
CVE-2024-47846: Special:DeleteCargoTable and Special:SwitchCargoTable have no CSRF protection
Closed, Resolved · Public · Security

Assigned To
Authored By
BlankEclair
Aug 11 2024, 1:32 AM
Referenced Files
F57573802: 2024-10-01_08-59.png
Sep 30 2024, 11:00 PM
F57573803: 2024-10-01_08-59_1.png
Sep 30 2024, 11:00 PM
F57269667: cargo-no-csrf-poc.mp4
Aug 12 2024, 4:14 PM
F57269665: T372209-poc.html
Aug 12 2024, 4:14 PM
F57267189: T372209.patch
Aug 11 2024, 11:01 AM
F57261316: cargo-delete-csrf.mp4
Aug 11 2024, 1:32 AM

Description

Steps to replicate the issue (include links if applicable):

  • Install MediaWiki and Cargo
  • Log in as an account with the recreatecargodata and deletecargodata rights
  • Save the following into Template:Cargo/deletetest: <noinclude>{{#cargo_declare: _table = cargodeletetest}}</noinclude>
  • Go to Template:Cargo/deletetest?action=recreatedata and create the table
  • CSRF for Special:DeleteCargoTable:
    • Lure the victim to go to Special:DeleteCargoTable/cargodeletetest?delete
  • CSRF for Special:SwitchCargoTable:
    • Go to Template:Cargo/deletetest?action=recreatedata again and create the replacement table
    • Lure the victim to go to Special:SwitchCargoTable/cargodeletetest?switch

What happens?
The deletion or switch is prevented

What should have happened instead?
The deletion or switch happens

Software version (on Special:Version page; skip for WMF-hosted wikis like Wikipedia):

  • MediaWiki: 1.42.1 (523b312) 15:03, 1 August 2024
  • PHP: 8.1.20 (fpm-fcgi)
  • MariaDB: 11.4.2-MariaDB
  • Cargo: 3.6.1 (903c36c) 19:36, 6 August 2024

Other information (browser name/version, screenshots, etc.):
See also: https://www.mediawiki.org/wiki/Special:MyLanguage/Cross-site_request_forgery

Screen recording for Special:DeleteCargoTable:

Details

Risk Rating
Medium
Author Affiliation
Wikimedia Communities

Event Timeline

BlankEclair renamed this task from Special:DeleteCargoTable has no CSRF protection to Special:DeleteCargoTable and Special:SwitchCargoTable have no CSRF protection.Aug 11 2024, 1:44 AM
BlankEclair updated the task description. (Show Details)

@BlankEclair - thank you for this patch. Any security leak is bad, so I plan to check this fix in, but I just want to make sure I understand this problem, because it seems surprisingly minor. A malicious user can convince an administrator that the admin deleted or switched a Cargo table, where in actuality nothing was done?

No, the issue is that a malicious user can cause an administrator to delete or switch a table by simply letting them visit a link. (I've tried to use <iframe>s and <img>s to covertly trigger this bug as a PoC, but they refused to load or didn't send cookies for some reason).

I've made an example POC here:

Screen recording:

(I also accidentally said "We have not deleted your replacement table" when I meant just "table", oops)
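Editor's added illustration (not code from the task, from Cargo, or from the linked Gerrit change): the two request-handling shapes at issue here. The first performs the destructive action on any GET carrying a `?delete` parameter, which is exactly what lets a logged-in administrator be lured into dropping a table by following a link. The second accepts the action only on a POST that carries a valid per-session edit token, so a cross-site page, which cannot read the victim's token, has nothing to forge. The class name, the special-page name, the `deleteCargoTable()` helper and the `cargo__` table prefix are assumptions made for the example; the MediaWiki calls (`wasPosted`, `getCheck`, `matchEditToken`, `getEditToken`, `Html::hidden`) are the core APIs for this check.

```php
<?php
/**
 * Added illustration, NOT Cargo's code: the GET-triggered shape the report
 * describes (Special:DeleteCargoTable/<table>?delete drops the table) beside
 * a hardened shape that requires POST plus a valid edit token.
 *
 * Assumptions: class name, special-page name and the deleteCargoTable()
 * helper are hypothetical; "cargo__<table>" as the backing table name is an
 * assumption about Cargo's schema, not something stated in the task.
 */

use MediaWiki\Html\Html;          // MediaWiki 1.40+; older releases use the global Html class
use MediaWiki\MediaWikiServices;

class SpecialDeleteCargoTableExample extends SpecialPage {

	public function __construct() {
		// Second argument restricts the page to users holding the deletecargodata right
		parent::__construct( 'DeleteCargoTableExample', 'deletecargodata' );
	}

	/**
	 * VULNERABLE shape, kept only for contrast and never wired up.
	 * checkPermissions() answers "may this user delete?", not "did this
	 * user just ask to delete?". Any GET with ?delete, including one the
	 * victim follows from an attacker's page, reaches the drop.
	 */
	public function executeVulnerable( $subPage ) {
		$this->checkPermissions();
		$out = $this->getOutput();
		if ( $this->getRequest()->getCheck( 'delete' ) ) {
			$this->deleteCargoTable( (string)$subPage );
			$out->addHTML( Html::element( 'p', [], "Deleted table $subPage" ) );
			return;
		}
		// The "confirmation" is just a link, i.e. another GET.
		$out->addHTML( Html::element( 'a',
			[ 'href' => $this->getPageTitle( $subPage )->getLocalURL( [ 'delete' => '1' ] ) ],
			'Delete this table' ) );
	}

	/**
	 * HARDENED shape: the destructive step runs only on a POST carrying the
	 * session's edit token. A plain link is a GET and cannot reach it, and a
	 * forged cross-site POST cannot supply a token it never saw.
	 */
	public function execute( $subPage ) {
		$this->setHeaders();
		$this->checkPermissions();
		$request = $this->getRequest();
		$out = $this->getOutput();
		$user = $this->getUser();

		$confirmed = $request->wasPosted()
			&& $request->getCheck( 'delete' )
			&& $user->matchEditToken( $request->getVal( 'wpEditToken' ) );

		if ( $confirmed ) {
			$this->deleteCargoTable( (string)$subPage );
			$out->addHTML( Html::element( 'p', [], "Deleted table $subPage" ) );
			return;
		}

		// A GET, or a POST with a missing/stale token, only renders the form.
		$out->addHTML(
			Html::openElement( 'form', [
				'method' => 'post',
				'action' => $this->getPageTitle( $subPage )->getLocalURL(),
			] ) .
			Html::element( 'p', [], "Really delete the Cargo table \"$subPage\"?" ) .
			Html::hidden( 'wpEditToken', $user->getEditToken() ) .
			Html::submitButton( 'Delete', [ 'name' => 'delete' ] ) .
			Html::closeElement( 'form' )
		);
	}

	/** Hypothetical helper: validate the name, then drop the backing table. */
	private function deleteCargoTable( string $tableName ): void {
		if ( !preg_match( '/^[A-Za-z0-9_]+$/', $tableName ) ) {
			throw new InvalidArgumentException( "Bad Cargo table name: $tableName" );
		}
		$dbw = MediaWikiServices::getInstance()->getDBLoadBalancer()
			->getMaintenanceConnectionRef( DB_PRIMARY );
		// "cargo__" prefix is an assumption about Cargo's schema, see header comment
		$dbw->dropTable( 'cargo__' . $tableName, __METHOD__ );
	}
}
```

Two practical notes. In core MediaWiki, building the confirmation with `HTMLForm::factory( 'ooui', $fields, $this->getContext() )` adds and validates `wpEditToken` for you, so it is the shortest route to the same guarantee; the hand-rolled form above just makes the check visible. And the observation earlier in the thread that `<iframe>`/`<img>` PoCs did not send cookies is consistent with Chromium-based browsers treating cookies without a SameSite attribute as Lax: such cookies travel on a top-level navigation (the victim following a link), but not on cross-site subresource loads, so the link-lure variant is the one that matters for a GET-triggered action like this.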

@BlankEclair - thank you for the patch, the explanation, and that very illustrative example! I just checked in your fix, here:

https://gerrit.wikimedia.org/r/c/mediawiki/extensions/Cargo/+/1062723

Can this task be public now?

Can an ext:Cargo maintainer or user confirm that the CSRF issues have been fully-resolved via https://gerrit.wikimedia.org/r/c/mediawiki/extensions/Cargo/+/1062723?

sbassett triaged this task as Medium priority.Oct 1 2024, 3:29 PM
sbassett changed Author Affiliation from N/A to Wikimedia Communities.
sbassett changed the visibility from "Custom Policy" to "Public (No Login Required)".
sbassett changed the edit policy from "Custom Policy" to "All Users".
sbassett changed Risk Rating from N/A to Medium.
Mstyles renamed this task from Special:DeleteCargoTable and Special:SwitchCargoTable have no CSRF protection to CVE-2024-47846: Special:DeleteCargoTable and Special:SwitchCargoTable have no CSRF protection.Oct 5 2024, 12:40 AM