Page MenuHomePhabricator
Create Task
Maniphest T292763

CVE-2021-44854: Rest API incorrectly publicly caches results from private wikis
Closed, ResolvedPublicSecurity
Actions

Description

Go to https://office.wikimedia.org logged out and start typing "s" or "w" in the search bar, it will start autocompleting the query with a dropdown menu of page titles. This means unauthorized users could access potentially confidential data if that data is included in the page title.

Details

Risk Rating
Low
Author Affiliation
Wikimedia Communities
SubjectRepoBranchLines +/-
Do not cache private wiki completion resultsmediawiki/coremaster+51 -7
Do not cache private wiki completion resultsmediawiki/coreREL1_35+43 -11
Do not cache private wiki completion resultsmediawiki/coreREL1_36+51 -7
Do not cache private wiki completion resultsmediawiki/coreREL1_37+51 -7
Customize query in gerrit

Related Objects
Search...

Event Timeline

Dylsss created this task.Oct 7 2021, 4:58 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptOct 7 2021, 4:58 PM
Dylsss added projects: Vector (legacy skin), Desktop Improvements (Vector 2022).Oct 7 2021, 5:19 PM
Dylsss updated the task description. (Show Details)
Reedy triaged this task as High priority.EditedOct 7 2021, 5:23 PM
Reedy added projects: MediaWiki-REST-API, Platform Engineering, SRE.
Reedy added a subscriber: Reedy.

Thanks for the report!

I don't think this is really a new vector bug, beyond it being the one exposing it. It looks like it may be a caching issue, not necessarily specifically a MediaWiki-REST-API bug, though it could be the REST API setting/sending incorrect cache headers.

If I visit https://office.wikimedia.org/w/rest.php/v1/search/title?q=test&limit=10 I get {"error":"rest-read-denied","httpCode":403,"httpReason":"Forbidden"} which looks right.

Whereas a search for some letters is very likely cached, and just served to anyone?

nnikkhoui added a project: API Platform.Oct 7 2021, 8:03 PM
nnikkhoui claimed this task.Oct 7 2021, 8:05 PM
Aklapper added a project: Vuln-Infoleak.Oct 8 2021, 10:50 AM
sbassett added a subscriber: sbassett.EditedOct 8 2021, 4:09 PM

Config seems fine:
https://github.com/wikimedia/operations-mediawiki-config/blob/master/wmf-config/InitialiseSettings.php#L15169-L15172

$ mwscript shell.php --wiki=officewiki
...
>>> var_dump( $wgEnableMWSuggest );
>>> bool(false)

This isn't great, but I'm not sure it would be much more than a low risk right now. Just trying out various search strings like "password", "budget", "user", etc, I'm not seeing any serious information disclosure, at least not for officewiki. If there are any specific search strings that result in serious privacy leaks, please let us know either on this task or by disclosing them directly to the Security-Team.

sbassett changed Author Affiliation from N/A to Wikimedia Communities.Oct 8 2021, 4:11 PM
sbassett changed Risk Rating from N/A to Low.
nnikkhoui moved this task from Incoming to Backlog on the API Platform board.Oct 12 2021, 6:14 PM
sbassett moved this task from Incoming to Watching on the Security-Team board.Oct 13 2021, 6:34 PM
sbassett added a project: SecTeam-Processed.
nnikkhoui moved this task from Backlog to QA/Review on the API Platform board.Oct 19 2021, 5:45 PM
Jdforrester-WMF added a project: MW-1.38-notes (1.38.0-wmf.6; 2021-10-26).Oct 20 2021, 7:29 PM
nnikkhoui moved this task from QA/Review to Should do next on the API Platform board.Oct 20 2021, 7:55 PM
Legoktm added a subscriber: Legoktm.Oct 21 2021, 1:23 AM

@nnikkhoui why was this patched publicly rather than handled as a security bug? AFAICT (I skimmed very quickly) released versions of MediaWiki are also vulnerable to this kind of cache poisoning/leak.

nnikkhoui added a comment.EditedOct 21 2021, 12:21 PM

@Legoktm oh yikes, it wasn't handled as a security bug for the sole reason that this was my first one and had not realized there was a specific way to handle those in Gerrit (I actually do recall @Pchelolo mentioned something but it slipped my mind before i uploaded -_-) will educate myself on how for future security bugs.
I think you are right, basically anything that uses that search endpoint (which i think(?) is just new Vector with the vue.js search widget)

nnikkhoui added a subscriber: Pchelolo.Oct 21 2021, 12:23 PM
sbassett added a parent task: T292227: Tracking bug for MediaWiki 1.35.5/1.36.3/1.37.1.Oct 22 2021, 7:34 PM
sbassett mentioned this in T292227: Tracking bug for MediaWiki 1.35.5/1.36.3/1.37.1.
Jdforrester-WMF added projects: MW-1.35-notes, MW-1.36-notes, MW-1.37-notes.Oct 25 2021, 4:01 PM
daniel closed this task as Resolved.Nov 11 2021, 11:44 AM
daniel added a subscriber: daniel.

Looks like this is fixed

sbassett added a comment.Nov 12 2021, 9:22 PM
In T292763#7498439, @daniel wrote:

Looks like this is fixed

Yes. This might get a mention within the next security release (it's tracked on the bug) but everything else has already been fixed and disclosed via gerrit, so no need to keep this task private.

sbassett changed the visibility from "Custom Policy" to "Public (No Login Required)".Nov 12 2021, 9:23 PM
sbassett changed the edit policy from "Custom Policy" to "All Users".
sbassett moved this task from Watching to Our Part Is Done on the Security-Team board.
Reedy renamed this task from Private wikis with new vector return autocomplete search results to Rest API incorrectly publicly caches results from private wikis.Dec 10 2021, 5:58 PM
Reedy added a subscriber: gerritbot.Dec 13 2021, 9:40 PM
Reedy renamed this task from Rest API incorrectly publicly caches results from private wikis to CVE-2021-44854: Rest API incorrectly publicly caches results from private wikis.Dec 15 2021, 7:52 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL