
CVE-2023-45370: SportsTeams: Special:SportsManagerLogo and Special:SportsTeamsManagerLogo should check for the "sportsteamsmanager" user right
Closed, Resolved · Public · Security

Description

...but currently they don't. Oops. Or rather, they don't do that properly: both special pages' __construct method calls the parent constructor with sportsteamsmanager as the 2nd argument, but this does not actually restrict access to the page, and further checks need to be done in either execute() or (preferably) executeLogo() (for consistency with existing similar checks).

To be precise, both special pages do check that the user has the basic upload user right as well as that the DB isn't locked, that the target directory is writable, etc. in executeLogo(), but in terms of permissions, that's it. The thing is, most registered users on most sites will have the upload right, whereas sportsteamsmanager (which grants access to its namesake special page, Special:SportsTeamsManager, which is used to add, edit and remove sports and sports teams) will likely be granted only to a handful of users. That's why this matters (in theory; in practice SportsTeams remains so site-specific that most sites are unlikely to ever even consider installing it).

On the other hand, this isn't super exploitable and a potential attacker would still need to manually set the correct id URL param to do any real damage; but then again the uploads done via these special pages aren't logged anywhere currently, which is kinda annoying and would make attacks harder to debug.
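The mistake the description refers to, as an added illustration (not the SportsTeams extension's own code; class names are assumed): in MediaWiki the right passed to SpecialPage::__construct() only marks the page as restricted, so a subclass that overrides execute() must test the right itself, here beside the existing upload check in executeLogo(), as the description prefers.

```php
<?php
// Added illustration, not the SportsTeams extension's own code; class names are
// assumed. SpecialPage, PermissionsError and isAllowed() are MediaWiki core.

// WEAK: 'sportsteamsmanager' is handed to the parent constructor, but that only
// marks the page as restricted. execute() is overridden and neither it nor
// executeLogo() tests the right, so it is never enforced.
class SpecialExampleLogoWeak extends SpecialPage {
	public function __construct() {
		parent::__construct( 'ExampleLogo', 'sportsteamsmanager' );
	}
	public function execute( $par ) {
		$this->setHeaders();
		$this->executeLogo();
	}
	private function executeLogo() {
		$user = $this->getUser();
		// Only the broad 'upload' right is checked; most registered users hold it.
		if ( !$user->isAllowed( 'upload' ) ) {
			throw new PermissionsError( 'upload' );
		}
		// ... read-only / target-directory checks and the upload itself ...
	}
}

// FIXED: test the narrow right beside the existing upload check, so only users
// holding both rights reach the upload logic. Calling $this->checkPermissions()
// in execute() would enforce the constructor restriction too; the in-method
// check matches the page's other checks.
class SpecialExampleLogoFixed extends SpecialPage {
	public function __construct() {
		parent::__construct( 'ExampleLogo', 'sportsteamsmanager' );
	}
	public function execute( $par ) {
		$this->setHeaders();
		$this->executeLogo();
	}
	private function executeLogo() {
		$user = $this->getUser();
		if ( !$user->isAllowed( 'sportsteamsmanager' ) ) {
			throw new PermissionsError( 'sportsteamsmanager' );
		}
		if ( !$user->isAllowed( 'upload' ) ) {
			throw new PermissionsError( 'upload' );
		}
		// ... unchanged remainder ...
	}
}
```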

Event Timeline

ashley changed the task status from Open to In Progress. Sep 6 2023, 12:53 AM
ashley claimed this task.

The patch got merged and this is now resolved.

Bawolff changed the visibility from "Custom Policy" to "Public (No Login Required)". Sep 21 2023, 12:04 PM
Bawolff changed the edit policy from "Custom Policy" to "All Users".
Mstyles renamed this task from SportsTeams: Special:SportsManagerLogo and Special:SportsTeamsManagerLogo should check for the "sportsteamsmanager" user right to CVE-2023-45370: SportsTeams: Special:SportsManagerLogo and Special:SportsTeamsManagerLogo should check for the "sportsteamsmanager" user right. Oct 10 2023, 4:02 PM