Page MenuHomePhabricator
Create Task
Maniphest T354045

API incorrectly marks formatted html output as public cacheable even though it contains csrf token
Closed, ResolvedPublicSecurity
Actions

Description

Note: not exploitable in WMF's config, see bottom for details why.

Consider a URL like https://en.wikipedia.org/w/api.php?action=query&uselang=en&maxage=6000&smaxage=6000&uselang=en

If you are logged in, the response body will contain your edit token (Inside a blob of JS on the page).

It will also contain the header cache-control: s-maxage=6000, max-age=6000, public even if you are logged in

This is a signal to proxies that this response is safe to cache in a shared cache.

We should not be sending public cache headers for any request with private user data in it.

In theory, the vary: cookie header should stop compliant proxies from doing anything bad, but often people disable varrying on all cookies.

This is not exploitable on WMF as far as i can tell because CDN servers refuse to cache anything where the request has a cookie with session or token in the name. I believe this might be exploitable in other configurations of MediaWiki with different varnish configs. You can get around that using centralauthtoken parameter, however this puts RL into safe mode, and i couldn't find anything useful to do with a cached safemode request where the URL is unguessable (POST of course, also causes it to become uncacheable).

Anyways, i don't think this is exploitable, but definitely not best practise. Anything using a "formatted" output should be marked 'anon-public-user-private' similar to how uselang=user is handled.

Details

Risk Rating
Low
Author Affiliation
Wikimedia Communities
SubjectRepoBranchLines +/-
API: mark HTML output as non-cacheablemediawiki/coreREL1_41+50 -0
API: mark HTML output as non-cacheablemediawiki/coreREL1_40+50 -0
API: mark HTML output as non-cacheablemediawiki/coreREL1_39+50 -0
API: mark HTML output as non-cacheablemediawiki/coremaster+50 -0
Customize query in gerrit

Event Timeline

Bawolff created this task.Dec 27 2023, 6:46 AM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptDec 27 2023, 6:46 AM
Bawolff added a project: MediaWiki-Action-API.Dec 27 2023, 6:48 AM
Cleo_Lemoisson assigned this task to Mstyles.Jan 8 2024, 5:11 PM
Mstyles added projects: SecTeam-Processed, Vuln-Infoleak, MediaWiki-Engineering.Jan 8 2024, 11:09 PM

Since this is not exploitable on WMF servers, I'm marking this as a low risk ticket. However, it would still be valuable for someone from the Mediawiki Engineering team to check this out since CSRF tokens shouldn't be viewable at all, anywhere.

Mstyles changed Risk Rating from N/A to Low.Jan 8 2024, 11:09 PM
Mstyles removed a project: Security-Team.
Atieno moved this task from Inbox, needs triage to MediaWiki Interfaces team on the MediaWiki-Engineering board.Jan 10 2024, 1:37 PM
Atieno added a project: API Platform.
Jdforrester-WMF added a project: MW-1.42-notes (1.42.0-wmf.14; 2024-01-16).Jan 12 2024, 3:37 PM
Ladsgroup added a subscriber: FJoseph-WMF.Jan 24 2024, 2:43 PM
daniel closed this task as Resolved.Jan 24 2024, 3:20 PM
daniel subscribed.

I just confirmed that the response from the URL given in the task description now contains cache-control: private, must-revalidate, max-age=6000. Resolving.

sbassett edited projects, added MW-Interfaces-Team; removed API Platform.Jan 24 2024, 4:59 PM
sbassett changed the visibility from "Custom Policy" to "Public (No Login Required)".
sbassett changed the edit policy from "Custom Policy" to "All Users".
gerritbot added a comment.Jan 24 2024, 8:19 PM

Change 992771 had a related patch set uploaded (by Zabe; author: Daniel Kinzler):

[mediawiki/core@REL1_41] API: mark HTML output as non-cacheable

https://gerrit.wikimedia.org/r/992771

gerritbot added a project: Patch-For-Review.Jan 24 2024, 8:19 PM

Change 992772 had a related patch set uploaded (by Zabe; author: Daniel Kinzler):

[mediawiki/core@REL1_40] API: mark HTML output as non-cacheable

https://gerrit.wikimedia.org/r/992772

gerritbot added a comment.Jan 24 2024, 8:19 PM

Change 992773 had a related patch set uploaded (by Zabe; author: Daniel Kinzler):

[mediawiki/core@REL1_39] API: mark HTML output as non-cacheable

https://gerrit.wikimedia.org/r/992773

gerritbot added a comment.Jan 25 2024, 12:11 AM

Change 992773 merged by jenkins-bot:

[mediawiki/core@REL1_39] API: mark HTML output as non-cacheable

https://gerrit.wikimedia.org/r/992773

gerritbot added a comment.Jan 25 2024, 12:13 AM

Change 992772 merged by jenkins-bot:

[mediawiki/core@REL1_40] API: mark HTML output as non-cacheable

https://gerrit.wikimedia.org/r/992772

gerritbot added a comment.Jan 25 2024, 12:23 AM

Change 992771 merged by jenkins-bot:

[mediawiki/core@REL1_41] API: mark HTML output as non-cacheable

https://gerrit.wikimedia.org/r/992771

Maintenance_bot removed a project: Patch-For-Review.Jan 25 2024, 12:30 AM
ReleaseTaggerBot added projects: MW-1.39-notes, MW-1.40-notes, MW-1.41-notes.Jan 25 2024, 2:00 AM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits