
CVE-2021-45038: Unauthorized users can access private wiki contents using rollback action
Closed, Resolved | Public | Security

Description

Using ?action=rollback&from={{:private page}}, users can access private wiki contents. This is because the from parameter is parsed as full wikitext and transcludes the private page. Very similar to T297322, but it is a different component and exploited in a different way, so creating this as a new task. This is not exploitable on Wikimedia wikis because $wgWhitelistRead is disabled.

Event Timeline

This is a regression from 0a840327110951c64eac4b50a192a9b1d80e468b (1.33+) in which show() was overridden, so the check to checkCanExecute() was lost. This was kind of noticed in dda5355c0ee804c94ff371a8a16c4a2a8e4436bd but the permissions realization wasn't recognized.

Note that this isn't a full permissions bypass because it does get checked later by RollbackPage.

The lack of escaping on the from parameter is an instance of {T157426}. wfEscapeWikitext() is one fix, but really we should be able to get the username out of the database instead of relying on user-supplied text.
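The two defects described above (the dropped checkCanExecute() call and the unescaped `from` parameter) are easiest to see side by side. The following Python model is an added illustration written for this page; it is not MediaWiki's PHP code. The page store, the whitelist, the user rights table, the revision table and all function names are constructed for the example, `escape_wikitext()` only approximates what wfEscapeWikitext() does, and the toy parser expands `{{:Title}}` transclusions without applying per-page read rights, which is the property the exploit relies on.

```python
"""Toy model of CVE-2021-45038: a user-supplied `from` parameter rendered as
wikitext lets a request transclude a page the requester may not read.
Added illustration, not MediaWiki code; all data below is constructed."""
import re

# Constructed wiki content plus a read policy modelled on a private wiki
# where anonymous users may read only whitelisted titles.
PAGES = {
    "Main Page": "Welcome to the wiki.",
    "Internal/Plans": "Q1 roadmap: acquire ExampleCorp (confidential)",
}
WHITELIST_READ = {"Main Page"}                  # stand-in for $wgWhitelistRead
RIGHTS = {"anon": set(), "alice": {"rollback"}}  # constructed user rights
LAST_EDITOR = {"Main Page": "Alice", "Internal/Plans": "Bob"}  # constructed revision data

TRANSCLUSION = re.compile(r"\{\{:([^{}|]+)\}\}")


def can_read(user, title):
    """Logged-in users read everything; anonymous users only whitelisted pages."""
    return user != "anon" or title in WHITELIST_READ


def parse_wikitext(text):
    """Toy parser: expands {{:Title}} from the page store. Like the real
    parser it applies no read check to transcluded pages; the action that
    builds the wikitext is responsible for access control."""
    def expand(match):
        title = match.group(1).strip()
        return PAGES.get(title, f"[[{title}]] (page does not exist)")
    return TRANSCLUSION.sub(expand, text)


def escape_wikitext(text):
    """Approximation of wfEscapeWikitext(): markup characters become numeric
    entities so the string is displayed literally instead of being parsed."""
    table = {"{": "&#123;", "}": "&#125;", "[": "&#91;", "]": "&#93;",
             "|": "&#124;", "'": "&#39;", "<": "&lt;", ">": "&gt;"}
    return "".join(table.get(ch, ch) for ch in text)


def check_can_execute(user, title):
    """Stand-in for Action::checkCanExecute(): the viewer must be able to
    read the page and hold the action's right before anything is rendered."""
    if not can_read(user, title):
        raise PermissionError(f"{user} may not read {title}")
    if "rollback" not in RIGHTS.get(user, set()):
        raise PermissionError(f"{user} lacks the rollback right")


def rollback_show_vulnerable(user, title, from_param):
    """The regressed show(): no checkCanExecute(), raw `from` in the message."""
    msg = f"Revert edits by {from_param} to [[{title}]]?"
    return parse_wikitext(msg)


def rollback_show_fixed(user, title, from_param):
    """Permission check restored and `from` escaped before the parser sees it."""
    check_can_execute(user, title)
    msg = f"Revert edits by {escape_wikitext(from_param)} to [[{title}]]?"
    return parse_wikitext(msg)


def rollback_show_from_db(user, title, from_param):
    """Variant preferred in the thread: take the editor name from stored
    revision data and only compare the parameter against it."""
    check_can_execute(user, title)
    editor = LAST_EDITOR[title]
    if from_param != editor:
        # Parameter disagrees with the revision table: refuse without echoing it.
        return "Rollback failed: `from` does not match the last editor."
    msg = f"Revert edits by {escape_wikitext(editor)} to [[{title}]]?"
    return parse_wikitext(msg)


if __name__ == "__main__":
    payload = "{{:Internal/Plans}}"
    print(rollback_show_vulnerable("anon", "Main Page", payload))  # leaks the private page
    print(rollback_show_fixed("alice", "Main Page", payload))      # shows the literal markup
```

Run stand-alone, the first call prints the confidential text for an anonymous requester on a public page, while the fixed variant raises for `anon` and, for a user who passes the check, renders the payload as inert entities. The database-backed variant removes the user-controlled string from the rendered message entirely, which is the stronger fix because it no longer depends on the escaping being complete.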

Legoktm added a parent task: Restricted Task. Dec 13 2021, 2:15 AM

@Dylsss I'm curious how you're finding these issues - are you just going through each endpoint and looking at possible vulnerable parameters? Or do you have some tool to help with finding them?

Legoktm triaged this task as High priority. Dec 13 2021, 2:41 AM
Legoktm added a project: Patch-For-Review.

I also backported dda5355c0ee8 to 1.35-1.37 for consistency.

Virtual CR+2. I'll deploy this to the cluster later today.

In T297574#7565681, @Majavah wrote:

Virtual CR+2. I'll deploy this to the cluster later today.

Deployed to both wmf.9 and wmf.12.

Reedy renamed this task from Unauthorized users can access private wiki contents using rollback action to CVE-2021-45038: Unauthorized users can access private wiki contents using rollback action. Dec 13 2021, 6:32 PM

Same patch as above, but with CVE ID in commit message. Applies to all supported branches, but needs -3 on REL1_35 and REL1_36.

Change 747572 had a related patch set uploaded (by Reedy; author: Legoktm):

[mediawiki/core@REL1_35] SECURITY: Fix permissions check in action=rollback (CVE-2021-45038)

https://gerrit.wikimedia.org/r/747572

Change 747579 had a related patch set uploaded (by Reedy; author: Legoktm):

[mediawiki/core@REL1_36] SECURITY: Fix permissions check in action=rollback (CVE-2021-45038)

https://gerrit.wikimedia.org/r/747579

Change 747586 had a related patch set uploaded (by Reedy; author: Legoktm):

[mediawiki/core@REL1_37] SECURITY: Fix permissions check in action=rollback (CVE-2021-45038)

https://gerrit.wikimedia.org/r/747586

Change 747597 had a related patch set uploaded (by Reedy; author: Legoktm):

[mediawiki/core@master] SECURITY: Fix permissions check in action=rollback (CVE-2021-45038)

https://gerrit.wikimedia.org/r/747597

Change 747572 merged by jenkins-bot:

[mediawiki/core@REL1_35] SECURITY: Fix permissions check in action=rollback (CVE-2021-45038)

https://gerrit.wikimedia.org/r/747572

Reedy changed the visibility from "Custom Policy" to "Public (No Login Required)".
Reedy changed the edit policy from "Custom Policy" to "All Users".

Change 747586 merged by jenkins-bot:

[mediawiki/core@REL1_37] SECURITY: Fix permissions check in action=rollback (CVE-2021-45038)

https://gerrit.wikimedia.org/r/747586

Change 747579 merged by jenkins-bot:

[mediawiki/core@REL1_36] SECURITY: Fix permissions check in action=rollback (CVE-2021-45038)

https://gerrit.wikimedia.org/r/747579

Change 747597 merged by jenkins-bot:

[mediawiki/core@master] SECURITY: Fix permissions check in action=rollback (CVE-2021-45038)

https://gerrit.wikimedia.org/r/747597

Hi @Dylsss, I'd be happy to set up a call or some other type of meeting at your convenience if that is something you'd be interested in sharing. Either way, thank you for everything you do!

I discussed this shortly with @Legoktm on IRC. But I am just going through different MediaWiki components and extensions and learning how they work, what parameters they accept and how they are used, etc. It's nothing special really, and I am not using any specific tool to find them.