Page MenuHomePhabricator
Create Task
Maniphest T326952

CVE-2023-37253: ProofreadPage leaks suppressed user via the API and config variables
Closed, ResolvedPublicSecurity
Actions

Description

ProofreadPage does not suppress the name of the reviewer of a Page: namespace page, when accessed via the API (and via the config variables):

Proof of concept

  • Setup ProofreadPage locally
  • Create a new Page: namespace page
  • Create a new account and edit the Page: namespace page by setting the Page quality level
  • Create an edit on the edited page that does not reset the Page quality level
  • Block the account with Hide username from edits and lists box checked via an admin account
  • As a non-logged-in user, navigate to the Page: namespace page and mw.config.get( 'prpPageQualityUser' )
  • Note that the suppressed users username is visible
  • Use the API to return the most current revision of the page, the hidden users name will be visible as part of the returned wikitext.

Realized this while looking at T326940 :(

Details

Risk Rating
Medium
Author Affiliation
Wikimedia Communities
SubjectRepoBranchLines +/-
SECURITY: Prevent hidden users from being exposed via public interfacesmediawiki/extensions/ProofreadPagemaster+46 -5
SECURITY: Prevent hidden users from being exposed via public interfacesmediawiki/extensions/ProofreadPageREL1_38+46 -5
SECURITY: Prevent hidden users from being exposed via public interfacesmediawiki/extensions/ProofreadPageREL1_40+46 -5
SECURITY: Prevent hidden users from being exposed via public interfacesmediawiki/extensions/ProofreadPageREL1_39+46 -5
Customize query in gerrit

Related Objects

Event Timeline

Soda created this task.Jan 13 2023, 12:45 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptJan 13 2023, 12:45 PM
Soda added a project: ProofreadPage.Jan 13 2023, 12:48 PM
Soda renamed this task from ProofreadPage leaks suppressed user via the API to ProofreadPage leaks suppressed user via the API and config variables.Jan 13 2023, 1:03 PM
Zabe added a subscriber: Tpt.Jan 13 2023, 1:36 PM
Soda added a comment.Jan 13 2023, 6:11 PM

0001-Prevent-hidden-users-from-being-exposed-via-public-i.patch2 KBDownload

Proposed patch

Legoktm added a project: Vuln-Infoleak.Jan 13 2023, 6:24 PM
mmartorana changed the task status from Open to In Progress.Jan 23 2023, 3:28 PM
mmartorana triaged this task as Medium priority.
mmartorana changed Risk Rating from N/A to Medium.
Soda added a comment.Jan 23 2023, 3:53 PM

@Tpt Can you take a look at the patch above :)

Tpt added a comment.EditedJan 23 2023, 4:35 PM

@Soda Thank you for reaching out with this problem and moving forward with it.

I am not sure to understand the task background. Displaying publicly the editors name/IPs seems to have been the policy from the beginning of Wikipedia. Do you have a good link?

If Wikimedia want to go the route 'if hidden the user name should be totaly hidden from everywhere and not recoverable', I got a few concerns:

  1. This is not removing the user id from the revision content but just from some API outputs and the UI. For examples, dumps won't be changed. Changing that would require more mork.
  2. We need to also cover the diff output (Page\PageSlotDiffRenderer).
  3. A maybe easier way to make sure the user name is removed from anywhere but past revisions is to just give null as the user when building the PageLevel object (in PageContentHandler and EditPagePage) if the user is hidden.

Also, I am not sure this is a security issue. It seem seems more like a subtask of T326940.

sbassett subscribed.Jan 23 2023, 10:32 PM

@Tpt - it looks like @Soda's proposed patch is not displaying suppressed usernames (via if ( $user->isHidden() ) checks). This should be correct as suppressed usernames should never be displayed to users on Wikimedia projects unless they are oversighters or otherwise have hideuser rights. Changing existing public dumps is difficult if not impossible, but the good news is that they should be overwritten in days or weeks. If there are more places where we should be checking for suppressed usernames within ext:ProofreadPage, then the patch should be amended to include those. This isn't really a subtask of T326940 as this, again, is only concerning suppressed usernames, which should never include anon IP-based usernames.

Soda added a comment.Jan 24 2023, 1:26 PM
In T326952#8549816, @Tpt wrote:

@Soda Thank you for reaching out with this problem and moving forward with it.

I am not sure to understand the task background. Displaying publicly the editors name/IPs seems to have been the policy from the beginning of Wikipedia. Do you have a good link?

If Wikimedia want to go the route 'if hidden the user name should be totaly hidden from everywhere and not recoverable', I got a few concerns:

  1. This is not removing the user id from the revision content but just from some API outputs and the UI. For examples, dumps won't be changed. Changing that would require more mork.
  2. We need to also cover the diff output (Page\PageSlotDiffRenderer).
  3. A maybe easier way to make sure the user name is removed from anywhere but past revisions is to just give null as the user when building the PageLevel object (in PageContentHandler and EditPagePage) if the user is hidden.

Also, I am not sure this is a security issue. It seem seems more like a subtask of T326940.

This is specifically about overighted/suppressed usernames that shouldn't be shown to anyone except oversighters/anyone with the hideuser permission (the on-wiki policy document would be https://meta.wikimedia.org/wiki/Oversight_policy).

Wrt to the patch itself, I assumed that if a Oversighter wanted to check if the name of the person who set the PageLevel, they could use a combinations of the Edit tags and unhide revisions functionality to view the username of the person who had set the Page status.

  1. We need to also cover the diff output (Page\PageSlotDiffRenderer).

I don't think we reveal the user via that method, we only show the changed PageLevel status in a diff.

  1. A maybe easier way to make sure the user name is removed from anywhere but past revisions is to just give null as the user when building the PageLevel object (in PageContentHandler and EditPagePage) if the user is hidden.

I did try a variation of this, but it appears that whenever the next edit is made (after the reviewing editor has been supressed), we end up assigning the user that most recently edited the page as the reviewer of the Page: namespace page which I feel would be somewhat unexpected and counterintuitive for individual users (since they will not be informed on this).

mmartorana moved this task from Incoming to Security Patch To Deploy on the Security-Team board.Mar 14 2023, 3:11 PM
mmartorana subscribed.

Hello - we plan to deploy this patch in the upcoming deployment window.

sbassett added a comment.Mar 14 2023, 3:25 PM

As of today, the patch from T326952#8524394 still applies to master/main. And while it might not be a complete solution per feedback at T326952#8549816, it gets us to a much better place than where we're at now, and follow-up patches can be worked upon while at least part of the immediate issue is mitigated within Wikimedia production.

Mstyles subscribed.Mar 27 2023, 10:01 PM
In T326952#8524394, @Soda wrote:

0001-Prevent-hidden-users-from-being-exposed-via-public-i.patch2 KBDownload

Proposed patch

Deployed

sbassett moved this task from Security Patch To Deploy to Watching on the Security-Team board.Apr 3 2023, 4:15 PM
Soda added a subscriber: Samwilson.Apr 6 2023, 11:43 AM

Adding @Samwilson who also works on ProofreadPage

sbassett mentioned this in T333626: Write and send supplementary release announcement for extensions and skins with security patches (1.35.11/1.38.7/1.39.4/1.40.0).May 15 2023, 8:27 PM
Mstyles added a subscriber: gerritbot.Jun 29 2023, 8:44 PM
gerritbot added a comment.Jun 29 2023, 8:49 PM

Change 934354 had a related patch set uploaded (by Mstyles; author: Sohom Datta):

[mediawiki/extensions/ProofreadPage@REL1_40] Prevent hidden users from being exposed via public interfaces

https://gerrit.wikimedia.org/r/934354

gerritbot added a project: Patch-For-Review.Jun 29 2023, 8:49 PM

Change 934355 had a related patch set uploaded (by Mstyles; author: Sohom Datta):

