

  1. The page does not show any indications that the account exists.

Actual results

  1. Links to user talk, logs, etc, are shown, while they are not shown for non-existent users.

See screenshots:

image.png (131×461 px, 13 KB)

image.png (234×501 px, 19 KB)

Event Timeline

Looks like this is related to {T120883}/CVE-2020-35480 which I can't see. This is still reproducible on master even when b5e7f21 has been merged.

Turns out this was just a spot missed on that previous task. See attached patch set for a fix.

Patch approved and deployed to both MW versions.

@sbassett Over to you to handle the final honors :).

sbassett removed a project: Patch-For-Review.

Holding for the next security release (T270458) - please keep this task private for now. Also tracking as a current production security patch (T276237).

Hmm. Does this apply to REL1_35/REL1_31?

It only looks like it applies to master, as it builds ontop of rMW032dc91f4796: Don't show action links for IP ranges outside block limit / T211910: Don't show misleading messages on Special:Contributions for IP ranges outside the CIDR limit which added the $userObj->isRegistered() check to the if

Reedy renamed this task from Special:Contributions toolbar reveals existence of hidden users to CVE-2021-30156: Special:Contributions toolbar reveals existence of hidden users.Apr 6 2021, 7:12 PM

Looks to me like this is a prod-only one, so we can just push it into gerrit now.

Just tested with a REL1_35 install, the same issue is present even if it will need a modified patch due to changes in https://gerrit.wikimedia.org/r/c/mediawiki/core/+/589659.

In T276306#6978045, @Majavah wrote:

Just tested with a REL1_35 install, the same issue is present even if it will need a modified patch due to changes in https://gerrit.wikimedia.org/r/c/mediawiki/core/+/589659.

Discussed on IRC... REL1_35 (and 1_31) just puts the sub heading on all talk pages. So there's nothing being disclosed in those versions. Vs what is there in master, which checks if it's a valid IP, or if the target user is registered. This is done without checking if the user doing the viewing has the permission to.

Will put it on gerrit

Change 677370 merged by jenkins-bot:

[mediawiki/core@master] SECURITY: Do not reveal existence of hidden users in Special:Contribs

https://gerrit.wikimedia.org/r/677370

Reedy changed the visibility from "Custom Policy" to "Public (No Login Required)".
Reedy changed the edit policy from "Custom Policy" to "All Users".

Change 677960 had a related patch set uploaded (by Majavah; author: Majavah):

[mediawiki/core@REL1_36] SECURITY: Do not reveal existence of hidden users in Special:Contribs

https://gerrit.wikimedia.org/r/677960

There is another place that oversighted users are leaked (you can see my mention if you can see security tasks).

Change 677960 merged by jenkins-bot:

[mediawiki/core@REL1_36] SECURITY: Do not reveal existence of hidden users in Special:Contribs

https://gerrit.wikimedia.org/r/677960