
Publish FAQ for undo security bug
Closed, ResolvedPublicSecurity

Description

Draft FAQ for T297322: CVE-2021-44857, CVE-2021-44858: Unauthorized users can undo edits on any protected page and view contents of private wikis using mcrundo. Split out of T292230: Write and send release announcements for MediaWiki 1.35.5/1.36.3/1.37.1. To be published at https://www.mediawiki.org/wiki/2021-12_security_release/FAQ

A series of vulnerabilities have been found in MediaWiki that allow an attacker to leak page contents from private wikis and bypass edit permissions. The main vector for the content leak is invoking vulnerable actions on pages listed in {{wg|WhitelistRead}}, which are therefore publicly accessible even on a private wiki. MediaWiki now only makes the "view" action publicly accessible on pages in {{wg|WhitelistRead}} by default. These issues are fixed in 1.35.5, 1.36.3, and 1.37.1.

== What are the issues? ==

* CVE-2021-44858: The "undo" feature (<code>action=edit&undo=##&undoafter=###</code>) allowed an attacker to view the contents of arbitrary revisions, regardless of whether they had permissions to do so. This was also found in the "mcrundo" and "mcrrestore" actions (<code>action=mcrundo</code> and <code>action=mcrrestore</code>).
* CVE-2021-45038: The "rollback" feature (<code>action=rollback</code>) could be passed a specially crafted parameter that allowed an attacker to view the contents of arbitrary pages, regardless of whether they had permissions to do so.
* CVE-2021-44857: The "mcrundo" and "mcrrestore" actions (<code>action=mcrundo</code> and <code>action=mcrrestore</code>) did not properly check for editing permissions, and allowed an attacker to take the content of any arbitrary revision and save it on any page of their choosing. This affects both public wikis and public pages on private wikis.

== I don't have time to patch, how do I disable this? ==
Add the following to your LocalSettings.php:
<syntaxhighlight lang="php">
$wgActions['mcrundo'] = false;
$wgActions['mcrrestore'] = false;
</syntaxhighlight>

If your wiki is private (requires login to view pages) you will '''also''' need to set:
<syntaxhighlight lang="php">
$wgWhitelistRead = [];
$wgWhitelistReadRegexp = [];
</syntaxhighlight>

This should fully disable the vulnerable code paths. These changes also work on vulnerable end-of-life MediaWiki versions for which no patch is available.

If you used {{wg|WhitelistRead}} to allow logged out users to see the main page with help text, you should instead move that help text to the [[MediaWiki:Loginreqpagetext]] message, which is shown on the "login required" error.

== Was I affected? ==
* If your wiki is public (anyone can read pages): yes
* If your wiki is private, and {{wg|WhitelistRead}} or {{wg|WhitelistReadRegexp}} has at least one page: yes

If you use an extension like [[Extension:Lockdown|Lockdown]] to make some pages unreadable to some users, you are also likely affected.

== What versions are vulnerable? ==
All MediaWiki versions since 1.23.0 are vulnerable to the private wiki read permissions bypasses (CVE-2021-44858, CVE-2021-45038).

All MediaWiki versions since 1.32.0 are vulnerable to the editing permissions bypass (CVE-2021-44857).

== How is this being fixed long-term? ==
All actions except "view" now require an explicit "read" user right. This is similar to the permission checks used in the Action and REST APIs. If further vulnerabilities are found in actions, they will at least not be exploitable by logged-out users on private wikis.

Actions that need to be usable on {{wg|WhitelistRead}} pages can override the new <code>Action::needsReadRight()</code> function.

== How can I see if someone exploited it on my wiki? ==
Look for <code>action=mcrundo</code> or <code>action=mcrrestore</code> in your access logs. Unless you specifically enabled an extension that uses [[Multi-Content Revisions|multi-content revisions]], there is no legitimate use for these actions.

In addition, look for <code>action=edit&undo=###&undoafter=###</code> requests and check whether the revision ids belong to a different title than the page being edited.

For the rollback bug, look for <code>action=rollback&from=...</code> where the "from" parameter is a template transclusion (for example, <code>from={{:private page}}</code>).
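The three indicators above can be checked mechanically. The following script is an added example written for this FAQ, not code from MediaWiki or the release: it parses Apache/nginx "combined" access-log lines (your server must log query strings for this to work), flags any <code>mcrundo</code>/<code>mcrrestore</code> request, flags <code>action=edit</code> undo requests whose revision ids belong to a different title than the page being edited, and flags <code>action=rollback</code> requests whose <code>from</code> parameter contains a transclusion. The <code>REVISION_TITLES</code> mapping and the log lines are constructed sample data; in practice you would populate the mapping from your wiki's revision and page tables.

```python
"""Triage access-log lines for the indicators listed in this FAQ.

Added example for this FAQ; it is not part of MediaWiki or the release.
Assumes the Apache/nginx "combined" log format with query strings logged.
REVISION_TITLES stands in for a rev-id -> page-title lookup that you would
populate from your wiki's revision/page tables (constructed sample data here).
"""
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample data: revision id -> title that revision belongs to.
REVISION_TITLES = {
    1001: "Main_Page",
    1002: "Main_Page",
    2001: "Secret_Plan",   # a page on the private wiki that must not leak
}

# Constructed sample log (combined format); lines 1, 2 and 4 are malicious.
SAMPLE_LOG = """\
203.0.113.5 - - [15/Dec/2021:03:16:00 +0000] "GET /index.php?title=Main_Page&action=mcrundo&undo=2001&undoafter=1001 HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.5 - - [15/Dec/2021:03:17:00 +0000] "GET /index.php?title=Main_Page&action=edit&undo=2001&undoafter=1001 HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
198.51.100.7 - - [15/Dec/2021:03:18:00 +0000] "GET /index.php?title=Main_Page&action=edit&undo=1002&undoafter=1001 HTTP/1.1" 200 4000 "-" "Mozilla/5.0"
203.0.113.5 - - [15/Dec/2021:03:19:00 +0000] "GET /index.php?title=Main_Page&action=rollback&from=%7B%7B%3ASecret_Plan%7D%7D&token=abc HTTP/1.1" 200 3000 "-" "Mozilla/5.0"
198.51.100.7 - - [15/Dec/2021:03:20:00 +0000] "GET /wiki/Main_Page HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)


def normalize_title(title):
    """MediaWiki treats spaces and underscores in titles as equivalent."""
    return None if title is None else title.strip().replace(" ", "_")


def parse_request(line):
    """Return ip, title and query parameters for one log line, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    # parse_qs percent-decodes for us; keep the last value of repeated keys
    params = {k: v[-1] for k, v in parse_qs(parts.query, keep_blank_values=True).items()}
    title = params.get("title")
    if title is None and parts.path.startswith("/wiki/"):
        title = unquote(parts.path[len("/wiki/"):])
    return {"ip": m.group("ip"), "title": normalize_title(title), "params": params}


def classify(req, revision_titles=REVISION_TITLES):
    """Return a reason string if the request matches an indicator, else None."""
    params = req["params"]
    action = params.get("action", "view")
    if action in ("mcrundo", "mcrrestore"):
        # No legitimate use unless a multi-content-revision extension is installed.
        return f"action={action} (CVE-2021-44857 / CVE-2021-44858)"
    if action == "edit" and "undo" in params and "undoafter" in params:
        for key in ("undo", "undoafter"):
            rev = params[key]
            owner = revision_titles.get(int(rev)) if rev.isdigit() else None
            if owner is not None and owner != req["title"]:
                return (f"{key}={rev} belongs to {owner}, not {req['title']} "
                        "(CVE-2021-44858)")
    if action == "rollback" and "{{" in params.get("from", ""):
        return f"rollback from={params['from']!r} is a transclusion (CVE-2021-45038)"
    return None


def scan(log_text, revision_titles=REVISION_TITLES):
    """Return [(line_number, ip, reason)] for every suspicious line."""
    hits = []
    for n, line in enumerate(log_text.splitlines(), start=1):
        req = parse_request(line)
        if req is None:
            continue
        reason = classify(req, revision_titles)
        if reason:
            hits.append((n, req["ip"], reason))
    return hits


if __name__ == "__main__":
    for n, ip, reason in scan(SAMPLE_LOG):
        print(f"line {n} {ip}: {reason}")
```

Run it against your real log with <code>scan(open("access.log").read(), revision_titles)</code>, where <code>revision_titles</code> is built from the <code>revision</code> and <code>page</code> tables. Undo requests whose revision ids are not in the mapping are not flagged, so make sure the mapping covers the whole rev-id range that appears in the logs; a revision id that does not exist on your wiki at all is itself worth a look.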

This bug does not cause any data loss, so any write actions an attacker could have taken will be recorded in page history like all other edits.

== Credit ==
The issue was discovered by [https://phabricator.wikimedia.org/p/Dylsss/ Dylsss], many thanks to them for identifying and reporting the issue. If you find a bug in MediaWiki, please see the process for [[reporting security bugs]].

Event Timeline

Legoktm changed the task status from Open to In Progress. Dec 15 2021, 3:16 AM

I think this is ready to go whenever the release goes out.

Legoktm renamed this task from Draft FAQ for undo security bug to Publish FAQ for undo security bug. Dec 15 2021, 3:16 AM
Reedy triaged this task as High priority.
Reedy changed the visibility from "Custom Policy" to "Public (No Login Required)". Dec 15 2021, 7:41 PM
Reedy changed the edit policy from "Custom Policy" to "All Users".