
CVE-2022-41346: Special:OAuth/rest_redirect does unrestricted redirects
Closed, Resolved (Public, Security)

Description

Special:OAuth/rest_redirect (apparently created to make the returnto / returntoquery mechanism used by login/signup able to target MediaWiki REST API endpoints) does unrestricted redirects.

Example: https://www.mediawiki.org/wiki/Special:OAuth/rest_redirect?rest_url=https:/evil.com/
Another example (which is fairly easy to exploit, just send the user to the login page and then have the redirect page replicate the login page with an apparent login error): https://mediawiki.org/wiki/Special:UserLogin?returnto=Special:OAuth/rest_redirect&returntoquery=rest_url%3Dhttps%3A%2F%2Fevil.com%2F

Instead of just calling wfExpandUrl() the code should validate that it received a URL with only a path component.

Event Timeline

Good catch. I'd guess it would be fairly trivial to build allow lists to validate returnto and returntoquery. The question is which one should we use, since we have several ways of doing this that I'm aware of (1, 2, 3, 4, etc.)


I don't think Special:OAuth/rest_redirect needs cross-domain redirects at all, so it just needs to verify that the redirect URL is relative to the current domain (which it is for the redirects generated by OAuth itself). And maybe verify that the path component has the correct prefix for the OAuth REST API, although I don't think there's any harm in redirecting elsewhere - an attacker can already send the user's browser to an arbitrary Wikipedia page.
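
The validation described in the two comments above (accept only a path-only URL relative to the current domain, optionally require the OAuth REST prefix, and only then expand it to an absolute URL), as an added, standalone Python illustration; it is not the extension's PHP patch and does not use wfExpandUrl(). The names is_safe_rest_redirect, build_redirect and OAUTH_REST_PREFIX are assumptions for this example; the prefix value is taken from the /w/rest.php/oauth2/authorize test URL on this task, and the sample inputs are constructed from the task's own examples.

```python
from typing import Optional
from urllib.parse import urlsplit

# Assumed prefix for the OAuth REST endpoints; the authorize endpoint mentioned on
# this task lives under /w/rest.php/oauth2/, so that is what the example uses.
OAUTH_REST_PREFIX = "/w/rest.php/oauth2/"


def is_safe_rest_redirect(rest_url: str,
                          required_prefix: Optional[str] = OAUTH_REST_PREFIX) -> bool:
    """Return True only if rest_url is a same-origin, path-only URL.

    Accepts:  /w/rest.php/oauth2/authorize?response_type=code&client_id=1
    Rejects:  https://evil.com/            (absolute URL, other host)
              https:/evil.com/             (scheme present, host slot empty)
              //evil.com/                  (protocol-relative, resolves to another host)
              /\\evil.com                  (browsers normalise \\ to /, giving //evil.com)
              w/rest.php/oauth2/authorize  (no leading slash, not a bare path)
              anything containing CR/LF or other control characters
    """
    # A bare path always starts with exactly one slash; this also rejects
    # "https:/evil.com/" and "https://evil.com/" before any parsing happens.
    if not rest_url or not rest_url.startswith("/"):
        return False
    # A second leading slash makes the URL protocol-relative (//host/path).
    if rest_url.startswith("//"):
        return False
    # CR/LF or other control characters must never reach a Location header.
    if any(ord(c) < 0x20 or c == "\x7f" for c in rest_url):
        return False
    # Browsers treat backslash as slash, so "/\evil.com" behaves like "//evil.com".
    if "\\" in rest_url:
        return False
    parts = urlsplit(rest_url)
    # Belt and braces: a path-only URL has neither a scheme nor an authority.
    if parts.scheme or parts.netloc:
        return False
    if required_prefix is not None and not parts.path.startswith(required_prefix):
        return False
    return True


def build_redirect(server_base: str, rest_url: str,
                   required_prefix: Optional[str] = OAUTH_REST_PREFIX) -> Optional[str]:
    """Expand a validated path to an absolute same-origin URL, or return None.

    server_base is the wiki's own origin (e.g. "https://www.mediawiki.org"); the
    path is only ever appended to it, so the result cannot leave that origin.
    """
    if not is_safe_rest_redirect(rest_url, required_prefix):
        return None
    return server_base.rstrip("/") + rest_url


if __name__ == "__main__":
    # Constructed sample inputs, taken from the examples on this task.
    base = "https://www.mediawiki.org"
    for candidate in (
        "/w/rest.php/oauth2/authorize?response_type=code&client_id=1",
        "https:/evil.com/",
        "https://evil.com/",
        "//evil.com/",
        "/\\evil.com",
    ):
        print(f"{candidate!r:65} -> {build_redirect(base, candidate)}")
```

Rejecting before parsing matters: urlsplit() alone is not a safe oracle, because "https:/evil.com/" parses with an empty netloc and "/\evil.com" parses as a harmless path, yet a browser follows both to evil.com.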

mmartorana changed the task status from Open to In Progress. Jul 21 2022, 5:51 PM
mmartorana triaged this task as Medium priority.
mmartorana changed Risk Rating from N/A to Medium.

Hi @Tgr - are you willing to write a patch for this issue?

To test that the vulnerability is patched, visit <wiki>/wiki/Special:OAuth/rest_redirect?rest_url=https:/evil.com/
To test that the functionality still works, visit <wiki>/w/rest.php/oauth2/authorize?response_type=code&client_id=1 (which should redirect you back there after a login)

Hi @Tgr - thank you for your patch.

I confirm the vulnerability is fixed.

I am uploading this new patch file because I had some issues applying yours (probably spaces).

Deployed @mmartorana's above patch to 1.40.0-wmf.1. Tested on mwdebug1002 under meta and it appears to work as intended. No issues in logstash. Now tracking at T276237 and T311785.

Mstyles renamed this task from Special:OAuth/rest_redirect does unrestricted redirects to CVE-2022-41346: Special:OAuth/rest_redirect does unrestricted redirects. Oct 5 2022, 11:34 PM
Mstyles moved this task from Watching to Our Part Is Done on the Security-Team board.
Mstyles added a subscriber: gerritbot.

Change 838938 had a related patch set uploaded (by Mstyles; author: Gergő Tisza):

[mediawiki/extensions/OAuth@master] SECURITY: Prevent open redirect in Special:OAuth/rest_redirect

https://gerrit.wikimedia.org/r/838938

Change 838821 had a related patch set uploaded (by Mstyles; author: Gergő Tisza):

[mediawiki/extensions/OAuth@REL1_37] SECURITY: Prevent open redirect in Special:OAuth/rest_redirect

https://gerrit.wikimedia.org/r/838821

Change 838822 had a related patch set uploaded (by Mstyles; author: Gergő Tisza):

[mediawiki/extensions/OAuth@REL1_38] SECURITY: Prevent open redirect in Special:OAuth/rest_redirect

https://gerrit.wikimedia.org/r/838822

Change 838823 had a related patch set uploaded (by Mstyles; author: Gergő Tisza):

[mediawiki/extensions/OAuth@REL1_39] SECURITY: Prevent open redirect in Special:OAuth/rest_redirect

https://gerrit.wikimedia.org/r/838823

Change 838938 merged by jenkins-bot:

[mediawiki/extensions/OAuth@master] SECURITY: Prevent open redirect in Special:OAuth/rest_redirect

https://gerrit.wikimedia.org/r/838938

sbassett changed the visibility from "Custom Policy" to "Public (No Login Required)". Oct 6 2022, 4:32 PM
sbassett changed the edit policy from "Custom Policy" to "All Users".

Change 838822 merged by SBassett:

[mediawiki/extensions/OAuth@REL1_38] SECURITY: Prevent open redirect in Special:OAuth/rest_redirect

https://gerrit.wikimedia.org/r/838822

Change 838821 merged by SBassett:

[mediawiki/extensions/OAuth@REL1_37] SECURITY: Prevent open redirect in Special:OAuth/rest_redirect

https://gerrit.wikimedia.org/r/838821

Change 838823 merged by SBassett:

[mediawiki/extensions/OAuth@REL1_39] SECURITY: Prevent open redirect in Special:OAuth/rest_redirect

https://gerrit.wikimedia.org/r/838823