Page MenuHomePhabricator
Create Task
Maniphest T34716

$wgWhitelistRead leaks username data (Because it allows viewing ?action=history)
Open, LowPublicFeature
Actions

Description

$wgWhitelistRead allows actions other than reading for a page. This can leak account names on wikis where they're supposed to be private: http://arbcom.en.wikipedia.org/w/index.php?title=Main_Page&action=history
http://en.wikipedia.org/w/index.php?title=User_talk:Kirill_Lokshin&oldid=463197526#Quick_question

Also, something weird is going on here:
http://arbcom.en.wikipedia.org/wiki/Main_Page
http://arbcom.en.wikipedia.org/w/index.php?title=Main_Page

Version: unspecified
Severity: enhancement

Details

Reference
bz32716
SubjectRepoBranchLines +/-
SECURITY: Require 'read' right for most actionsmediawiki/coremaster+21 -0
SECURITY: Require 'read' right for most actionsmediawiki/coreREL1_36+21 -0
SECURITY: Require 'read' right for most actionsmediawiki/coreREL1_37+21 -0
SECURITY: Require 'read' right for most actionsmediawiki/coreREL1_35+21 -0
Customize query in gerrit

Related Objects
Search...

Event Timeline

bzimport raised the priority of this task from to Low.Nov 22 2014, 12:05 AM
bzimport added a project: MediaWiki-General.
bzimport set Reference to bz32716.
bzimport added a subscriber: Unknown Object (MLST).
Emufarmers created this task.Nov 30 2011, 3:20 AM
RobLa-WMF added a comment.Feb 2 2012, 12:56 AM

Sam, could you take a look at this one?

Reedy added a comment.Feb 2 2012, 3:17 PM

I'm presuming that the wiki falls under "private"...

'private' => array( 'Main Page', 'Special:Userlogin', 'Special:Userlogout', '-', 'MediaWiki:Monobook.css', 'MediaWiki:Monobook.js' ),

MZMcBride added a comment.Feb 3 2012, 11:01 PM

Some of the strange behavior being exhibited here is due to "Main Page" being whitelisted, but on this particular wiki, that page is a redirect (to "Main page").

Reedy added a comment.Feb 7 2012, 10:12 PM

CC'ing Phillippe as this is happening on arbcomwiki

Philippe-WMF added a comment.Feb 7 2012, 10:22 PM

Thanks, Reedy. Can we un-whitelist the Main page? Understanding that I'm a technical moron, and may not know the full implications of that....

tstarling added a comment.Mar 19 2012, 10:44 AM

We can remove the main page from the whitelist on wikis that want that. Some private wiki main pages actually contain useful information for the public, so I wouldn't want to just do it on all of them.

RobLa-WMF added a comment.Apr 3 2012, 9:10 PM

When I look at this:
http://arbcom.en.wikipedia.org/w/index.php?title=Main_Page&action=history

I see "(username removed)‎" and "(edit summary removed)". Is that because someone took some manual action in this case?

I'm going to assume that since this at least has a workaround, this is normal priority. It'd be helpful to have an idea of what the "right" solution is, since it's not obvious to me.

Emufarmers added a comment.Apr 4 2012, 1:46 AM

(In reply to comment #7)

I see "(username removed)‎" and "(edit summary removed)". Is that because
someone took some manual action in this case?

Yes.

I'm going to assume that since this at least has a workaround, this is normal
priority. It'd be helpful to have an idea of what the "right" solution is,
since it's not obvious to me.

The simple (conceptually, if not in implementation!) solution would be to make $wgWhitelistRead only whitelist reading (and only the current version of a page).

I think the weirdness I originally noted with "/w/index.php?title=" vs. "/wiki/" had to do with whether the content (of the redirect target?) was displayed. I assume http://arbcom.en.wikipedia.org/w/index.php?title=Main_Page&diff=next&oldid=1797 was a work-around for that. (There must also be some separate caching going on: the sidebar still looked different for one than the other until I purged the cache for the page.)

tstarling added a comment.Apr 4 2012, 2:51 AM

(In reply to comment #8)

The simple (conceptually, if not in implementation!) solution would be to make
$wgWhitelistRead only whitelist reading (and only the current version of a
page).

I don't know whether that would be acceptable for other private wikis. There may be cases where it's desirable to have version information available for public pages, and presumably it's fairly rare for private wiki users to have secret usernames.

csteipp added a comment.Apr 20 2012, 10:15 PM

Hi Sam / Tim,

Trying to understand what (if anything) needs to happen for this bug. It sounds like Tim doesn't think Emufarmer's suggesting that $wgWhitelistRead only allow reading is desirable, and I would agree. I sounds like the issue that spawned the discussion should have been solved by strong passwords and blocking ip's that attempt to brute force. So sites that really want to keep their usernames secret should be pretty rare.

But is this something that we would want to implement as an extension, for sites that want it?

tstarling added a comment.May 2 2012, 12:29 AM

(In reply to comment #10)

I sounds like the issue that spawned
the discussion should have been solved by strong passwords and blocking ip's
that attempt to brute force.

We require a captcha for IPs that attempt brute force password guessing. It seems to be effective, and avoids the collateral damage that can happen when shared IPs are blocked.

csteipp added a comment.May 2 2012, 4:35 PM

(In reply to comment #11)

We require a captcha for IPs that attempt brute force password guessing. It
seems to be effective, and avoids the collateral damage that can happen when
shared IPs are blocked.

Very cool. I was hoping something like that existed, but hadn't come across it yet.

(In reply to comment #8)

The simple (conceptually, if not in implementation!) solution would be to make
$wgWhitelistRead only whitelist reading (and only the current version of a
page).

So in response to this recommendation specifically, it sounds like an enhancement that would be nice to have for sites that want some extra security through obscurity. Should we classify this as an enhancement request, and add it to the backlog?

tstarling added a comment.Aug 15 2012, 11:54 PM

(In reply to comment #12)

So in response to this recommendation specifically, it sounds like an
enhancement that would be nice to have for sites that want some extra security
through obscurity. Should we classify this as an enhancement request, and add
it to the backlog?

Yes.

jeremyb-phone subscribed.Dec 29 2014, 4:40 PM
Krenair subscribed.Jan 21 2015, 1:39 PM
csteipp added a project: acl*security.Mar 26 2015, 8:39 PM
Luke081515 subscribed.Sep 13 2015, 6:29 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptSep 13 2015, 6:29 PM
Nemo_bis added a project: OKR-Work.Mar 13 2016, 10:14 AM
Restricted Application added a subscriber: Malyacko. · View Herald TranscriptMar 13 2016, 10:14 AM
csteipp mentioned this in T134100: On private wikis, login form shouldn't distinguish between login failure due to bad username and bad password.May 3 2016, 9:18 PM
Bawolff renamed this task from $wgWhitelistRead leaks username data to $wgWhitelistRead leaks username data (Because it allows viewing ?action=history).Dec 10 2017, 2:29 PM
Bawolff added a project: Vuln-Infoleak.Dec 10 2017, 2:32 PM
Krinkle subscribed.Aug 18 2018, 6:30 AM

If/when a distinction is made for actions, I assume all non-view actions will become restricted. Just for the record, the current visibility is not limited to action=history, it applies to others as well, such as action=info, and edit notices on action=edit.

chasemp added a project: Security.Feb 10 2020, 11:00 PM
Krinkle unsubscribed.Feb 11 2020, 12:14 AM
chasemp removed a project: acl*security.Feb 20 2020, 8:08 PM
Aklapper removed a subscriber: wikibugs-l-list.Apr 12 2020, 9:55 AM
Zabe subscribed.Oct 4 2021, 5:14 PM
Legoktm mentioned this in T297322: CVE-2021-44857, CVE-2021-44858: Unauthorized users can undo edits on any protected page and view contents of private wikis using mcrundo .Dec 9 2021, 5:18 PM
taavi mentioned this in T297416: Restrict access to most actions on $wgWhitelistRead pages on private wikis.Dec 9 2021, 5:46 PM
Legoktm claimed this task.Dec 14 2021, 11:30 PM
Legoktm added a parent task: T292227: Tracking bug for MediaWiki 1.35.5/1.36.3/1.37.1.Dec 15 2021, 3:17 AM
Reedy removed a project: OKR-Work.Dec 15 2021, 12:07 PM
Reedy removed subscribers: Philippe-WMF, RobLa-WMF.
gerritbot added a comment.Dec 15 2021, 7:30 PM

Change 747573 had a related patch set uploaded (by Reedy; author: Legoktm):

[mediawiki/core@REL1_35] SECURITY: Require 'read' right for most actions

https://gerrit.wikimedia.org/r/747573

gerritbot added a project: Patch-For-Review.Dec 15 2021, 7:30 PM

Change 747580 had a related patch set uploaded (by Reedy; author: Legoktm):

[mediawiki/core@REL1_36] SECURITY: Require 'read' right for most actions

https://gerrit.wikimedia.org/r/747580

gerritbot added a comment.Dec 15 2021, 7:32 PM

Change 747587 had a related patch set uploaded (by Reedy; author: Legoktm):

[mediawiki/core@REL1_37] SECURITY: Require 'read' right for most actions

https://gerrit.wikimedia.org/r/747587

gerritbot added a comment.Dec 15 2021, 7:46 PM

Change 747598 had a related patch set uploaded (by Reedy; author: Legoktm):

[mediawiki/core@master] SECURITY: Require 'read' right for most actions

https://gerrit.wikimedia.org/r/747598

gerritbot added a comment.Dec 15 2021, 7:47 PM

Change 747573 merged by jenkins-bot:

[mediawiki/core@REL1_35] SECURITY: Require 'read' right for most actions

https://gerrit.wikimedia.org/r/747573

Reedy closed this task as Resolved.Dec 15 2021, 7:54 PM
gerritbot added a comment.Dec 15 2021, 8:02 PM

Change 747587 merged by jenkins-bot:

[mediawiki/core@REL1_37] SECURITY: Require 'read' right for most actions

https://gerrit.wikimedia.org/r/747587

gerritbot added a comment.Dec 15 2021, 8:25 PM

Change 747580 merged by jenkins-bot:

[mediawiki/core@REL1_36] SECURITY: Require 'read' right for most actions

https://gerrit.wikimedia.org/r/747580

gerritbot added a comment.Dec 15 2021, 8:46 PM

Change 747598 merged by jenkins-bot:

[mediawiki/core@master] SECURITY: Require 'read' right for most actions

https://gerrit.wikimedia.org/r/747598

Maintenance_bot removed a project: Patch-For-Review.Dec 15 2021, 9:11 PM
Osnard mentioned this in T297896: Apply changes from 1.35.5 to unsupported legacy branch `REL1_31`.Dec 16 2021, 4:31 PM
Dylsss reopened this task as Open.Dec 17 2021, 10:48 PM
Dylsss subscribed.

Boldly reopening because the actual issue of usernames being leaked isn't truly fixed, and the exact same information is still available in other ways, e.g. via diffs and old revisions. All that needs to be done is append ?diff=next to the URL to access usernames, comments and older revisions.

Legoktm added a comment.Dec 18 2021, 3:50 AM

Yeah, you're right. I've been brainstorming on splitting out diffs into a separate action (action=diff), which would then require the 'read' right, mostly as a way of reducing the attack surface and complexity of action=view. But then you could still brute force oldids to get history, so I'm not really sure this is a solvable problem, or at least I'm not sure we care enough to fully solve it.

Legoktm removed Legoktm as the assignee of this task.Dec 23 2021, 5:56 PM
Aklapper changed the subtype of this task from "Task" to "Feature Request".Feb 4 2022, 11:00 AM
Stang mentioned this in T321796: Add main page on non-English privatewiki to wgWhitelistRead.Oct 27 2022, 8:23 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL