
CVE-2021-30158: Allow blocked users to access Special:ResetTokens
Closed, ResolvedPublicSecurity

Description

If someone knows a user's watchlist feed token, they can view that user's watchlist an unlimited number of times until the block ends, and the blocked user has no choice but to accept this, because they have no way to reset the key.

Event Timeline

IN renamed this task from If a user shares his watchlist key before being blocked, his watchlist key cannot be modified in any way during the duration of the block. to If a user shares his watchlist key before being blocked, his watchlist key cannot be modified in any way during the duration of the block.Mar 10 2021, 7:57 AM
IN added a project: MediaWiki-Watchlist.
Aklapper changed the task status from Open to Stalled.Mar 10 2021, 8:11 AM

Hi @IN, thanks for taking the time to report this. Please always follow https://www.mediawiki.org/wiki/How_to_report_a_bug and provide:

  • a clear and complete list of exact steps to reproduce the situation, step by step, so that nobody needs to guess or interpret how you performed each step,
  • what happens after performing these steps to reproduce,
  • what you expected to happen instead and why you think that is a Security problem,
  • a full link to a web address where the issue can be seen.

In separate sections.

You can edit the task description by clicking Edit Task. Ideally, a good description should allow any other person to follow these steps (without having to interpret steps) and see the same results. Problems that others can reproduce can get fixed faster. Thanks again.

Aklapper renamed this task from If a user shares his watchlist key before being blocked, his watchlist key cannot be modified in any way during the duration of the block to If a user shares their watchlist token before being blocked, their token cannot be modified during the duration of the block.Mar 10 2021, 8:11 AM

The specific steps are as follows:

  0. Share your own feed token on test wiki.
  1. Block yourself on testwiki.
  2. Visit https://w.wiki/35Bb .
  3. You can see:

Your username or IP address has been blocked.

The block was made by yourself. The reason given is test for T277009

Start of block: just now
Expiration of block: […]
Intended blockee: yourself
You can contact yourself or another administrator to discuss the block. You can use the "Email this user" feature if a valid email address is specified in your preferences and you have not been blocked from using it. Your current IP address is […], and the block ID is #[…]. Please include all above details in any queries you make.

And you can't reset your key because it's overwritten by the block notice. It cannot be modified under any circumstances.

And you can't reset your key because it's overwritten by block notice.

Why would you want to reset your token if you are blocked anyway?
How is that a security issue, see https://www.mediawiki.org/wiki/Reporting_security_bugs#What_is_Considered_A_Security_Issue ?
Please read my previous comment, which asked for "what you expected to happen instead and why you think that is a Security problem".

Because the token has already been shared. This is a security issue because the user's token is already publicly visible but he doesn't have the ability to reset the token, because he happens to be blocked. In other words, if the token of a blocked user is made public, the blocked user cannot change the token in any case.

In T277009#6899512, @IN wrote:

Because the token has already been shared. This is a security issue because the user's token is already publicly visible

@IN: Where exactly is the token publicly visible to someone who is not the user themselves? Where can I see your token, basically? Please follow https://www.mediawiki.org/wiki/How_to_report_a_bug and provide complete steps to reproduce some situation. Thanks.

@IN: You linked to https://test.wikipedia.org/w/index.php?title=Special:ResetTokens&returnto=Special%3APreferences&uselang=en (please avoid obfuscating links).
That page says "You can reset tokens which allow access to certain private data associated with your account here. You should do it if you accidentally shared them with someone or if your account has been compromised." I do not see a Security issue here, but a Privacy issue. If you see a Security issue, then please see https://www.mediawiki.org/wiki/Reporting_security_bugs#What_is_Considered_A_Security_Issue and explain what the Security issue is. Thanks.

We should definitely allow blocked users to use Special:ResetTokens. I'm not sure exactly if I'd consider it a Vuln-Infoleak since it relies on the watchlist token being distributed/compromised but it's something we should allow for. I think this was accidental rather than intentional, it just uses the default from FormSpecialPage.

Watchlist tokens allow access to your watchlist, so you can use them for RSS feeds, or even have a shared watchlist amongst multiple users. The token should be unguessable, but the more likely scenario here is that you share it with someone or accidentally leak it and need to reset it. Special:ResetTokens is the way to do that, except it currently disallows blocked users from using it.

Patch:


(I can submit to Gerrit instead if this isn't considered a security issue)
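The two comments above describe the mechanism behind the bug: a form special page inherits a "blocked users may not execute this" default, and Special:ResetTokens needs to opt out of it so a user can rotate a watchlist token that leaked before the block. The following stand-alone PHP sketch, added here as an illustration and not code from MediaWiki or from the patch attached to this task, models that pattern with toy classes. The method name `requiresUnblock()` is assumed to match the opt-out hook on MediaWiki's `FormSpecialPage`; the `User`, `UserBlockedError` and special-page classes below are simplified stand-ins, and the token handling (CSPRNG generation, constant-time comparison) shows why an unguessable token still needs a reset path once it has been shared.

```php
<?php
// Toy model of the pattern discussed in this task. Not MediaWiki code:
// the classes below are stand-ins written for this example.

class UserBlockedError extends Exception {}

final class User {
    private string $name;
    private bool $blocked;
    private string $watchlistToken;

    public function __construct(string $name, bool $blocked) {
        $this->name = $name;
        $this->blocked = $blocked;
        $this->watchlistToken = self::newToken();
    }

    // 32 hex chars from a CSPRNG: the token itself is unguessable, so the
    // realistic risk is sharing or leaking it, not brute force.
    public static function newToken(): string {
        return bin2hex(random_bytes(16));
    }

    public function isBlocked(): bool { return $this->blocked; }
    public function getWatchlistToken(): string { return $this->watchlistToken; }
    public function resetWatchlistToken(): void { $this->watchlistToken = self::newToken(); }

    // A feed request presents a token; compare in constant time.
    public function checkWatchlistToken(string $presented): bool {
        return hash_equals($this->watchlistToken, $presented);
    }
}

// Stand-in for FormSpecialPage: by default a blocked user may not execute
// the form at all, and sees the block notice instead.
abstract class FormSpecialPage {
    public function requiresUnblock(): bool { return true; }

    protected function checkExecutePermissions(User $user): void {
        if ($this->requiresUnblock() && $user->isBlocked()) {
            throw new UserBlockedError("Your username or IP address has been blocked.");
        }
    }

    public function execute(User $user): string {
        $this->checkExecutePermissions($user);
        return $this->onSubmit($user);
    }

    abstract protected function onSubmit(User $user): string;
}

// Before the fix: inherits the default, so a blocked user cannot reach the
// form and cannot rotate a token that is already in someone else's hands.
class SpecialResetTokensBefore extends FormSpecialPage {
    protected function onSubmit(User $user): string {
        $user->resetWatchlistToken();
        return "token reset";
    }
}

// After the fix: opt out of the unblock requirement. Resetting a token only
// affects the user's own private data, so a block is no reason to forbid it.
class SpecialResetTokensAfter extends SpecialResetTokensBefore {
    public function requiresUnblock(): bool { return false; }
}

// Scenario from the task: the token is shared first, then the user is blocked.
$user = new User('Alice', true);
$leaked = $user->getWatchlistToken();   // what a third party saw before the block

try {
    (new SpecialResetTokensBefore())->execute($user);
} catch (UserBlockedError $e) {
    echo "before fix: {$e->getMessage()}\n";
}
// With the old behaviour the leaked token is still accepted by the feed.
echo "leaked token still valid: " . var_export($user->checkWatchlistToken($leaked), true) . "\n";

echo "after fix: " . (new SpecialResetTokensAfter())->execute($user) . "\n";
// Once the reset goes through, the leaked value no longer matches.
echo "leaked token still valid: " . var_export($user->checkWatchlistToken($leaked), true) . "\n";
```

The point to take from the sketch is that the access check lives in the base class, so any form page that should remain usable under a block has to override the default explicitly; a page whose whole purpose is damage control for a leaked credential is exactly the kind that should.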

Patch:

Code-Review +2

Untested, but makes sense - assuming that Jenkins wouldn't object, +2 from me - not sure if this needs to be deployed as a security patch or can go through gerrit, I think gerrit would be fine (please add me as a reviewer if done on gerrit)

sbassett triaged this task as Medium priority.Mar 10 2021, 4:58 PM
sbassett moved this task from Incoming to Watching on the Security-Team board.
sbassett added a subscriber: sbassett.

IMO, this is low-risk to push through gerrit, so feel free to do that.

I feel like this doesn't need a pick/deploy to wmf.34 and can wait until next week, unless anyone has more serious concerns.

IN renamed this task from If a user shares their watchlist token before being blocked, their token cannot be modified during the duration of the block to Allow blocked users to access Special:ResetTokens.EditedMar 11 2021, 7:47 AM
IN updated the task description. (Show Details)

I think this task should be a feature request, not a security issue. Can someone change it to FEATURE?

Because it's really a privacy issue, so please do not expose this task until a new version is released. After the new version is released, the task is over, so it can be made public.

In T277009#6903536, @IN wrote:

I think this task should be a feature request, not a security issue. Can someone change it to FEATURE?

It's a lightweight user Vuln-DoS so we can keep the Security label.

Because it's really a privacy issue, so please do not expose this task until a new version is released. After the new version is released, the task is over, so it can be made public.

Yes, we can keep this task protected probably until Thursday of next week, after c954cc85ea is cut with wmf.35 and makes it to all wiki groups. The gerrit change set is already public, of course, but this is low-risk enough imo, and the change set discreet enough, that it shouldn't be problematic.

@IN: ? What "mission"?
Was that a question whether to resolve this ticket now that https://gerrit.wikimedia.org/r/c/mediawiki/core/+/670546 has been merged?

sbassett moved this task from Watching to Our Part Is Done on the Security-Team board.
In T277009#6928372, @IN wrote:

Is this mission over now?

If you mean "can we resolve the task and make it public because the patch is now on wmf.35 and deployed to all wikis?", the answer to that question is yes. I'll go ahead and do that now.

sbassett changed the visibility from "Custom Policy" to "Public (No Login Required)".Mar 19 2021, 3:48 PM
sbassett changed the edit policy from "Custom Policy" to "All Users".
Reedy renamed this task from Allow blocked users to access Special:ResetTokens to CVE-2021-30158: Allow blocked users to access Special:ResetTokens.Tue, Apr 6, 7:13 PM