Page MenuHomePhabricator
Create Task
Maniphest T289180

PAWS discloses ToolsDB password, disclosing various nonpublic user information
Closed, ResolvedPublicSecurity
Actions

Description

I just happened to notice that PAWS's ToolsDB password is publicly available, which appears to contain client OAuth secrets for PAWS users (secrets connected to my account are there and I confirmed via production database queries they're valid).

Fortunately, it looks the secrets are related to some older version of PAWS (the associated consumer ID is 0a73e346a40b07262b6e36bdba01cba4, which has https://paws.wmflabs.org/paws/hub/oauth_callback as the callback; the current PAWS consumer sounds to use https://hub.paws.wmcloud.org/hub/oauth_callback instead).

That being said, it still exposes sensitive tokens for a great amount of users. Considering the secret consumer token was necessarily published within the PAWS container (T120469), this means there can be users with the technical ability to impersonate the old PAWS users on-wiki. EDIT: /data/project/paws/Tbayer has the consumer secret as well.

SQL password (and some other secrets) is available in /data/project/paws/hub-rc.

Details

Author Affiliation
Wikimedia Communities

Related Objects

Event Timeline

Urbanecm created this task.Aug 18 2021, 5:05 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptAug 18 2021, 5:05 PM
Urbanecm added a project: PAWS.Aug 18 2021, 5:05 PM
Urbanecm added a project: cloud-services-team.
Restricted Application edited projects, added cloud-services-team (Kanban); removed cloud-services-team. · View Herald TranscriptAug 18 2021, 5:05 PM
Urbanecm updated the task description. (Show Details)Aug 18 2021, 5:07 PM
Urbanecm added a comment.Aug 18 2021, 5:10 PM

I've disabled the oauth consumer (0a73e346a40b07262b6e36bdba01cba4), to make it impossible to auth any requests via leaked information.

Urbanecm updated the task description. (Show Details)Aug 18 2021, 5:11 PM
Bstorm added a subscriber: Bstorm.Aug 18 2021, 5:20 PM

Looks like that's a really old file from when PAWS was inside Toolforge. I've set the file to read-only and will change the database password.

Bstorm added a comment.Aug 18 2021, 5:20 PM

I've also set up a separate database for PAWS that this is probably time to switch it for.

Bstorm claimed this task.Aug 18 2021, 5:21 PM
Bstorm added a comment.Aug 18 2021, 5:27 PM

I set all files in the Toolforge version of /data/project/paws to be user and group read only just so that's done.

Bstorm added a comment.Aug 18 2021, 6:29 PM

Working on completing T267683, which already uses a different password, in order to make rotating the password for toolsdb simpler.

Bstorm added a comment.Aug 18 2021, 7:11 PM

PAWS is now running on a separate Trove database (committing the change to git shortly), and I have rotated the credentials for ToolsDB (which it will no longer be using anyway).

Bstorm added a comment.Aug 18 2021, 7:23 PM

The PR is https://github.com/toolforge/paws/pull/82, but it's already deployed. I think that closes this up.

Bstorm closed this task as Resolved.Aug 18 2021, 7:23 PM
sbassett edited projects, added SecTeam-Processed; removed Security-Team.Aug 18 2021, 7:43 PM
sbassett added a subscriber: sbassett.

@Urbanecm @Bstorm - Can I (or anyone really) make this task public now? I didn't see any problematic data in the task description or comments.

Bstorm mentioned this in rPAWS2303c6921a4e: hub database: move from ToolsDB to Trove.Aug 18 2021, 7:47 PM
Bstorm added a comment.Aug 18 2021, 8:08 PM

I have no objection, but I am interested if @Urbanecm agrees I covered everything that needs doing first.

Bstorm added a subscriber: Chicocvenancio.Aug 18 2021, 8:12 PM
Urbanecm added a comment.Aug 18 2021, 8:42 PM
In T289180#7293008, @Bstorm wrote:

I have no objection, but I am interested if @Urbanecm agrees I covered everything that needs doing first.

Was the (now defunct) ToolsDB database dropped as well? I think that should be done as well. If I didn't miss anything, the credentials should be void by now, but I still feel like keeping unnecessary credentials around is a bad thing.

Thanks for fixing this quickly @Bstorm.

Bstorm added a comment.Aug 18 2021, 8:43 PM

No, but I can drop the tables now.

Bstorm added a comment.Aug 18 2021, 8:51 PM

Database is dropped.

Urbanecm changed the visibility from "Custom Policy" to "Public (No Login Required)".Aug 18 2021, 10:35 PM
Urbanecm changed the edit policy from "Custom Policy" to "All Users".

Thanks! I've published the task.

Content licensed under Creative Commons Attribution-ShareAlike 4.0 (CC-BY-SA) unless otherwise noted; code licensed under GNU General Public License (GPL) or other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL