
CVE-2022-41344: PageTriage extension - someone with patrol user right can mark own article as reviewed if they use api.php?action=pagetriageaction
Closed, Resolved | Public | Security

Description

Steps to reproduce

  • Create a test account on enwiki.
  • Use an admin account to assign it to the following user group: New Page Patroller (patroller).
  • Log into the patroller account.
  • Create an article.
  • Refresh the page. Note how the PageTriage toolbar pops up, but a bunch of icons such as "mark as reviewed" are missing. This is good. This means PageTriage's front end is correctly detecting that you are the author and you should not be able to mark your own article as reviewed.
  • Now go to Special:ApiSandbox and try to mark the page as reviewed using pagetriageaction. Set the pageid and set reviewed=1.
  • Click "make request".

What should happen

  • Should get an error.

What actually happens

  • Page is marked as reviewed. The back end is missing the needed permissions checking code.

Why is this a big deal?

  • If undisclosed paid editors figure this out, and have access to an account with the patrol user group, they will be able to mark their own articles as reviewed, basically getting autopatrolled without applying for it. There are many cases of undisclosed paid editors spending months to infiltrate enwiki to obtain these kinds of perms. It is lucrative for them to have their articles skip the patrol process and get indexed on Google immediately.

The fix

2022-07-31_033046.png (931×1 px, 266 KB)

2022-07-31_033259.png (846×1 px, 88 KB)

2022-07-31_034731.png (584×1 px, 90 KB)
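
The gap described in this task, as an added Python model (not part of the original report and not PageTriage's PHP code): the first function checks only the patrol right, the second also requires autopatrol for self-review, following the patch title and the core message key mentioned in the timeline, and the audit helper flags past self-reviews. The `User`/`Page` classes, function names, the `permissiondenied` string and the sample log are constructed for illustration.

```python
from dataclasses import dataclass

class PermissionDenied(Exception):
    """Raised when the back end refuses the review action."""

@dataclass
class User:
    name: str
    rights: frozenset = frozenset()

@dataclass
class Page:
    page_id: int
    creator: str
    reviewed: bool = False

def mark_reviewed_patrol_only(user, page):
    """Behaviour reported in the task: only the 'patrol' right is checked."""
    if "patrol" not in user.rights:
        raise PermissionDenied("permissiondenied")  # constructed error string
    page.reviewed = True
    return page

def mark_reviewed(user, page):
    """Server-side check: reviewing your own page also needs 'autopatrol'."""
    if "patrol" not in user.rights:
        raise PermissionDenied("permissiondenied")  # constructed error string
    if page.creator == user.name and "autopatrol" not in user.rights:
        # Message key from MediaWiki core, as named in the task discussion.
        raise PermissionDenied("markedaspatrollederror-noautopatrol")
    page.reviewed = True
    return page

def audit_self_reviews(review_log, rights_by_user):
    """Return log entries where a reviewer without 'autopatrol' reviewed a page they created."""
    return [
        entry for entry in review_log
        if entry["reviewer"] == entry["creator"]
        and "autopatrol" not in rights_by_user.get(entry["reviewer"], frozenset())
    ]

# Constructed sample data (not real wiki log entries).
SAMPLE_RIGHTS = {
    "Alice": frozenset({"patrol"}),
    "Carol": frozenset({"patrol", "autopatrol"}),
}
SAMPLE_LOG = [
    {"page_id": 1, "creator": "Alice", "reviewer": "Alice"},  # self-review, no autopatrol
    {"page_id": 2, "creator": "Bob", "reviewer": "Alice"},    # normal review
    {"page_id": 3, "creator": "Carol", "reviewer": "Carol"},  # self-review with autopatrol
]
```
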

Event Timeline

Should be fairly straightforward.

Should we add the message markedaspatrollederror-noautopatrol to i18n/en.json and i18n/qqq.json?

Should we add the message markedaspatrollederror-noautopatrol to i18n/en.json and i18n/qqq.json?

It does already exist: https://gerrit.wikimedia.org/r/plugins/gitiles/mediawiki/core/+/c1796065620733ebecb3ecdec245740d64e17203/languages/i18n/en.json#3328

Ah excellent. I was looking in PageTriage instead of core. Good idea to recycle the "patrol" message in core.

mmartorana changed the task status from Open to In Progress. Aug 4 2022, 3:49 PM
mmartorana triaged this task as Low priority.
mmartorana changed Risk Rating from N/A to Low.

Should be fairly straightforward.

+1 untested. Patch makes sense. This could likely go out during today's security deployment window, though technically I'm "not working" today, so maybe next Monday, the 15th? Unless someone else would like to stage it on an mwdebug and then deploy it today.

This patch from T314245#8120985 has been deployed: 19:59 maryum: deployed security patch for T314245

No issues were found in the logs after deploy.

I see this is deployed, thank you very much.

Did this get merged to the master branch? Are we supposed to wait for security reasons, or can we move forward with merging to master?

Did this get merged to the master branch? Are we supposed to wait for security reasons, or can we move forward with merging to master?

Since this is for ext:PageTriage, which is not bundled, it wouldn't be a part of the regular mediawiki security release, but rather the supplemental release. For the supplemental release, we do not typically have hard and fast rules about when a security patch can be backported once it has been deployed to Wikimedia production. If the patch hasn't been backported by the time we are prepping the supplemental release, the Security-Team will typically make the bug public and backport it at that time. But if there is interest in starting on those backports a bit sooner, we can make the bug public and the patch can be pushed up to gerrit, and then "re-announced" via the supplemental release.

This is my first security patch so just wondering how the system works. I do have some patches I plan to work on that touch similar areas of the code but I won't have time to work on them for about a month.

What were you guys thinking for date?

This is my first security patch so just wondering how the system works. I do have some patches I plan to work on that touch similar areas of the code but I won't have time to work on them for about a month.

No problem and sounds good about the additional security patches. Feel free to reach out to the Security-Team if you have any additional questions.

What were you guys thinking for date?

The next supplemental security release (tracked at T311785) will likely be released on Tuesday, October 4th, 2022. Typically, the regular MediaWiki security release and the supplemental release come out around the end of each quarter.

sbassett renamed this task from PageTriage extension - someone with patrol user right can mark own article as reviewed if they use api.php?action=pagetriageaction to CVE-2022-41344: PageTriage extension - someone with patrol user right can mark own article as reviewed if they use api.php?action=pagetriageaction. Oct 4 2022, 5:30 PM
sbassett changed Author Affiliation from N/A to Wikimedia Communities.
sbassett changed the visibility from "Custom Policy" to "Public (No Login Required)".
sbassett changed the edit policy from "Custom Policy" to "All Users".

Change 838204 had a related patch set uploaded (by SBassett; author: Zabe):

[mediawiki/extensions/PageTriage@master] SECURITY: check for autopatrol when marking own articles as reviewed

https://gerrit.wikimedia.org/r/838204

Change 838204 merged by jenkins-bot:

[mediawiki/extensions/PageTriage@master] SECURITY: check for autopatrol when marking own articles as reviewed

https://gerrit.wikimedia.org/r/838204

Change 838215 had a related patch set uploaded (by Zabe; author: Zabe):

[mediawiki/extensions/PageTriage@REL1_39] SECURITY: check for autopatrol when marking own articles as reviewed

https://gerrit.wikimedia.org/r/838215

Change 838216 had a related patch set uploaded (by Zabe; author: Zabe):

[mediawiki/extensions/PageTriage@REL1_38] SECURITY: check for autopatrol when marking own articles as reviewed

https://gerrit.wikimedia.org/r/838216

Change 838217 had a related patch set uploaded (by Zabe; author: Zabe):

[mediawiki/extensions/PageTriage@REL1_37] SECURITY: check for autopatrol when marking own articles as reviewed

https://gerrit.wikimedia.org/r/838217

Change 838218 had a related patch set uploaded (by Zabe; author: Zabe):

[mediawiki/extensions/PageTriage@REL1_35] SECURITY: check for autopatrol when marking own articles as reviewed

https://gerrit.wikimedia.org/r/838218

Change 838215 merged by jenkins-bot:

[mediawiki/extensions/PageTriage@REL1_39] SECURITY: check for autopatrol when marking own articles as reviewed

https://gerrit.wikimedia.org/r/838215

Change 838216 merged by jenkins-bot:

[mediawiki/extensions/PageTriage@REL1_38] SECURITY: check for autopatrol when marking own articles as reviewed

https://gerrit.wikimedia.org/r/838216

Change 838217 merged by jenkins-bot:

[mediawiki/extensions/PageTriage@REL1_37] SECURITY: check for autopatrol when marking own articles as reviewed

https://gerrit.wikimedia.org/r/838217

Change 838218 merged by jenkins-bot:

[mediawiki/extensions/PageTriage@REL1_35] SECURITY: check for autopatrol when marking own articles as reviewed

https://gerrit.wikimedia.org/r/838218

sbassett assigned this task to Zabe.
sbassett moved this task from Watching to Our Part Is Done on the Security-Team board.