Page MenuHomePhabricator
Create Task
Maniphest T287542

API action=parse&prop=headhtml leaking user tokens and other private info in cross-origin requests (again)
Closed, ResolvedPublicSecurity
Actions

Assigned To
Legoktm
Authored By
suffusion_of_yellow
Jul 27 2021, 11:53 PM
Tags
Referenced Files
F34585263: patch-T287542-wmf.17
Aug 5 2021, 2:18 PM
F34585262: patch-T287542-wmf.16
Aug 5 2021, 2:18 PM
F34584572: 0001-Revert-Use-CsrfTokenSet-as-CSRF-token-source.patch
Aug 5 2021, 7:09 AM
F34584559: 0001-Revert-Use-CsrfTokenSet-as-CSRF-token-source.patch
Aug 5 2021, 7:09 AM
Subscribers
Aklapper
daniel
Legoktm
matmarex
Pchelolo
sbassett
suffusion_of_yellow

Description

This is almost the same as T139570. Make sure you are logged to enwiki and aren't blocking third-party cookies, then switch to some non-WMF site, and try this in your browser console:

$.getJSON("https://en.wikipedia.org/w/api.php?action=parse&prop=headhtml&format=json&callback=?", function(r) {console.log(r.parse.headhtml["*"]);})

The expected result is for patrolToken, watchToken, and csrfToken to equal +\, and the whole response to be indistinguishable from the response to the same request made without cookies.

The actual result is the full (40-digit) tokens for your account. There are also a few other pieces of private information there, such as your skin and language choices.

Details

SubjectRepoBranchLines +/-
Revert "Use CsrfTokenSet as CSRF token source"mediawiki/coremaster+212 -302
Revert "Use CsrfTokenSet as CSRF token source"mediawiki/corewmf/1.37.0-wmf.17+212 -302
Revert "Use CsrfTokenSet as CSRF token source"mediawiki/corewmf/1.37.0-wmf.16+216 -303
Customize query in gerrit

Related Objects

Event Timeline

suffusion_of_yellow created this task.Jul 27 2021, 11:53 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptJul 27 2021, 11:53 PM
DannyS712 added projects: MediaWiki-Action-API, Vuln-CSRF, Vuln-Infoleak.Jul 28 2021, 12:18 AM
Legoktm added a project: Regression.Jul 28 2021, 12:22 AM
Legoktm mentioned this in T257100: Set up automated/regular end-to-end testing of potential and past security issues.
matmarex subscribed.Jul 28 2021, 7:31 AM

Bisected, caused by rMW0d75fdb4f73d: Use CsrfTokenSet as CSRF token source. Probably the bug is caused by the change in ResourceLoaderUserOptionsModule.php, where it now uses RequestContext::getMain() instead of the local context, bypassing the limited context set up by the API in ApiMain::__construct() (search for 'lacksSameOriginSecurity').

matmarex added a subscriber: Pchelolo.Jul 28 2021, 7:33 AM
sbassett added a project: Platform Engineering.Jul 29 2021, 2:38 PM
sbassett moved this task from Incoming to Watching on the Security-Team board.
sbassett added a project: SecTeam-Processed.
sbassett added a subscriber: daniel.
Legoktm subscribed.Aug 4 2021, 8:14 PM

Can we just revert the problematic patch?

Legoktm added a comment.Aug 5 2021, 7:09 AM

Was introduced in wmf.14 and labeled as a "risky" patch, though it had a one line commit message, no Phabricator task, etc.

Revert against master, which applies cleanly to wmf.17:

0001-Revert-Use-CsrfTokenSet-as-CSRF-token-source.patch69 KBDownload

Revert against wmf.16:

0001-Revert-Use-CsrfTokenSet-as-CSRF-token-source.patch69 KBDownload

Unless there are any objections I'd like to deploy these tomorrow given that all CSRF protection is basically bypassable right now.

Pchelolo added a comment.Aug 5 2021, 2:18 PM

Alternatively we could revert just the problematic piece of a large patch. Tested locally that this is solving the problem:

patch-T287542-wmf.161 KBDownload

patch-T287542-wmf.171 KBDownload

Legoktm added a comment.Aug 5 2021, 10:01 PM
In T287542#7263394, @Pchelolo wrote:

Alternatively we could revert just the problematic piece of a large patch. Tested locally that this is solving the problem:

patch-T287542-wmf.161 KBDownload

patch-T287542-wmf.171 KBDownload

Are you planning to deploy these? They aren't really deployable, they're not patch files with commit metadata...

I'm also not really sold that the patch was appropriate in the first place, that it caused a security issue is just another factor on top.

sbassett subscribed.EditedAug 5 2021, 10:16 PM

@Legoktm @Pchelolo - Given the discussion above, the Security-Team would prefer a revert of the original change set and the completion of any relevant backports, as I don't think we have a great idea what, if any, additional security or performance issues may have been introduced by c697641. Once that has been completed, we'd recommend filing a bug and resubmitting the change set.

Legoktm added a comment.Aug 5 2021, 11:36 PM

I deployed the reverts in production and verified that the provided POC no longer works. The master revert will be merged shortly.

sbassett moved this task from Watching to Incoming on the Security-Team board.Aug 6 2021, 4:46 PM
Legoktm closed this task as Resolved.Aug 10 2021, 6:31 PM
Legoktm claimed this task.
Legoktm changed the visibility from "Custom Policy" to "Public (No Login Required)".
Legoktm changed the edit policy from "Custom Policy" to "All Users".
sbassett moved this task from Incoming to Our Part Is Done on the Security-Team board.Aug 12 2021, 3:10 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL