Page MenuHomePhabricator
Create Task
Maniphest T361293

CVE-2024-40606: Special:CheckUser 'Get users' shows hidden usernames to those who do not have the rights to see it
Closed, ResolvedPublic2 Estimated Story PointsSecurity
Actions

Assigned To
Dreamy_Jazz
Authored By
Dreamy_Jazz
Mar 28 2024, 7:54 PM
Tags
Referenced Files
F45691398: 2024-04-10_11-32-52.png
Apr 10 2024, 6:39 PM
F45689843: 2024-04-10_11-16-12.png
Apr 10 2024, 6:39 PM
F45689241: 2024-04-10_09-41-16.png
Apr 10 2024, 6:39 PM
F45689156: 2024-04-10_09-45-10.png
Apr 10 2024, 6:39 PM
F45688500: 2024-04-10_09-47-31.png
Apr 10 2024, 6:39 PM
F45691413: 2024-04-10_11-33-37.png
Apr 10 2024, 6:39 PM
F45689825: 2024-04-10_11-16-32.png
Apr 10 2024, 6:39 PM
F45688974: 2024-04-10_09-48-59.png
Apr 10 2024, 6:39 PM
View All 14 Files
Subscribers
Aklapper
Djackson-ctr
dom_walden
Dreamy_Jazz
gerritbot
GMikesell-WMF
kostajh
View All 9 Subscribers

Description

If a user with the checkuser group but not the suppressor group runs a 'Get users' check using Special:CheckUser on an IP address that the hidden user has used, they can see the username of the hidden user in the results list.

For example:

The block entry with hideuser setThe user appearing in the results list for a user without the suppressor groupThe contributions page for that hidden user
image.png (96×1 px, 39 KB)
image.png (280×1 px, 68 KB)
image.png (304×1 px, 28 KB)
Steps to reproduce
  1. Block a user with hideuser enabled using an account with the suppressor group
  2. Log into an account with just the checkuser group
  3. Run a 'Get users' check in Special:CheckUser on the IP address used by the account that was blocked in step 2
  4. Search for the username of the blocked user

What happens
The username of the hidden user is shown

What should happen
The username of the hidden should not be visible on the page and is replaced with username hidden

QA Results - Local

ACStatusDetails
1https://phabricator.wikimedia.org/T361293 here

Details

Author Affiliation
WMF Technology
Related Changes in Gerrit:
SubjectRepoBranchLines +/-
SECURITY: Hide hideuser blocked users in 'Get users'mediawiki/extensions/CheckUserREL1_39+123 -103
SECURITY: Hide hideuser blocked users in 'Get users'mediawiki/extensions/CheckUserREL1_40+117 -97
SECURITY: Hide hideuser blocked users in 'Get users'mediawiki/extensions/CheckUserREL1_41+197 -97
SECURITY: Hide hideuser blocked users in 'Get users'mediawiki/extensions/CheckUsermaster+193 -97
Customize query in gerrit

Related Objects

Event Timeline

Dreamy_Jazz created this task.Mar 28 2024, 7:54 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptMar 28 2024, 7:54 PM
Dreamy_Jazz updated the task description. (Show Details)Mar 28 2024, 7:54 PM
Dreamy_Jazz added projects: CheckUser, Trust and Safety Product Team.
Dreamy_Jazz updated the task description. (Show Details)Mar 28 2024, 7:58 PM
JJMC89 added a project: Vuln-Infoleak.Mar 28 2024, 8:11 PM
Dreamy_Jazz added a project: Trust and Safety Product Sprint (Sprint Tabla (1st - 14th April)).Mar 28 2024, 8:14 PM
Dreamy_Jazz added subscribers: Tchanders, STran, kostajh.
Dreamy_Jazz moved this task from Priority Backlog to In Progress on the Trust and Safety Product Sprint (Sprint Tabla (1st - 14th April)) board.Apr 1 2024, 2:05 PM
Dreamy_Jazz set the point value for this task to 2.Apr 1 2024, 4:30 PM
Dreamy_Jazz moved this task from In Progress to Needs Review on the Trust and Safety Product Sprint (Sprint Tabla (1st - 14th April)) board.Apr 1 2024, 5:16 PM

Proposed patch:

T361293.patch15 KBDownload

Dreamy_Jazz added a project: Patch-For-Review.Apr 2 2024, 9:07 AM
Dreamy_Jazz claimed this task.Apr 2 2024, 10:43 AM
sbassett mentioned this in T361321: Write and send supplementary release announcement for extensions and skins with security patches (1.39.8/1.40.4/1.41.2/1.42.0).Apr 2 2024, 5:53 PM
sbassett added a project: security-bug.Apr 2 2024, 6:59 PM
Tchanders added a comment.Apr 3 2024, 9:40 AM

Looks good to me: +2

Dreamy_Jazz added a comment.Apr 3 2024, 9:45 AM

I'll deploy this now.

Dreamy_Jazz moved this task from Needs Review to In Progress on the Trust and Safety Product Sprint (Sprint Tabla (1st - 14th April)) board.Apr 3 2024, 10:02 AM
Dreamy_Jazz moved this task from In Progress to Ready on the Trust and Safety Product Sprint (Sprint Tabla (1st - 14th April)) board.Apr 3 2024, 10:19 AM
Dreamy_Jazz moved this task from Ready to In Progress on the Trust and Safety Product Sprint (Sprint Tabla (1st - 14th April)) board.
Dreamy_Jazz added a comment.Apr 3 2024, 12:46 PM

As this fix has been deployed to production and the CheckUser extension is not in the tarball, the fix can be uploaded to gerrit now as done for previous CheckUser security bugs. To avoid merge conflicts and to allow QA sooner than later, I will do that.

Dreamy_Jazz added a subscriber: gerritbot.Apr 3 2024, 12:46 PM
gerritbot added a comment.Apr 3 2024, 12:48 PM

Change #1016763 had a related patch set uploaded (by Dreamy Jazz; author: Dreamy Jazz):

[mediawiki/extensions/CheckUser@master] SECURITY: Hide hideuser blocked users in 'Get users'

https://gerrit.wikimedia.org/r/1016763

gerritbot added a comment.Apr 3 2024, 1:20 PM

Change #1016763 merged by jenkins-bot:

[mediawiki/extensions/CheckUser@master] SECURITY: Hide hideuser blocked users in 'Get users'

https://gerrit.wikimedia.org/r/1016763

gerritbot added a comment.Apr 3 2024, 3:26 PM

Change #1016777 had a related patch set uploaded (by Dreamy Jazz; author: Dreamy Jazz):

[mediawiki/extensions/CheckUser@REL1_41] SECURITY: Hide hideuser blocked users in 'Get users'

https://gerrit.wikimedia.org/r/1016777

Jdforrester-WMF added a project: MW-1.42-notes (1.42.0-wmf.26; 2024-04-09).Apr 3 2024, 4:02 PM
gerritbot added a comment.Apr 3 2024, 5:39 PM

Change #1016779 had a related patch set uploaded (by Dreamy Jazz; author: Dreamy Jazz):

[mediawiki/extensions/CheckUser@REL1_40] SECURITY: Hide hideuser blocked users in 'Get users'

https://gerrit.wikimedia.org/r/1016779

gerritbot added a comment.Apr 3 2024, 5:43 PM

Change #1016780 had a related patch set uploaded (by Dreamy Jazz; author: Dreamy Jazz):

[mediawiki/extensions/CheckUser@REL1_39] SECURITY: Hide hideuser blocked users in 'Get users'

https://gerrit.wikimedia.org/r/1016780

gerritbot added a comment.Apr 3 2024, 5:50 PM

Change #1016777 merged by jenkins-bot:

[mediawiki/extensions/CheckUser@REL1_41] SECURITY: Hide hideuser blocked users in 'Get users'

https://gerrit.wikimedia.org/r/1016777

gerritbot added a comment.Apr 3 2024, 6:00 PM

Change #1016779 merged by jenkins-bot:

[mediawiki/extensions/CheckUser@REL1_40] SECURITY: Hide hideuser blocked users in 'Get users'

https://gerrit.wikimedia.org/r/1016779

gerritbot added a comment.Apr 3 2024, 6:21 PM

Change #1016780 merged by jenkins-bot:

[mediawiki/extensions/CheckUser@REL1_39] SECURITY: Hide hideuser blocked users in 'Get users'

https://gerrit.wikimedia.org/r/1016780

sbassett edited projects, added SecTeam-Processed; removed Patch-For-Review, Security-Team.Apr 3 2024, 7:09 PM
Dreamy_Jazz moved this task from In Progress to Needs QA on the Trust and Safety Product Sprint (Sprint Tabla (1st - 14th April)) board.Apr 4 2024, 1:31 PM
Dreamy_Jazz added subscribers: dom_walden, GMikesell-WMF, Djackson-ctr.Apr 4 2024, 1:41 PM
mmartorana changed the task status from Open to In Progress.Apr 4 2024, 2:24 PM
mmartorana triaged this task as Medium priority.
hashar subscribed.Apr 9 2024, 8:25 AM

I have removed the patch from the deployment server since it got merged and made its way to the MediaWiki deployment train this week.

Dreamy_Jazz updated the task description. (Show Details)Apr 9 2024, 9:45 PM
hashar unsubscribed.Apr 10 2024, 12:50 PM
GMikesell-WMF added a comment.Apr 10 2024, 6:39 PM

@Dreamy_Jazz The username is not shown when you just have check user rights but not suppressor, as seen in the screenshots below. I will move this to Done. Thanks for all your work and steps!

Status: ✅PASS
Environment: Local: 1.43.0-alpha (da9ac63) 17:05, 9 April 2024; Checkuser: 2.5 (eda557a) 19:43, 9 April 2024
OS: macOS Sonoma 14.4.1
Browser: Chrome 123, Firefox 123, Safari 17.3
Skins. Vector 2022, Vector 2010, Minerva, Monobook, Timeless
Device: MBA M2
Emulated Device:: n/a
Test Links:
Special:Checkuser
Special:CheckUserLog
Special:Contributions
Special:Investigate
http://localhost:8080/wiki/Cat

✅AC1: https://phabricator.wikimedia.org/T361293

RightsUser RightsSpecial:CheckuserSpecial:ContributionsSpecial:CheckUserLogSpecial:Investigate
Checkuser & Suppressor
2024-04-10_09-47-55.png (441×3 px, 132 KB)
2024-04-10_09-48-41.png (1×3 px, 277 KB)
2024-04-10_09-48-59.png (303×3 px, 99 KB)
2024-04-10_11-16-32.png (667×3 px, 169 KB)
2024-04-10_11-33-37.png (613×3 px, 159 KB)
Just Checkuser
2024-04-10_09-47-31.png (438×3 px, 134 KB)
2024-04-10_09-45-10.png (1×3 px, 305 KB)
2024-04-10_09-41-16.png (400×3 px, 96 KB)
2024-04-10_11-16-12.png (670×3 px, 165 KB)
2024-04-10_11-32-52.png (609×3 px, 162 KB)
GMikesell-WMF updated the task description. (Show Details)Apr 10 2024, 6:40 PM
GMikesell-WMF moved this task from Needs QA to Done on the Trust and Safety Product Sprint (Sprint Tabla (1st - 14th April)) board.
Dreamy_Jazz closed this task as Resolved.Apr 10 2024, 7:11 PM
Dreamy_Jazz moved this task from Inbox to CheckUser on the CheckUser board.May 28 2024, 4:50 PM
mmartorana renamed this task from Special:CheckUser 'Get users' shows hidden usernames to those who do not have the rights to see it to CVE-2024-40606: Special:CheckUser 'Get users' shows hidden usernames to those who do not have the rights to see it.Jul 8 2024, 5:32 PM
mmartorana changed the visibility from "Custom Policy" to "Public (No Login Required)".Jul 10 2024, 8:50 AM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits