Page MenuHomePhabricator
Create Task
Maniphest T314245

CVE-2022-41344: PageTriage extension - someone with patrol user right can mark own article as reviewed if they use api.php?action=pagetriageaction
Closed, ResolvedPublicSecurity
Actions

Assigned To
Zabe
Authored By
Novem_Linguae
Jul 31 2022, 10:41 AM
Tags
Referenced Files
F35378201: 0001-SECURITY-check-for-autopatrol-when-marking-own-artic.patch
Aug 1 2022, 8:03 PM
F35366068: 2022-07-31_034731.png
Jul 31 2022, 10:48 AM
F35366065: 2022-07-31_033259.png
Jul 31 2022, 10:48 AM
F35366062: 2022-07-31_033046.png
Jul 31 2022, 10:48 AM
Subscribers
Aklapper
Mstyles
Novem_Linguae
RhinosF1
sbassett
TheresNoTime
Zabe

Description

Steps to reproduce

  • create a test account on enwiki
  • use an admin account to assign it to the following user group: New Page Patroller (patroller)
  • log into the patroller account
  • create an article
  • refresh the page. note how the PageTriage toolbar pops up, but a bunch of icons such as "mark as reviewed" are missing. this is good. this means PageTriage's front end is correctly detecting that you are the author and you should not be able to mark your own article as reviewed.
  • now go to Special:ApiSandbox and try to mark the page as reviewed using pagetriageaction. set the pageid and set reviewed=1.
  • click "make request"

What should happen

  • should get an error

What actually happens

  • page is marked as reviewed. the back end is missing the needed permissions checking code.

Why is this a big deal?

  • If undisclosed paid editors figure this out, and have access to an account with the patrol user group, they will be able to mark their own articles as reviewed, basically getting autopatrolled without applying for it. There are many cases of undisclosed paid editors spending months to infiltrate enwiki to obtain these kinds of perms. It is lucrative for them to have their articles skip the patrol process and get indexed on google immediately.

The fix

2022-07-31_033046.png (931×1 px, 266 KB)

2022-07-31_033259.png (846×1 px, 88 KB)

2022-07-31_034731.png (584×1 px, 90 KB)

Details

Risk Rating
Low
Author Affiliation
Wikimedia Communities
SubjectRepoBranchLines +/-
SECURITY: check for autopatrol when marking own articles as reviewedmediawiki/extensions/PageTriageREL1_35+11 -0
SECURITY: check for autopatrol when marking own articles as reviewedmediawiki/extensions/PageTriageREL1_37+11 -0
SECURITY: check for autopatrol when marking own articles as reviewedmediawiki/extensions/PageTriageREL1_38+11 -0
SECURITY: check for autopatrol when marking own articles as reviewedmediawiki/extensions/PageTriageREL1_39+11 -0
SECURITY: check for autopatrol when marking own articles as reviewedmediawiki/extensions/PageTriagemaster+11 -0
Customize query in gerrit

Related Objects

Event Timeline

Novem_Linguae created this task.Jul 31 2022, 10:41 AM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptJul 31 2022, 10:41 AM
Novem_Linguae updated the task description. (Show Details)Jul 31 2022, 10:48 AM
Reedy added projects: PageTriage, Vuln-MissingAuthz.Jul 31 2022, 1:34 PM
Restricted Application added a project: Growth-Team. · View Herald TranscriptJul 31 2022, 1:34 PM
Zabe subscribed.Jul 31 2022, 2:30 PM
Zabe added a comment.Aug 1 2022, 8:03 PM

Should be fairly straight forward.

0001-SECURITY-check-for-autopatrol-when-marking-own-artic.patch1 KBDownload

Novem_Linguae added a comment.Aug 1 2022, 9:23 PM

Should we add the message markedaspatrollederror-noautopatrol to i18n/en.json and i18n/qqq.json?

Zabe added a comment.Aug 1 2022, 9:27 PM
In T314245#8121567, @Novem_Linguae wrote:

Should we add the message markedaspatrollederror-noautopatrol to i18n/en.json and i18n/qqq.json?

It does already exist: https://gerrit.wikimedia.org/r/plugins/gitiles/mediawiki/core/+/c1796065620733ebecb3ecdec245740d64e17203/languages/i18n/en.json#3328

Novem_Linguae added a comment.Aug 1 2022, 9:29 PM

Ah excellent. I was looking in PageTriage instead of core. Good idea to recycle the "patrol" message in core.

Tgr moved this task from Inbox to Triaged on the Growth-Team board.Aug 3 2022, 7:46 PM
mmartorana changed the task status from Open to In Progress.Aug 4 2022, 3:49 PM
mmartorana triaged this task as Low priority.
mmartorana changed Risk Rating from N/A to Low.
Novem_Linguae moved this task from Backlog to Code Review on the PageTriage board.Aug 5 2022, 12:54 AM
sbassett subscribed.Aug 8 2022, 3:07 PM
In T314245#8120985, @Zabe wrote:

Should be fairly straight forward.

0001-SECURITY-check-for-autopatrol-when-marking-own-artic.patch1 KBDownload

+1 untested. Patch makes sense. This could likely go out during today's security deployment window, though technically I'm "not working" today, so maybe next Monday, the 15th? Unless someone else would like to stage it on an mwdebug and then deploy it today.

sbassett moved this task from Incoming to Security Patch To Deploy on the Security-Team board.Aug 15 2022, 5:43 PM
Mstyles subscribed.Sep 12 2022, 9:34 PM

This patch from T314245#8120985 has been deployed: 19:59 maryum: deployed security patch for T314245

No issues were found in the logs after deploy.

Mstyles mentioned this in T311785: Write and send supplementary release announcement for extensions and skins with security patches (1.35.8/1.37.5/1.38.3).Sep 12 2022, 9:36 PM
sbassett moved this task from Security Patch To Deploy to Watching on the Security-Team board.Sep 13 2022, 3:30 PM
sbassett added a subscriber: RhinosF1.Sep 19 2022, 6:24 PM
Novem_Linguae added a comment.Sep 22 2022, 2:48 AM

I see this is deployed, thank you very much.

Did this get merged to the master branch? Are we supposed to wait for security reasons, or can we move forward with merging to master?

sbassett added a comment.Sep 22 2022, 3:01 AM
In T314245#8252258, @Novem_Linguae wrote:

Did this get merged to the master branch? Are we supposed to wait for security reasons, or can we move forward with merging to master?

Since this is for ext:PageTriage, which is not bundled, it wouldn't be a part of the regular mediawiki security release, but rather the supplemental release. For the supplemental release, we do not typically have hard and fast rules about when a security patch can be backported once it has been deployed to Wikimedia production. If the patch hasn't been backported by the time we are prepping the supplemental release, the Security-Team will typically make the bug public and backport it at that time. But if there is interest in starting on those backports a bit sooner, we can make the bug public and the patch can be pushed up to gerrit, and then "re-announced" via the supplemental release.

Novem_Linguae added a comment.Sep 22 2022, 3:24 AM

This is my first security patch so just wondering how the system works. I do have some patches I plan to work on that touch similar areas of the code but I won't have time to work on them for about a month.

What were you guys thinking for date?

sbassett added a comment.Sep 22 2022, 3:21 PM
In T314245#8252266, @Novem_Linguae wrote:

This is my first security patch so just wondering how the system works. I do have some patches I plan to work on that touch similar areas of the code but I won't have time to work on them for about a month.

No problem and sounds good about the additional security patches. Feel free to reach out to the Security-Team if you have any additional questions.

What were you guys thinking for date?

