Page MenuHomePhabricator
Create Task
Maniphest T363884

CVE-2024-40603: Special:ChangeRating is vulnerable to CSRF
Closed, ResolvedPublicSecurity
Actions

Description

Special:ChangeRating can be used to change a page's rating, but the page has no token checking and on top of that, it does write queries on a GET request (!).

I'll fix this soon-ish together with a bunch of other "modernization"/cleanup patches to ARE...

Details

SubjectRepoBranchLines +/-
[SECURITY] Fix CSRF in Special:ChangeRatingmediawiki/extensions/ArticleRatingsREL1_41+14 -4
[SECURITY] Fix CSRF in Special:ChangeRatingmediawiki/extensions/ArticleRatingsREL1_42+14 -4
[SECURITY] Fix CSRF in Special:ChangeRatingmediawiki/extensions/ArticleRatingsREL1_40+14 -4
[SECURITY] Fix CSRF in Special:ChangeRatingmediawiki/extensions/ArticleRatingsmaster+14 -4
Customize query in gerrit

Related Objects

Event Timeline

ashley created this task.May 1 2024, 1:02 AM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptMay 1 2024, 1:02 AM
ashley claimed this task.May 1 2024, 1:03 AM
ashley added projects: ArticleRatings, Vuln-CSRF.
ashley moved this task from Backlog to Bugs on the ArticleRatings board.May 1 2024, 1:52 PM
Bawolff subscribed.May 1 2024, 10:26 PM

the patch at https://pastebin.com/9wVWHEpa lgtm

ashley mentioned this in rEARAc4cb89b5e65c: [SECURITY] Fix CSRF in Special:ChangeRating.May 1 2024, 10:44 PM
ashley closed this task as Resolved.May 1 2024, 10:49 PM
Bawolff changed the visibility from "Custom Policy" to "Public (No Login Required)".May 1 2024, 10:52 PM
Bawolff changed the edit policy from "Custom Policy" to "All Users".
sbassett edited projects, added SecTeam-Processed; removed Security-Team.May 2 2024, 3:24 PM
sbassett mentioned this in T361321: Write and send supplementary release announcement for extensions and skins with security patches (1.39.8/1.40.4/1.41.2/1.42.0).
gerritbot added a comment.Jul 3 2024, 2:39 PM

Change #1051766 had a related patch set uploaded (by Mmartorana; author: Jack Phoenix):

[mediawiki/extensions/ArticleRatings@REL1_41] [SECURITY] Fix CSRF in Special:ChangeRating

https://gerrit.wikimedia.org/r/1051766

gerritbot added a project: Patch-For-Review.Jul 3 2024, 2:39 PM

Change #1051767 had a related patch set uploaded (by Mmartorana; author: Jack Phoenix):

[mediawiki/extensions/ArticleRatings@REL1_42] [SECURITY] Fix CSRF in Special:ChangeRating

https://gerrit.wikimedia.org/r/1051767

gerritbot added a comment.Jul 3 2024, 2:42 PM

Change #1051768 had a related patch set uploaded (by Mmartorana; author: Jack Phoenix):

[mediawiki/extensions/ArticleRatings@REL1_40] [SECURITY] Fix CSRF in Special:ChangeRating

https://gerrit.wikimedia.org/r/1051768

gerritbot added a comment.Jul 5 2024, 7:38 PM

Change #1051768 abandoned by Umherirrender:

[mediawiki/extensions/ArticleRatings@REL1_40] [SECURITY] Fix CSRF in Special:ChangeRating

Reason:

REL1_40 is end of life

https://gerrit.wikimedia.org/r/1051768

gerritbot added a comment.Jul 5 2024, 7:45 PM

Change #1051767 merged by Umherirrender:

[mediawiki/extensions/ArticleRatings@REL1_42] [SECURITY] Fix CSRF in Special:ChangeRating

https://gerrit.wikimedia.org/r/1051767

gerritbot added a comment.Jul 5 2024, 7:46 PM

Change #1051766 merged by jenkins-bot:

[mediawiki/extensions/ArticleRatings@REL1_41] [SECURITY] Fix CSRF in Special:ChangeRating

https://gerrit.wikimedia.org/r/1051766

mmartorana mentioned this in rEARAafe43a708efd: [SECURITY] Fix CSRF in Special:ChangeRating.Jul 5 2024, 7:50 PM
mmartorana mentioned this in rEARA319b62b4d168: [SECURITY] Fix CSRF in Special:ChangeRating.
mmartorana renamed this task from Special:ChangeRating is vulnerable to CSRF to CVE-2024-40603: Special:ChangeRating is vulnerable to CSRF.Jul 8 2024, 5:38 PM
Maintenance_bot removed a project: Patch-For-Review.Jul 9 2024, 7:51 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits