CVE-2023-37252: Special:CheckUserLog shows usernames which have been hidden
Closed, ResolvedPublicSecurity
Actions

Assigned To

Authored By

	Dreamy_Jazz
	Mar 2 2023, 2:48 AM

Description

Steps to reproduce:

Find a user who has been hidden as part of their block (With "Hide username from edits and lists" checked)
Log into an account that has the checkuser-log right (on WMF wikis this all users with steward or checkuser groups as well as ombuds) and importantly not the suppress right.
Either search for the hidden username or find the username in the log with no applied filters, noting that the hidden username is shown.

What should have happened
The hidden username should not have been displayed. Instead (similar to Special:Log) it should be possible to search by the hidden username but not see the hidden username displayed in the log entries.

Other info
Reproduced this issue on the English Wikipedia by asking a non-suppressor checkuser to load the log for a check on a hidden user.

Status:

Special:CheckUserLog - patch deployed
CheckUser API - patch uploaded to task and in review

Details

Risk Rating: Low
Author Affiliation: Wikimedia Communities

Subject	Repo	Branch	Lines +/-
Fix constructor, missing use. Follow up to fa250d83ecc77	mediawiki/extensions/CheckUser	REL1_38	+2 -0
SECURITY: Hide hidden users in CheckUserLog API	mediawiki/extensions/CheckUser	REL1_35	+21 -0
SECURITY: Hide hidden users in Special:CheckUserLog	mediawiki/extensions/CheckUser	REL1_35	+56 -3
SECURITY: Hide hidden users in CheckUserLog API	mediawiki/extensions/CheckUser	REL1_38	+30 -2
SECURITY: Hide hidden users in CheckUserLog API	mediawiki/extensions/CheckUser	REL1_39	+32 -2
SECURITY: Hide hidden users in Special:CheckUserLog	mediawiki/extensions/CheckUser	REL1_39	+79 -17
SECURITY: Hide hidden users in Special:CheckUserLog	mediawiki/extensions/CheckUser	REL1_38	+81 -7
SECURITY: Hide hidden users in Special:CheckUserLog	mediawiki/extensions/CheckUser	master	+77 -17
SECURITY: Hide hidden users in CheckUserLog API	mediawiki/extensions/CheckUser	master	+29 -3
SECURITY: Hide hidden users in CheckUserLog API	mediawiki/extensions/CheckUser	REL1_40	+29 -3
SECURITY: Hide hidden users in Special:CheckUserLog	mediawiki/extensions/CheckUser	REL1_40	+77 -17

Related Objects

Mentioned In: T340874: Write and send supplementary release announcement for extensions and skins with security patches (1.35.12/1.39.5/1.40.1)
T333626: Write and send supplementary release announcement for extensions and skins with security patches (1.35.11/1.38.7/1.39.4/1.40.0)
Mentioned Here: T333626: Write and send supplementary release announcement for extensions and skins with security patches (1.35.11/1.38.7/1.39.4/1.40.0)
T326865: CVE-2024-40597: Special:CheckUser can expose suppressed information for log events

Event Timeline

Dreamy_Jazz created this task.Mar 2 2023, 2:48 AM

Restricted Application added a subscriber: Aklapper. · View Herald TranscriptMar 2 2023, 2:48 AM

Dreamy_Jazz added a project: CheckUser.Mar 2 2023, 2:48 AM

Dreamy_Jazz added a project: Vuln-Infoleak.Mar 2 2023, 2:56 AM

Dreamy_Jazz updated the task description. (Show Details)Mar 2 2023, 3:02 AM

Instead (similar to Special:Log) it should be possible to search by the hidden username but not see the hidden username displayed in the log entries.

Well, you can kind of search by a hidden username, but only if you know it, right? When I search for hidden/suppressed usernames at enwiki/Special:Log, as performers or targets, I get the red text and no auto-complete in the search input, like I would for non-existent users, e.g. https://w.wiki/6PwK. With my staff rights, I can then view details about them below (blocks, etc.), for anons and unprivileged users, those details do not show up. But I do not get any obvious clues from the search inputs that hidden users ever existed.

Yeah. I'm hoping that the Special:Log interface of being able to search by it if you already know the username would be how the Special:CheckUserLog would work once this is resolved. The CheckUserLog already does not auto-suggest usernames which have been hidden, but someone who doesn't know it could see it when scrolling through the log with no filters enabled.

mmartorana changed the task status from Open to In Progress.Mar 13 2023, 5:47 PM

mmartorana triaged this task as Medium priority.

mmartorana changed Risk Rating from N/A to Low.

Working on a patch.

T330968.patch7 KBDownload

For the above patch:

Rights the user has	Before	After
hideuser (through suppressor group)
no hideuser right

The "Show IP" button being italic when the user is hidden is a separate issue and is out of the scope for this task.

Dreamy_Jazz claimed this task.Mar 15 2023, 11:20 AM

Dreamy_Jazz added a project: Patch-For-Review.

Dreamy_Jazz attached a referenced file: F36912558: image.png. (Show Details)

Dreamy_Jazz attached a referenced file: F36912559: image.png. (Show Details)

sbassett moved this task from Incoming to Security Patch To Deploy on the Security-Team board.Mar 22 2023, 5:19 PM

Xaosflux subscribed.Mar 24 2023, 4:34 PM

Related? A checkuser (who is not a suppresser) reporting that when running a check, the already locally suppressed/globally hidden username still appeared in a cu report, e.g:

• User logs 1:23:45 (Username or IP removed) Successfully logged in to Wikipedia as HIDDENUSERNAMEHERE
IP: 1.1.1.1 USERAGENTHERE

@Xaosflux that would be covered under T326865. While the exposed information is similar, this task fixes Special:CheckUserLog while the issue you mention is for Special:CheckUser/Special:Investigate. That leak of information you mention needs many other fixes to make it possible to be fixed.

A fix is also likely needed for the CheckUserLog API, but I have not tested this yet. My in review patch only fixes Special:CheckUserLog.

Dreamy_Jazz updated the task description. (Show Details)Mar 24 2023, 4:43 PM

In T330968#8697127, @Dreamy_Jazz wrote:

T330968.patch7 KBDownload

Deployed

Thanks

sbassett moved this task from Security Patch To Deploy to Watching on the Security-Team board.Apr 3 2023, 4:15 PM

sbassett mentioned this in T333626: Write and send supplementary release announcement for extensions and skins with security patches (1.35.11/1.38.7/1.39.4/1.40.0).Apr 4 2023, 9:09 PM

Dreamy_Jazz updated the task description. (Show Details)Apr 4 2023, 9:14 PM

Testing locally showed that the API also has the same problem. Patch for the API code (tested locally):

T330968-api.patch3 KBDownload

Dreamy_Jazz moved this task from Watching to Security Patch To Deploy on the Security-Team board.Jun 19 2023, 10:05 PM

Dreamy_Jazz updated the task description. (Show Details)

When trying to deploy this https://test.wikipedia.org/w/api.php?action=query&format=json&prop=&list=checkuserlog&formatversion=2 delivered the following error (no idea why).

[4eb02b83-1362-4327-ac17-1a9c9383c680] /w/api.php   Error: Call to a member function isHidden() on null
from /srv/mediawiki/php-1.41.0-wmf.13/extensions/CheckUser/src/Api/ApiQueryCheckUserLog.php(136)
#0 /srv/mediawiki/php-1.41.0-wmf.13/includes/api/ApiQuery.php(662): MediaWiki\CheckUser\Api\ApiQueryCheckUserLog->execute()
#1 /srv/mediawiki/php-1.41.0-wmf.13/includes/api/ApiMain.php(1913): ApiQuery->execute()
#2 /srv/mediawiki/php-1.41.0-wmf.13/includes/api/ApiMain.php(890): ApiMain->executeAction()
#3 /srv/mediawiki/php-1.41.0-wmf.13/includes/api/ApiMain.php(861): ApiMain->executeActionWithErrorHandling()
#4 /srv/mediawiki/php-1.41.0-wmf.13/api.php(95): ApiMain->execute()
#5 /srv/mediawiki/php-1.41.0-wmf.13/api.php(48): wfApiMain()
#6 /srv/mediawiki/w/api.php(3): require(string)
#7 {main}

wikiadmin2023@10.64.132.14(testwiki)> select * from cu_log order by cul_id desc limit 1\G
*************************** 1. row ***************************
                 cul_id: 1300
          cul_timestamp: 20230619233956
               cul_type: useredits
          cul_target_id: 54726
        cul_target_text: Zabe (test 5)
         cul_target_hex: 
        cul_range_start: 
          cul_range_end: 
              cul_actor: 111536
          cul_reason_id: 238728
cul_reason_plaintext_id: 238728
1 row in set (0.001 sec)

wikiadmin2023@10.64.132.14(testwiki)>

The account Zabe (test 5) was suppressed while performing the api request.

Apologies, didn't test how IPs would be treated as I tested by looking for entries through filtering by username. newFromName returns null for IPs. Updated patch (that null checks):

T330968-api.patch3 KBDownload

In T330968#8947658, @Dreamy_Jazz wrote:

Apologies, didn't test how IPs would be treated as I tested by looking for entries through filtering by username. newFromName returns null for IPs. Updated patch (that null checks):

T330968-api.patch3 KBDownload

Thanks, deployed: https://sal.toolforge.org/log/Uq0m1ogBhuQtenzv6PNe

In T330968#8947661, @Zabe wrote:

In T330968#8947658, @Dreamy_Jazz wrote:

Apologies, didn't test how IPs would be treated as I tested by looking for entries through filtering by username. newFromName returns null for IPs. Updated patch (that null checks):

T330968-api.patch3 KBDownload

Thanks, deployed: https://sal.toolforge.org/log/Uq0m1ogBhuQtenzv6PNe

Thanks for the patch and deploy. Tracking at T276237 and for the upcoming supplemental release T333626.

Mstyles added a subscriber: gerritbot.Jun 27 2023, 11:00 PM

Change 932822 had a related patch set uploaded (by Mstyles; author: Dreamy Jazz):

[mediawiki/extensions/CheckUser@master] SECURITY: Hide hidden users in CheckUserLog API

https://gerrit.wikimedia.org/r/932822

gerritbot added a project: Patch-For-Review.Jun 27 2023, 11:10 PM

Change 933686 had a related patch set uploaded (by Dreamy Jazz; author: Dreamy Jazz):

[mediawiki/extensions/CheckUser@master] Hide hidden users from users without hideuser right on CheckUserLog

https://gerrit.wikimedia.org/r/933686

Change 933630 had a related patch set uploaded (by Dreamy Jazz; author: Dreamy Jazz):

[mediawiki/extensions/CheckUser@REL1_40] SECURITY: Hide hidden users in CheckUserLog API

https://gerrit.wikimedia.org/r/933630

Change 933631 had a related patch set uploaded (by Dreamy Jazz; author: Dreamy Jazz):

[mediawiki/extensions/CheckUser@REL1_40] SECURITY: Hide hidden users in Special:CheckUserLog

https://gerrit.wikimedia.org/r/933631

Change 933631 merged by jenkins-bot:

[mediawiki/extensions/CheckUser@REL1_40] SECURITY: Hide hidden users in Special:CheckUserLog

https://gerrit.wikimedia.org/r/933631

Change 933630 merged by jenkins-bot:

[mediawiki/extensions/CheckUser@REL1_40] SECURITY: Hide hidden users in CheckUserLog API

https://gerrit.wikimedia.org/r/933630

Change 933686 merged by jenkins-bot:

[mediawiki/extensions/CheckUser@master] SECURITY: Hide hidden users in Special:CheckUserLog

https://gerrit.wikimedia.org/r/933686

Change 932822 merged by jenkins-bot:

[mediawiki/extensions/CheckUser@master] SECURITY: Hide hidden users in CheckUserLog API

https://gerrit.wikimedia.org/r/932822

Change 933916 had a related patch set uploaded (by Dreamy Jazz; author: Dreamy Jazz):

[mediawiki/extensions/CheckUser@REL1_39] SECURITY: Hide hidden users in CheckUserLog API

https://gerrit.wikimedia.org/r/933916

Change 933919 had a related patch set uploaded (by Dreamy Jazz; author: Dreamy Jazz):

[mediawiki/extensions/CheckUser@REL1_38] SECURITY: Hide hidden users in CheckUserLog API

https://gerrit.wikimedia.org/r/933919

Change 934390 had a related patch set uploaded (by Dreamy Jazz; author: Dreamy Jazz):

[mediawiki/extensions/CheckUser@REL1_39] SECURITY: Hide hidden users in Special:CheckUserLog

https://gerrit.wikimedia.org/r/934390

Change 934392 had a related patch set uploaded (by Dreamy Jazz; author: Dreamy Jazz):

[mediawiki/extensions/CheckUser@REL1_38] SECURITY: Hide hidden users in Special:CheckUserLog

https://gerrit.wikimedia.org/r/934392

mmartorana closed this task as Resolved.Jun 30 2023, 2:44 PM

mmartorana changed the visibility from "Custom Policy" to "Public (No Login Required)".

mmartorana changed the edit policy from "Custom Policy" to "All Users".

@mmartorana a patch has not been created for release 1.35. Should this remain open until this is done?

Furthermore, fixes for 1.38 and 1.39 are yet to be merged.

mmartorana changed the visibility from "Public (No Login Required)" to "Custom Policy".Jun 30 2023, 2:53 PM

mmartorana changed the edit policy from "All Users" to "Custom Policy".

Change 934392 merged by jenkins-bot:

[mediawiki/extensions/CheckUser@REL1_38] SECURITY: Hide hidden users in Special:CheckUserLog

https://gerrit.wikimedia.org/r/934392

Change 934390 merged by jenkins-bot:

[mediawiki/extensions/CheckUser@REL1_39] SECURITY: Hide hidden users in Special:CheckUserLog

https://gerrit.wikimedia.org/r/934390

Change 933916 merged by jenkins-bot:

[mediawiki/extensions/CheckUser@REL1_39] SECURITY: Hide hidden users in CheckUserLog API

https://gerrit.wikimedia.org/r/933916

Change 933919 merged by jenkins-bot:

[mediawiki/extensions/CheckUser@REL1_38] SECURITY: Hide hidden users in CheckUserLog API

https://gerrit.wikimedia.org/r/933919

Hi @Dreamy_Jazz - At present, my plan is to resolve and publish the task since the patch has been successfully integrated into all other branches. Unfortunately, a new patch should be created specifically for REL1_35.

Okay. Thanks for the info. I start a contracting role on Monday and I may be able to resolve the conflicts when cherry picking the fixes to release 1.35 from Monday. The changes from 1.38 should be able to cherry-picked after resolving conflicts without a need to modify them significantly.

mmartorana changed the visibility from "Custom Policy" to "Public (No Login Required)".Jun 30 2023, 4:02 PM

mmartorana changed the edit policy from "Custom Policy" to "All Users".

mmartorana renamed this task from Special:CheckUserLog shows usernames which have been hidden to CVE-2023-37252: Special:CheckUserLog shows usernames which have been hidden.Jun 30 2023, 5:55 PM

Mstyles moved this task from Watching to Our Part Is Done on the Security-Team board.Jun 30 2023, 5:59 PM

Change 935439 had a related patch set uploaded (by Dreamy Jazz; author: Dreamy Jazz):

[mediawiki/extensions/CheckUser@REL1_35] SECURITY: Hide hidden users in CheckUserLog API

https://gerrit.wikimedia.org/r/935439

Change 935474 had a related patch set uploaded (by Dreamy Jazz; author: Dreamy Jazz):

[mediawiki/extensions/CheckUser@REL1_35] SECURITY: Hide hidden users in Special:CheckUserLog

https://gerrit.wikimedia.org/r/935474

sbassett mentioned this in T340874: Write and send supplementary release announcement for extensions and skins with security patches (1.35.12/1.39.5/1.40.1).Jul 6 2023, 3:27 PM

Change 935474 merged by jenkins-bot:

[mediawiki/extensions/CheckUser@REL1_35] SECURITY: Hide hidden users in Special:CheckUserLog

https://gerrit.wikimedia.org/r/935474

Change 935439 merged by jenkins-bot:

[mediawiki/extensions/CheckUser@REL1_35] SECURITY: Hide hidden users in CheckUserLog API

https://gerrit.wikimedia.org/r/935439

FYI, there was some comments on chat that the REL1_38 backport is incorrect (Looks like SpecialCheckUserLog.php constructor never assigns its argument to $this->userFactory)

Change 941399 had a related patch set uploaded (by Brian Wolff; author: Brian Wolff):

[mediawiki/extensions/CheckUser@REL1_38] Fix constructor. Follow up to fa250d83ecc77

https://gerrit.wikimedia.org/r/941399

Change 941399 merged by Dreamy Jazz:

[mediawiki/extensions/CheckUser@REL1_38] Fix constructor, missing use. Follow up to fa250d83ecc77