Page MenuHomePhabricator
Create Task
Maniphest T326867

CVE-2024-40598: CheckUser API can expose suppressed information for log events
Closed, ResolvedPublic2 Estimated Story PointsBUG REPORT
Actions

Description

Splitting from T318166. Not setting as a security ticket as the cat is out of the bag.

Log actions stored by CheckUser that are in the logging table (and thus can be suppressed) are not hidden as CheckUser does not store the log ID so that it can look up the revision deletion status. This means that checkusers who do not have the oversight permissions can access oversighted logs.

To do this CheckUser needs to store any associated log ID. This will be done in T324907. Once this has been achieved this can be fixed.

Details

SubjectRepoBranchLines +/-
Apply log_deleted to entries in CheckUser API 'actions' typemediawiki/extensions/CheckUsermaster+104 -49
Customize query in gerrit

Related Objects
Search...

View Standalone Graph
This task is connected to more than 200 other tasks. Only direct parents and subtasks are shown here. Use View Standalone Graph to show more of the graph.
StatusSubtypeAssignedTask
· · ·
ResolvedBUG REPORTDreamy_JazzT326867 CVE-2024-40598: CheckUser API can expose suppressed information for log events
ResolvedDreamy_JazzT253796 Make CheckUser record the log_id of logged actions
· · ·

Event Timeline

Dreamy_Jazz created this task.Jan 12 2023, 9:08 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptJan 12 2023, 9:08 PM
Dreamy_Jazz mentioned this in T311337: CVE-2022-39193: Edits with the performer suppressed still show the performer in results from the CheckUser extension.Jan 12 2023, 9:11 PM
Dreamy_Jazz added a project: Vuln-Infoleak.Jan 12 2023, 9:13 PM
Dreamy_Jazz added a subtask: T253796: Make CheckUser record the log_id of logged actions.Jan 12 2023, 9:34 PM
sbassett edited projects, added SecTeam-Processed; removed Security-Team.Jan 17 2023, 5:15 PM
Aklapper added a project: CheckUser.Jan 18 2023, 4:18 PM
sbassett mentioned this in T325849: Write and send supplementary release announcement for extensions and skins with security patches (1.35.10/1.38.6/1.39.3).Jan 23 2023, 6:14 PM
Dreamy_Jazz triaged this task as Medium priority.Jan 28 2023, 5:45 PM
sbassett mentioned this in T333626: Write and send supplementary release announcement for extensions and skins with security patches (1.35.11/1.38.7/1.39.4/1.40.0).Apr 4 2023, 7:48 PM
sbassett mentioned this in T340874: Write and send supplementary release announcement for extensions and skins with security patches (1.35.12/1.39.5/1.40.1).Jul 6 2023, 3:27 PM
sbassett mentioned this in T347659: Write and send supplementary release announcement for extensions and skins with security patches (1.35.14/1.39.6/1.40.2/1.41.0).Oct 2 2023, 10:31 PM
gerritbot added a comment.Apr 5 2024, 2:19 PM

Change #1017294 had a related patch set uploaded (by Dreamy Jazz; author: Dreamy Jazz):

[mediawiki/extensions/CheckUser@master] Apply log_deleted to entries in CheckUser API 'actions' type

https://gerrit.wikimedia.org/r/1017294

gerritbot added a project: Patch-For-Review.Apr 5 2024, 2:19 PM
Dreamy_Jazz claimed this task.Apr 5 2024, 2:20 PM
Dreamy_Jazz added a project: Trust and Safety Product Sprint (Sprint Tabla (1st - 14th April)).
Dreamy_Jazz set the point value for this task to 2.
Dreamy_Jazz moved this task from Priority Backlog to Needs Review on the Trust and Safety Product Sprint (Sprint Tabla (1st - 14th April)) board.
gerritbot added a comment.Apr 9 2024, 7:43 PM

Change #1017294 merged by jenkins-bot:

[mediawiki/extensions/CheckUser@master] Apply log_deleted to entries in CheckUser API 'actions' type

https://gerrit.wikimedia.org/r/1017294

Dreamy_Jazz moved this task from Needs Review to Needs QA on the Trust and Safety Product Sprint (Sprint Tabla (1st - 14th April)) board.Apr 9 2024, 9:17 PM

For QA I would suggest suppressing a variety of information about log events and see if the information for these log events still displays in the CheckUser API.

dom_walden moved this task from Needs QA to Done on the Trust and Safety Product Sprint (Sprint Tabla (1st - 14th April)) board.Apr 10 2024, 10:49 AM
dom_walden subscribed.

I hid all the entries in logging, revision and archive tables and did an ApiQueryCheckUser on all users and IPs in cu_changes. I then searched the API responses for any usernames in the actor table.

I could only find them if they were for entries in cu_private_event, which cannot be hidden.

Test environment: local docker CheckUser 2.5 (eda557a) 19:43, 9 April 2024.

Dreamy_Jazz closed this task as Resolved.Apr 10 2024, 1:26 PM
sbassett mentioned this in T361321: Write and send supplementary release announcement for extensions and skins with security patches (1.39.8/1.40.4/1.41.2/1.42.0).Apr 10 2024, 1:35 PM
sbassett removed a project: Patch-For-Review.
Dreamy_Jazz closed subtask T253796: Make CheckUser record the log_id of logged actions as Resolved.Apr 10 2024, 1:41 PM
Dreamy_Jazz mentioned this in T326865: CVE-2024-40597: Special:CheckUser can expose suppressed information for log events.Apr 15 2024, 5:49 PM
mmartorana renamed this task from CheckUser API can expose suppressed information for log events to CVE-2024-40598: CheckUser API can expose suppressed information for log events.Jul 8 2024, 5:33 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits