Using ?action=rollback&from={{:private page}}, users can access private wiki contents. This is because the from parameter is parsed as full wikitext and transcludes the private page. Very similar to T297322, but it is a different component and exploited in a different way, so creating as a new task. This is not exploitable on Wikimedia wikis because $wgWhitelistRead is disabled.
Details

Status | Subtype | Assigned | Task
---|---|---|---
Resolved | | Reedy | T292226 Release MediaWiki 1.35.5/1.36.3/1.37.1
Resolved | | Reedy | T292227 Tracking bug for MediaWiki 1.35.5/1.36.3/1.37.1
Restricted Task | | |
Resolved | Security | Legoktm | T297574 CVE-2021-45038: Unauthorized users can access private wiki contents using rollback action
Event Timeline
This is a regression from 0a840327110951c64eac4b50a192a9b1d80e468b (1.33+) in which show() was overridden, so the check to checkCanExecute() was lost. This was kind of noticed in dda5355c0ee804c94ff371a8a16c4a2a8e4436bd but the permissions realization wasn't recognized.
Note that this isn't a full permissions bypass because it does get checked later by RollbackPage.
The lack of escaping on the from parameter is an instance of {T157426}. wfEscapeWikitext() is one fix, but really we should be able to get the username out of the database instead of relying on user-supplied text.
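The regression and the fix described above, as an added toy model written for this page (not MediaWiki's own code; assumes PHP 8, and `ToyAction`, `canRead()`, `parseWikitext()`, `escapeWikitext()` and the `PAGES` contents are constructed stand-ins for the real Action base class, permission check, parser and wiki):

```php
<?php
// Constructed model of the bug: an overridden show() skips checkCanExecute(),
// so the user-supplied "from" text is parsed as wikitext before any read check.
class PermissionsError extends Exception {}

// Constructed private wiki content and a stand-in for the read permission.
const PAGES = [ 'Secret' => 'top secret notes' ];
function canRead(string $user): bool { return $user === 'editor'; }

// Stand-in parser: expands {{:Page}} transclusions, the behaviour the report relies on.
function parseWikitext(string $text): string {
    return preg_replace_callback('/\{\{:([^}]+)\}\}/', fn($m) => PAGES[$m[1]] ?? '', $text);
}

// Modelled on wfEscapeWikitext(): turn markup characters into entities.
function escapeWikitext(string $text): string {
    return strtr($text, ['{' => '&#123;', '}' => '&#125;', '[' => '&#91;', ']' => '&#93;']);
}

abstract class ToyAction {
    public function __construct(protected string $user, protected string $from) {}
    protected function checkCanExecute(): void {
        if (!canRead($this->user)) { throw new PermissionsError('read permission required'); }
    }
    // The base show() runs the permission check before anything is rendered.
    public function show(): string { $this->checkCanExecute(); return $this->render(); }
    abstract protected function render(): string;
}

class VulnerableRollbackAction extends ToyAction {
    // Regression pattern: show() overridden, so the base class check is never reached.
    public function show(): string { return $this->render(); }
    protected function render(): string {
        return 'Rolling back edits by ' . parseWikitext($this->from);
    }
}

class FixedRollbackAction extends ToyAction {
    // Fix: keep the checked base show() and escape the user-supplied name.
    protected function render(): string {
        return 'Rolling back edits by ' . parseWikitext(escapeWikitext($this->from));
    }
}

$from = '{{:Secret}}';
echo (new VulnerableRollbackAction('anon', $from))->show(), "\n";  // leaks "top secret notes"
try {
    (new FixedRollbackAction('anon', $from))->show();
} catch (PermissionsError $e) {
    echo 'denied: ', $e->getMessage(), "\n";                         // read check now runs first
}
echo (new FixedRollbackAction('editor', $from))->show(), "\n";      // escaped literal, no transclusion
```

Even a user who passes the read check only gets the escaped name back, which is the defence-in-depth point of wfEscapeWikitext() on top of the restored checkCanExecute() call.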
@Dylsss I'm curious how you're finding these issues - are you just going through each endpoint and looking at possible vulnerable parameters? Or do you have some tool to help with finding them?
Same patch as above, but with CVE ID in commit message. Applies to all supported branches, but needs -3 on REL1_35 and REL1_36.
Change 747572 had a related patch set uploaded (by Reedy; author: Legoktm):
[mediawiki/core@REL1_35] SECURITY: Fix permissions check in action=rollback (CVE-2021-45038)
Change 747579 had a related patch set uploaded (by Reedy; author: Legoktm):
[mediawiki/core@REL1_36] SECURITY: Fix permissions check in action=rollback (CVE-2021-45038)
Change 747586 had a related patch set uploaded (by Reedy; author: Legoktm):
[mediawiki/core@REL1_37] SECURITY: Fix permissions check in action=rollback (CVE-2021-45038)
Change 747597 had a related patch set uploaded (by Reedy; author: Legoktm):
[mediawiki/core@master] SECURITY: Fix permissions check in action=rollback (CVE-2021-45038)
Change 747572 merged by jenkins-bot:
[mediawiki/core@REL1_35] SECURITY: Fix permissions check in action=rollback (CVE-2021-45038)
Change 747586 merged by jenkins-bot:
[mediawiki/core@REL1_37] SECURITY: Fix permissions check in action=rollback (CVE-2021-45038)
Change 747579 merged by jenkins-bot:
[mediawiki/core@REL1_36] SECURITY: Fix permissions check in action=rollback (CVE-2021-45038)
Change 747597 merged by jenkins-bot:
[mediawiki/core@master] SECURITY: Fix permissions check in action=rollback (CVE-2021-45038)
Hi @Dylsss I'd be happy to set up a call or some other type of meeting at your convenience if that is something you'd be interested in sharing. Either way, thank you for everything you do!
I discussed this shortly with @Legoktm on IRC. But I am just going through different MediaWiki components and extensions and learning how they work, what parameters they accept and how they are used, etc. It's nothing special really, and I am not using any specific tool to find them.