Page MenuHomePhabricator
Create Task
Maniphest T306587

Infoleak on https://wiki.wikimedia.it due to CVE-2021-44858 and Lockdown
Closed, ResolvedPublicSecurity
Actions

Description

Some pages on this wiki are protected from being read with Lockdown. E.g. https://wiki.wikimedia.it/index.php?oldid=9999 shows a permission error however you can access the information at https://wiki.wikimedia.it/wiki/Pagina_principale?action=edit&undo=1202941&undoafter=9999. The temporary workaround here: https://www.mediawiki.org/wiki/2021-12_security_release/FAQ should be used until the wiki is upgraded (T268515).

Even if T273607 suggests that secrets/password are/were stored on the wiki, this is not considered an high problem anymore, since those legacy pages has been deleted since months.

Note that the risk is not high since this is not a corporate wiki with sensitive private information. The non-public information are non-public just for convenience, to keep internal discussions, stubs, and unnecessary-public-information away from being indexed and found by the general public (or something like that). Plus, members already can copy and share information with the public (the license encourages this - this probably doesn't happen because there's nothing interesting about it).

Related Objects
Search...

Event Timeline

Dylsss created this task.Apr 21 2022, 2:21 AM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptApr 21 2022, 2:21 AM
Dylsss added a project: WMIT-Infrastructure.Apr 21 2022, 2:27 AM
Dylsss added a subscriber: valerio.bozzolan.
valerio.bozzolan added a subscriber: Nemo_bis.Apr 21 2022, 8:28 AM

The interesting part is that the wiki already has the suggested mitigation:

$wgActions['mcrundo'] = false;
$wgActions['mcrrestore'] = false;
$wgActions['rollback'] = false;
$wgWhitelistRead = [];
$wgWhitelistReadRegexp = [];

@Nemo_bis what do you think about?

valerio.bozzolan triaged this task as Medium priority.Apr 21 2022, 8:45 AM
valerio.bozzolan updated the task description. (Show Details)
sbassett edited projects, added MediaWiki-extensions-Lockdown, SecTeam-Processed; removed Security-Team.Apr 21 2022, 3:59 PM
Dylsss added a comment.May 6 2022, 11:35 AM
In T306587#7870549, @valerio.bozzolan wrote:

The interesting part is that the wiki already has the suggested mitigation:

$wgActions['mcrundo'] = false;
$wgActions['mcrrestore'] = false;
$wgActions['rollback'] = false;
$wgWhitelistRead = [];
$wgWhitelistReadRegexp = [];

The mitigation addresses the infoleak via undoafter by setting wgWhitelistRead to nothing, which prevents you from accessing any actions in the first place. But this doesn't work in the case of a partially private wiki. Probably the only way to fix would be to patch MediaWiki itself. If the private information isn't that sensitive, then it may be easier to just wait until the wiki is upgraded?

valerio.bozzolan added a subscriber: CVimercati-WMIT.May 17 2022, 7:33 PM
valerio.bozzolan moved this task from Backlog to 🌻 MediaWiki-related on the WMIT-Infrastructure board.Jul 23 2022, 9:25 AM
valerio.bozzolan mentioned this in T310607: Try to migrate and upgrade wiki.wikimedia.it on server intreccio.Jul 23 2022, 10:01 AM
valerio.bozzolan claimed this task.Aug 18 2022, 9:50 AM

I think we have done our homeworks during T268515: Upgrade wiki.wikimedia.it from 1.26.4 to latest LTS and T310681: Drop the Lockdown extension from wiki.wikimedia.it and this broken access control seems fixed from my perspective.

If you confirm as well, I would like to thank you, and mark this as resolved and remove the security policy to make this public.

ayyyy

valerio.bozzolan closed this task as Resolved.Aug 18 2022, 10:30 AM

Thank you @Dylsss for your nice security report!

Now it's time for gadgets. Please contact info@wikimedia.it to allow us to send you a nice gadget or some weird Italian food, to allow Wikimedia Italy to share a tangible thank you but also to have your keyboard more pizza-dirty, as we like.

In the e-mail please just tell us ship information, like:

  • a name
  • postal code
  • country
  • street address
  • house number

This information does not have to be your personal, it can be related to a public building around you in which you can pick up a package, or a friend, etc.

In the email, please just write also a random hash, and repeat that hash here in the comments, so WMIT can match you.

Some related information:

https://meta.wikimedia.org/wiki/Wikimedia_Italia/Reporting_security_bugs

By the way, feel free to publish this Task if you are able to confirm its resolution, or just share further notes. WMIT will thank you in both cases.

valerio.bozzolan added a comment.Sep 20 2022, 9:35 AM

@Aklapper how to publish this? Thank you

valerio.bozzolan added subtasks: T310681: Drop the Lockdown extension from wiki.wikimedia.it, T273607: Avoid storing secrets or private contents (e.g. readable by Direttivo-only, readable by Ufficio-only) on wiki.wikimedia.it not to require complex ACLs .Sep 20 2022, 9:37 AM
valerio.bozzolan added a subtask: T268515: Upgrade wiki.wikimedia.it from 1.26.4 to latest LTS.Sep 20 2022, 9:40 AM
Aklapper added a comment.Sep 20 2022, 9:47 AM

@valerio.bozzolan In the sense of making this public? Edit Task > Visible To / Editable By (but not sure if you have rights)

valerio.bozzolan added a comment.Sep 20 2022, 9:48 AM

I do not have enough rights.

Aklapper changed the visibility from "Custom Policy" to "Public (No Login Required)".Sep 20 2022, 10:26 AM
Aklapper changed the edit policy from "Custom Policy" to "All Users".

Done :)

valerio.bozzolan awarded a token.Sep 20 2022, 10:32 AM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits