
Infoleak on https://wiki.wikimedia.it due to CVE-2021-44858 and Lockdown
Closed, Resolved | Public | Security

Description

Some pages on this wiki are protected from being read with Lockdown. E.g. https://wiki.wikimedia.it/index.php?oldid=9999 shows a permission error; however, you can access the information at https://wiki.wikimedia.it/wiki/Pagina_principale?action=edit&undo=1202941&undoafter=9999. The temporary workaround here: https://www.mediawiki.org/wiki/2021-12_security_release/FAQ should be used until the wiki is upgraded (T268515).


Even if T273607 suggests that secrets/passwords are/were stored on the wiki, this is not considered a high problem anymore, since those legacy pages were deleted months ago.

Note that the risk is not high since this is not a corporate wiki with sensitive private information. The non-public information is non-public just for convenience, to keep internal discussions, stubs, and unnecessary-public information away from being indexed and found by the general public (or something like that). Plus, members already can copy and share information with the public (the license encourages this; this probably doesn't happen because there's nothing interesting about it).

Event Timeline

The interesting part is that the wiki already has the suggested mitigation:

$wgActions['mcrundo'] = false;
$wgActions['mcrrestore'] = false;
$wgActions['rollback'] = false;
$wgWhitelistRead = [];
$wgWhitelistReadRegexp = [];

@Nemo_bis what do you think about?

valerio.bozzolan updated the task description.

> The interesting part is that the wiki already has the suggested mitigation:
>
> $wgActions['mcrundo'] = false;
> $wgActions['mcrrestore'] = false;
> $wgActions['rollback'] = false;
> $wgWhitelistRead = [];
> $wgWhitelistReadRegexp = [];

The mitigation addresses the infoleak via undoafter by setting wgWhitelistRead to nothing, which prevents you from accessing any actions in the first place. But this doesn't work in the case of a partially private wiki. Probably the only way to fix would be to patch MediaWiki itself. If the private information isn't that sensitive, then it may be easier to just wait until the wiki is upgraded?
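The distinction drawn above (fully private wiki, where emptying the read whitelist makes every action unreachable for anonymous users, versus a partially private wiki using Lockdown, where action=edit on a public page stays reachable and undo/undoafter can still point at a hidden revision) can be checked mechanically against LocalSettings.php. The following is an added example, not code from this task or from MediaWiki; it assumes Lockdown's read restrictions are configured through $wgNamespacePermissionLockdown, and the sample configuration is constructed.

```python
import re

# Actions the 2021-12 MediaWiki security release FAQ tells admins to disable.
LEAK_ACTIONS = ("mcrundo", "mcrrestore", "rollback")


def _set_false(settings: str, var: str) -> bool:
    """True when LocalSettings.php assigns literal false to the PHP variable/element."""
    return re.search(re.escape(var) + r"\s*=\s*false\s*;", settings) is not None


def assess_mitigation(settings: str) -> dict:
    """Classify a LocalSettings.php text against the pre-upgrade workaround.

    'partial': anonymous read is on and Lockdown hides namespaces; action=edit stays
               reachable on public pages, so the workaround is insufficient (upgrade).
    'public':  anonymous read is on and nothing is hidden; nothing to leak.
    'exposed': private wiki, but a leak-prone action or a read whitelist remains.
    'ok':      private wiki with the full workaround applied.
    """
    still_enabled = [a for a in LEAK_ACTIONS
                     if not _set_false(settings, f"$wgActions['{a}']")]
    anon_read = not _set_false(settings, "$wgGroupPermissions['*']['read']")
    # Assumption: Lockdown read restrictions live in $wgNamespacePermissionLockdown.
    lockdown_read = re.search(
        r"\$wgNamespacePermissionLockdown\[[^\]]+\]\['read'\]", settings) is not None
    whitelist_empty = re.search(r"\$wgWhitelistRead\s*=\s*\[\s*\]\s*;", settings) is not None

    if anon_read and lockdown_read:
        verdict = "partial"
    elif anon_read:
        verdict = "public"
    elif still_enabled or not whitelist_empty:
        verdict = "exposed"
    else:
        verdict = "ok"
    return {"verdict": verdict, "still_enabled": still_enabled,
            "anon_read": anon_read, "lockdown_read": lockdown_read}


# Constructed sample resembling the configuration quoted in this task:
# the workaround is applied, but Lockdown hides a namespace while '*' can still read.
SAMPLE_PARTIAL = """
wfLoadExtension( 'Lockdown' );
$wgNamespacePermissionLockdown[NS_PROJECT]['read'] = [ 'user' ];
$wgActions['mcrundo'] = false;
$wgActions['mcrrestore'] = false;
$wgActions['rollback'] = false;
$wgWhitelistRead = [];
$wgWhitelistReadRegexp = [];
"""
```

Running assess_mitigation(SAMPLE_PARTIAL) yields the 'partial' verdict, i.e. the case where only the upgrade (or a MediaWiki patch) closes the leak.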

I think we have done our homework during T268515: Upgrade wiki.wikimedia.it from 1.26.4 to latest LTS and T310681: Drop the Lockdown extension from wiki.wikimedia.it, and this broken access control seems fixed from my perspective.

If you confirm as well, I would like to thank you, and mark this as resolved and remove the security policy to make this public.

ayyyy

Thank you @Dylsss for your nice security report!

Now it's time for gadgets. Please contact info@wikimedia.it to allow us to send you a nice gadget or some weird Italian food, to allow Wikimedia Italy to share a tangible thank you but also to have your keyboard more pizza-dirty, as we like.

In the e-mail please just tell us shipping information, like:

  • a name
  • postal code
  • country
  • street address
  • house number

This information does not have to be your personal information; it can be related to a public building around you in which you can pick up a package, or a friend, etc.

In the email, please just write also a random hash, and repeat that hash here in the comments, so WMIT can match you.

Some related information:

https://meta.wikimedia.org/wiki/Wikimedia_Italia/Reporting_security_bugs

By the way, feel free to publish this Task if you are able to confirm its resolution, or just share further notes. WMIT will thank you in both cases.

@valerio.bozzolan In the sense of making this public? Edit Task > Visible To / Editable By (but not sure if you have rights)

Aklapper changed the visibility from "Custom Policy" to "Public (No Login Required)". Sep 20 2022, 10:26 AM
Aklapper changed the edit policy from "Custom Policy" to "All Users".

Done :)