The next supplemental security release (tracked at T311785) will likely be released on Tuesday, October 4th, 2022. Typically, the regular MediaWiki security release and the supplemental release come out around the end of each quarter.

sbassett renamed this task from PageTriage extension - someone with patrol user right can mark own article as reviewed if they use api.php?action=pagetriageaction to CVE-2022-41344: PageTriage extension - someone with patrol user right can mark own article as reviewed if they use api.php?action=pagetriageaction.Oct 4 2022, 5:30 PM
sbassett changed Author Affiliation from N/A to Wikimedia Communities.
sbassett changed the visibility from "Custom Policy" to "Public (No Login Required)".
sbassett changed the edit policy from "Custom Policy" to "All Users".
gerritbot added a comment.Oct 4 2022, 5:32 PM

Change 838204 had a related patch set uploaded (by SBassett; author: Zabe):

[mediawiki/extensions/PageTriage@master] SECURITY: check for autopatrol when marking own articles as reviewed

https://gerrit.wikimedia.org/r/838204

gerritbot added a project: Patch-For-Review.Oct 4 2022, 5:32 PM
gerritbot added a comment.Oct 5 2022, 8:19 AM

Change 838204 merged by jenkins-bot:

[mediawiki/extensions/PageTriage@master] SECURITY: check for autopatrol when marking own articles as reviewed

https://gerrit.wikimedia.org/r/838204

Maintenance_bot removed a project: Patch-For-Review.Oct 5 2022, 8:31 AM
ReleaseTaggerBot added a project: MW-1.40-notes (1.40.0-wmf.5; 2022-10-10).Oct 5 2022, 9:00 AM
gerritbot added a comment.Oct 5 2022, 10:17 AM

Change 838215 had a related patch set uploaded (by Zabe; author: Zabe):

[mediawiki/extensions/PageTriage@REL1_39] SECURITY: check for autopatrol when marking own articles as reviewed

https://gerrit.wikimedia.org/r/838215

gerritbot added a project: Patch-For-Review.Oct 5 2022, 10:17 AM

Change 838216 had a related patch set uploaded (by Zabe; author: Zabe):

[mediawiki/extensions/PageTriage@REL1_38] SECURITY: check for autopatrol when marking own articles as reviewed

https://gerrit.wikimedia.org/r/838216

gerritbot added a comment.Oct 5 2022, 10:19 AM

Change 838217 had a related patch set uploaded (by Zabe; author: Zabe):

[mediawiki/extensions/PageTriage@REL1_37] SECURITY: check for autopatrol when marking own articles as reviewed

https://gerrit.wikimedia.org/r/838217

gerritbot added a comment.Oct 5 2022, 10:19 AM

Change 838218 had a related patch set uploaded (by Zabe; author: Zabe):

[mediawiki/extensions/PageTriage@REL1_35] SECURITY: check for autopatrol when marking own articles as reviewed

https://gerrit.wikimedia.org/r/838218

gerritbot added a comment.Oct 5 2022, 10:57 AM

Change 838215 merged by jenkins-bot:

[mediawiki/extensions/PageTriage@REL1_39] SECURITY: check for autopatrol when marking own articles as reviewed

https://gerrit.wikimedia.org/r/838215

gerritbot added a comment.Oct 5 2022, 1:49 PM

Change 838216 merged by jenkins-bot:

[mediawiki/extensions/PageTriage@REL1_38] SECURITY: check for autopatrol when marking own articles as reviewed

https://gerrit.wikimedia.org/r/838216

gerritbot added a comment.Oct 5 2022, 1:54 PM

Change 838217 merged by jenkins-bot:

[mediawiki/extensions/PageTriage@REL1_37] SECURITY: check for autopatrol when marking own articles as reviewed

https://gerrit.wikimedia.org/r/838217

gerritbot added a comment.Oct 5 2022, 2:10 PM

Change 838218 merged by jenkins-bot:

[mediawiki/extensions/PageTriage@REL1_35] SECURITY: check for autopatrol when marking own articles as reviewed

https://gerrit.wikimedia.org/r/838218

Maintenance_bot removed a project: Patch-For-Review.Oct 5 2022, 2:32 PM
sbassett closed this task as Resolved.Oct 5 2022, 3:17 PM
sbassett assigned this task to Zabe.
sbassett moved this task from Watching to Our Part Is Done on the Security-Team board.
MPGuy2824 mentioned this in T234071: After requeueing a page, define behaviour for creator [medium].Oct 22 2022, 12:07 PM
MPGuy2824 moved this task from Code Review to Done on the PageTriage board.Oct 28 2022, 3:28 AM
MPGuy2824 mentioned this in T234681: Define behaviour for page creator.
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits