
CVE-2023-22945: action=growthmanagementorlist makes it possible for blocked users to enroll as mentors
Closed, Resolved · Public · Security

Description

Earlier today, the Growth team deployed the structured mentor list to all Wikimedia wikis. This switched the mentor list from a wikitext page to MediaWiki:GrowthMentors.json, edited by mentors (non-admins) via special pages and the action=growthmanagementorlist API.

While we did test how blocks interact with the new feature, we only tested the user interface, not the API. Today, I noticed that while the special pages do ensure the user is not blocked, the API (action=growthmanagementorlist) does not. This means blocked users are able to enroll as mentors via action=growthmanagementorlist, or to edit any of their mentorship-related properties.

Successfully reproduced at test.wikipedia.org. I'll suppress the edits and block entries for security.
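The pattern behind the fix, as an added example and not the extension's own ApiManageMentorList code: the class name, the hypothetical `message` parameter, saveMentorData() and the `apierror-example-not-eligible` message key are assumptions, while getUser(), getBlock(), dieBlocked(), dieWithError(), checkUserRightsAny() and extractRequestParams() are existing MediaWiki core methods (1.35-era signatures assumed).

```php
<?php
// Added example, not GrowthExperiments' own code. Class name, saveMentorData(),
// the 'message' parameter and the 'apierror-example-not-eligible' key are
// hypothetical; the ApiBase/User calls are real MediaWiki core methods.

class ApiManageMentorListExample extends ApiBase {

	public function execute() {
		$user = $this->getUser();

		// The missing check: the special pages refused blocked users, the API
		// module did not, so a blocked user reached the write below.
		$block = $user->getBlock();
		if ( $block ) {
			// Emits the standard 'blocked' API error carrying the block details
			$this->dieBlocked( $block );
		}

		// Remaining eligibility checks (the task mentions a 500-edit threshold)
		$this->checkUserRightsAny( 'edit' );
		if ( $user->getEditCount() < 500 ) {
			$this->dieWithError( 'apierror-example-not-eligible', 'noteligible' );
		}

		$params = $this->extractRequestParams();
		$this->saveMentorData( $user, $params );
		$this->getResult()->addValue( null, $this->getModuleName(), [ 'status' => 'ok' ] );
	}

	// Hypothetical stand-in for writing the caller's entry to MediaWiki:GrowthMentors.json
	private function saveMentorData( User $user, array $params ): void {
		// ...
	}

	public function getAllowedParams() {
		// Hypothetical parameter, only here so extractRequestParams() has something to read
		return [ 'message' => [ ApiBase::PARAM_TYPE => 'string' ] ];
	}

	// Writes must be POSTed with a CSRF token
	public function isWriteMode() { return true; }
	public function mustBePosted() { return true; }
	public function needsToken() { return 'csrf'; }
}
```

The block check runs before any other precondition so that a blocked user never reaches the write, matching what the special pages already enforced.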

Event Timeline

Urbanecm_WMF triaged this task as Unbreak Now! priority. Oct 26 2022, 7:58 PM

This is a fairly serious vulnerability: blocked users (including long-term abusers) with at least 500 edits can become mentors and harm the mentorship system.

Hotfix patch:

+2 from me.

Urbanecm_WMF lowered the priority of this task from Unbreak Now! to High. Oct 26 2022, 8:48 PM

Deployed to production, lowering to High since this does not impact production anymore.

22:42 <urbanecm> !log Deploying security patch for T321733
22:42 <+stashbot> Logged the message at https://wikitech.wikimedia.org/wiki/Server_Admin_Log

Sorry for missing this in code review.

As a follow-up, I think adding a regression test (PHPUnit integration test) would be good.

> Sorry for missing this in code review.

No worries!

> As a follow-up, I think adding a regression test (PHPUnit integration test) would be good.

Yes, for sure (as well as reviewing other APIs for potential similar issues). I didn't want to clutter the security patch with a test; that can be done in Gerrit once this task is public.

Change 857629 had a related patch set uploaded (by Urbanecm; author: Urbanecm):

[mediawiki/extensions/GrowthExperiments@master] SECURITY: Ensure user is not blocked in ApiManageMentorList

https://gerrit.wikimedia.org/r/857629

Backporting to Gerrit per T321799#8368556.

Change 857430 had a related patch set uploaded (by Urbanecm; author: Urbanecm):

[mediawiki/extensions/GrowthExperiments@REL1_39] SECURITY: Ensure user is not blocked in ApiManageMentorList

https://gerrit.wikimedia.org/r/857430

FTR, the affected feature is not actually part of any release yet (1.39 is yet to be released).

Urbanecm changed the visibility from "Custom Policy" to "Public (No Login Required)". Nov 16 2022, 2:18 PM
Urbanecm changed the edit policy from "Custom Policy" to "All Users".

Change 857629 merged by jenkins-bot:

[mediawiki/extensions/GrowthExperiments@master] SECURITY: Ensure user is not blocked in ApiManageMentorList

https://gerrit.wikimedia.org/r/857629

Change 857430 merged by jenkins-bot:

[mediawiki/extensions/GrowthExperiments@REL1_39] SECURITY: Ensure user is not blocked in ApiManageMentorList

https://gerrit.wikimedia.org/r/857430

Mstyles renamed this task from "action=growthmanagementorlist makes it possible for blocked users to enroll as mentors" to "CVE-2023-22945: action=growthmanagementorlist makes it possible for blocked users to enroll as mentors". Jan 11 2023, 7:04 PM