[mediawiki/extensions/ProofreadPage@REL1_39] Prevent hidden users from being exposed via public interfaces

https://gerrit.wikimedia.org/r/934355

gerritbot added a comment.Jun 29 2023, 8:50 PM

Change 934356 had a related patch set uploaded (by Mstyles; author: Sohom Datta):

[mediawiki/extensions/ProofreadPage@REL1_38] Prevent hidden users from being exposed via public interfaces

https://gerrit.wikimedia.org/r/934356

Mstyles renamed this task from ProofreadPage leaks suppressed user via the API and config variables to CVE-2023-37253 ProofreadPage leaks suppressed user via the API and config variables.Jun 30 2023, 5:46 PM
Mstyles renamed this task from CVE-2023-37253 ProofreadPage leaks suppressed user via the API and config variables to CVE-2023-37253: ProofreadPage leaks suppressed user via the API and config variables.
gerritbot added a comment.Jun 30 2023, 6:31 PM

Change 934356 abandoned by Mstyles:

[mediawiki/extensions/ProofreadPage@REL1_38] Prevent hidden users from being exposed via public interfaces

Reason:

fixed in master

https://gerrit.wikimedia.org/r/934356

gerritbot added a comment.Jun 30 2023, 6:31 PM

Change 934355 abandoned by Mstyles:

[mediawiki/extensions/ProofreadPage@REL1_39] Prevent hidden users from being exposed via public interfaces

Reason:

https://gerrit.wikimedia.org/r/934355

gerritbot added a comment.Jun 30 2023, 6:31 PM

Change 934354 abandoned by Mstyles:

[mediawiki/extensions/ProofreadPage@REL1_40] Prevent hidden users from being exposed via public interfaces

Reason:

https://gerrit.wikimedia.org/r/934354

gerritbot added a comment.Jun 30 2023, 6:32 PM

Change 934356 restored by Mstyles:

[mediawiki/extensions/ProofreadPage@REL1_38] Prevent hidden users from being exposed via public interfaces

https://gerrit.wikimedia.org/r/934356

gerritbot added a comment.Jun 30 2023, 6:32 PM

Change 934355 restored by Mstyles:

[mediawiki/extensions/ProofreadPage@REL1_39] Prevent hidden users from being exposed via public interfaces

https://gerrit.wikimedia.org/r/934355

gerritbot added a comment.Jun 30 2023, 6:32 PM

Change 934354 restored by Mstyles:

[mediawiki/extensions/ProofreadPage@REL1_40] Prevent hidden users from being exposed via public interfaces

https://gerrit.wikimedia.org/r/934354

gerritbot added a comment.Jun 30 2023, 6:55 PM

Change 934410 merged by jenkins-bot:

[mediawiki/extensions/ProofreadPage@master] SECURITY: Prevent hidden users from being exposed via public interfaces

https://gerrit.wikimedia.org/r/934410

gerritbot added a comment.Jun 30 2023, 6:59 PM

Change 934355 merged by jenkins-bot:

[mediawiki/extensions/ProofreadPage@REL1_39] SECURITY: Prevent hidden users from being exposed via public interfaces

https://gerrit.wikimedia.org/r/934355

gerritbot added a comment.Jun 30 2023, 7:00 PM

Change 934354 merged by jenkins-bot:

[mediawiki/extensions/ProofreadPage@REL1_40] SECURITY: Prevent hidden users from being exposed via public interfaces

https://gerrit.wikimedia.org/r/934354

gerritbot added a comment.Jun 30 2023, 7:31 PM

Change 934356 merged by Umherirrender:

[mediawiki/extensions/ProofreadPage@REL1_38] SECURITY: Prevent hidden users from being exposed via public interfaces

https://gerrit.wikimedia.org/r/934356

Mstyles closed this task as Resolved.Jun 30 2023, 7:48 PM
Mstyles claimed this task.
Mstyles moved this task from Watching to Our Part Is Done on the Security-Team board.
Mstyles changed the visibility from "Custom Policy" to "Public (No Login Required)".
Mstyles changed the edit policy from "Custom Policy" to "All Users".
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL