
Wikitech 2FA can be bypassed in Striker via Django admin console login
Closed, ResolvedPublicSecurity

Description

Toolforge admin accounts (maintainers of the admin tool) can manage Striker via the Django admin console at https://toolsadmin.wikimedia.org/contrib-admin/. Logging in via its internal login form and not the main one will bypass 2-factor authentication. Not sure if this applies to all accounts or just admins.

Details

Author Affiliation
Wikimedia Communities

Event Timeline

sbassett triaged this task as Medium priority. Jun 7 2021, 4:46 PM
bd808 renamed this task from Striker 2FA can be bypassed via Django admin console login to Wikitech 2FA can be bypassed in Striker via Django admin console login. Jun 7 2021, 7:20 PM

Wikitech 2FA is also bypassed by Gerrit and Phabricator in all operations. The effort I went to to support the spirit of Wikitech 2FA in Striker was pretty large, and honestly I'm not really convinced that it was worth it. If there is any fix here it is probably figuring out how to completely disable the contrib-admin login flow.

> Wikitech 2FA is also bypassed by Gerrit and Phabricator in all operations. The effort I went to to support the spirit of Wikitech 2FA in Striker was pretty large, and honestly I'm not really convinced that it was worth it. If there is any fix here it is probably figuring out how to completely disable the contrib-admin login flow.

That was my thinking. I actually didn't notice this interface was even there. The interface looks like it could even be useful, but that doesn't mean it totally fits the security model of the site.

> I actually didn't notice this interface was even there.

It is not linked anywhere in the public UI. It is semi-obvious if you are used to doing Django development and look at the urls.py router setup.

> The interface looks like it could even be useful, but that doesn't mean it totally fits the security model of the site.

The /contrib-admin/ route exposes Django's https://docs.djangoproject.com/en/2.2/ref/contrib/admin/ which can be much nicer to use than direct db calls when browsing the db as a "root" user.

Following https://docs.djangoproject.com/en/2.2/ref/contrib/admin/#root-and-login-templates and setting up a login template and form that doesn't actually log you in would be one way to disable the login here. In theory these same settings could be used to replace the default form and auth flow too, but I'm not sure that is actually needed.
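The template approach above swaps out what the admin login page renders. A related way to close the same gap, shown here as an added example that is not Striker's code and was not posted in this task, is to subclass `AdminSite` so that the `/contrib-admin/` login view never authenticates anyone and `has_permission()` additionally demands a session established through the main login flow. The session key `two_factor_verified` and the path `/auth/login/` are assumptions for illustration; the `FakeUser` and `FakeRequest` classes are constructed stand-ins so the policy can be exercised without a running Django project.

```python
"""Gate Django's contrib.admin on the main login flow's 2FA step.

Added illustration for the fix discussed in this task; it is not Striker's
code. Assumed: the main login flow stores True under the session key
TWO_FACTOR_SESSION_KEY once the second factor has been verified, and the
main login page lives at MAIN_LOGIN_PATH.
"""
try:
    from django.contrib.admin import AdminSite
    from django.http import HttpResponseRedirect
except Exception:  # Django missing or unconfigured: minimal stand-ins so the policy runs stand-alone
    class AdminSite:
        def __init__(self, name="admin"):
            self.name = name

    class HttpResponseRedirect:
        status_code = 302

        def __init__(self, redirect_to):
            self.url = redirect_to

TWO_FACTOR_SESSION_KEY = "two_factor_verified"  # assumed name, set only by the main login flow
MAIN_LOGIN_PATH = "/auth/login/"                # assumed path of the main (2FA-enforcing) login


def admin_access_allowed(is_authenticated, is_active, is_staff, session):
    """Policy check shared by the admin site.

    The default AdminSite only asks for an active staff user; here the
    session must additionally carry the 2FA marker, which only the main
    login flow sets. A session created by any other path is refused.
    """
    return bool(
        is_authenticated
        and is_active
        and is_staff
        and session.get(TWO_FACTOR_SESSION_KEY) is True
    )


class TwoFactorGatedAdminSite(AdminSite):
    """AdminSite with no working local login that requires a 2FA-verified session."""

    def has_permission(self, request):
        user = request.user
        return admin_access_allowed(
            user.is_authenticated, user.is_active, user.is_staff, request.session
        )

    def login(self, request, extra_context=None):
        # Replaces the built-in username/password view. Django sends users who fail
        # has_permission() here, so they land on the main login instead of a form
        # that would authenticate them without a second factor.
        return HttpResponseRedirect(MAIN_LOGIN_PATH)


class FakeUser:
    """Constructed stand-in for request.user, for exercising the policy offline."""

    def __init__(self, is_authenticated=True, is_active=True, is_staff=True):
        self.is_authenticated = is_authenticated
        self.is_active = is_active
        self.is_staff = is_staff


class FakeRequest:
    """Constructed stand-in for a Django request (only .user and .session are used)."""

    def __init__(self, user, session):
        self.user = user
        self.session = session


if __name__ == "__main__":
    site = TwoFactorGatedAdminSite(name="contrib-admin")
    via_main_login = FakeRequest(FakeUser(), {TWO_FACTOR_SESSION_KEY: True})
    via_other_path = FakeRequest(FakeUser(), {})
    print("2FA session:", site.has_permission(via_main_login))    # True
    print("no 2FA marker:", site.has_permission(via_other_path))  # False
```

In a real project the instance replaces `admin.site` in the URL router (`path("contrib-admin/", TwoFactorGatedAdminSite(name="contrib-admin").urls)`), and the main login view has to set the session marker only after the second factor succeeds; the gate is only as strong as that marker's provenance.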

taavi moved this task from Backlog to Doing on the Striker board.
taavi added a project: Patch-For-Review.

This is low-risk enough that I'm pushing this through Gerrit. https://gerrit.wikimedia.org/r/c/labs/striker/+/1009258

taavi changed the visibility from "Custom Policy" to "Public (No Login Required)".
taavi changed the edit policy from "Custom Policy" to "All Users".