CVE-2024-47913: abusefiltercheckmatch does not check the user for the abusefilter-log-detail right before matching against log details
Closed, ResolvedPublic2 Estimated Story PointsSecurity
Actions

Assigned To

Authored By

	dom_walden
	Aug 21 2024, 9:37 AM

Description

What is the problem?

For the API action abusefiltercheckmatch, I can check a pattern like user_unnamed_ip="1.2.3.4" against an AbuseFilter log entry that I don't have permission to see and, if I guess the right IP, it will return true. This applies more widely than protected filters, as this can be used to inspect the log details for logs created by private filters.

Although it requires you to guess IPs, you can use things like like and >, < in order to narrow it down.

This has been a problem since before REL1_19, as the code in rMRELb30697e94cec for the abusefiltercheckmatch API looks like it has the same problem of not checking the right.

Steps to reproduce problem

For protected filters

Create an abuse filter with condition user_unnamed_ip.
While logged out, perform an action like making an edit.
Look in Special:AbuseLog to see the log for the action you made in step 2. Make a note of the log ID (which you will see in the URL of the links for details or examine).
Login as an admin who does not have the abusefilter-access-protected-vars right.
Go to Special:ApiSandbox#action=abusefiltercheckmatch&format=json&filter=user_unnamed_ip%3D%22%3Cip%3E%22.
Fill out <ip> with the IP of the user from step 2. Fill out the logid parameter with the log ID from step 3. Submit.

Expected behaviour: The response from the API should say the user does not have the right to use protected variables.
Observed behaviour: A response:

{
    "abusefiltercheckmatch": {
        "result": true
    }
}

For private filters

Create an abuse filter with the condition summary = 'should be private' and mark it as private
Trigger the private filter by making an edit with the edit summary should be private
Look in Special:AbuseLog to see the log for the action you made in step 2. Make a note of the log ID (which you will see in the URL of the links for details or examine).
Login as an admin who does not have the abusefilter-log-detail right but has the abusefilter-modify right
Go to Special:ApiSandbox#action=abusefiltercheckmatch&format=json.
Set the filter argument as summary = 'should be private'
Fill out the logid parameter with the log ID from step 3. Submit.

Expected behaviour: The response from the API should say the user does not have rights to see abusefilter log details
Observed behaviour: A response:

{
    "abusefiltercheckmatch": {
        "result": true
    }
}

Environment

Wiki(s): Abuse Filter – (f65ed2b) 07:22, 21 August 2024.

Details

Risk Rating: Medium
Author Affiliation: WMF Technology

Related Changes in Gerrit:

Subject	Repo	Branch	Lines +/-
Use dependency injection over AbuseFilterServices in CheckMatch API	mediawiki/extensions/AbuseFilter	master	+8 -6
Fixup T372998 backport	mediawiki/extensions/AbuseFilter	REL1_39	+7 -6
Fixup T372998 backport	mediawiki/extensions/AbuseFilter	REL1_41	+5 -6
SECURITY: abusefiltercheckmatch: Check if user can see log details	mediawiki/extensions/AbuseFilter	master	+46 -0
Fixup T372998 backport	mediawiki/extensions/AbuseFilter	REL1_42	+4 -5
SECURITY: abusefiltercheckmatch: Check if user can see log details	mediawiki/extensions/AbuseFilter	REL1_39	+47 -0
SECURITY: abusefiltercheckmatch: Check if user can see log details	mediawiki/extensions/AbuseFilter	REL1_41	+47 -0
SECURITY: abusefiltercheckmatch: Check if user can see log details	mediawiki/extensions/AbuseFilter	REL1_42	+47 -0

Customize query in gerrit

Related Objects
Search...

Status	Subtype	Assigned	Task
			Restricted Task
			Restricted Task
Resolved	Security	Dreamy_Jazz	T372998 CVE-2024-47913: abusefiltercheckmatch does not check the user for the abusefilter-log-detail right before matching against log details

Event Timeline

dom_walden created this task.Aug 21 2024, 9:37 AM

Restricted Application added a subscriber: Aklapper. · View Herald TranscriptAug 21 2024, 9:37 AM

dom_walden added projects: AbuseFilter, Vuln-Infoleak.Aug 21 2024, 9:37 AM

dom_walden added a subscriber: STran.

sbassett added a project: Temporary accounts.Aug 21 2024, 3:03 PM

sbassett added a subscriber: Daimona.

There seems to be a wider problem of the logid parameter not being checked for user permissions. Using the CheckMatch API, everyone who can use the API can inspect any abuselog entry that they would normally be allowed to see. The only checks are on the visibility of the log entry itself (abuse_filter_log.afl_deleted) and of the associated revision. To reproduce:

Find any AbuseLog entry (the filter can be public, private, or with protected variables; it doesn't matter)
Remove the abusefilter-log-detail right from sysops
Test the abusefiltercheckmatch API using the logid from above

You're allowed to check arbitrary rules against the log entry, which means you can extrapolate all the variables.

I think the solution would be the same for both issues: apply proper permission checks as done in SpecialAbuseLog and ApiQueryAbuseLog. One thing worth mentioning is that the whole AbuseLog area wasn't improved that much in the refactoring that happened a few years ago, and there are no dedicated entities/services/methods for accessing or interacting with AbuseLog entries.

kostajh added a project: Trust and Safety Product Sprint (Sprint Theremin (Aug 26 - Sept. 6)).Aug 22 2024, 7:17 AM

kostajh added subscribers: • mszabo, Dreamy_Jazz, • JayCano, Niharika.

kostajh edited projects, added Temporary accounts (Blockers to minor pilot wiki deployment); removed Temporary accounts.Aug 26 2024, 10:06 AM

• JayCano set the point value for this task to 2.Aug 26 2024, 10:23 AM

sbassett edited projects, added SecTeam-Processed; removed Security-Team.Aug 26 2024, 4:21 PM

kostajh added a subscriber: Tchanders.Sep 3 2024, 11:04 AM

Dreamy_Jazz claimed this task.Sep 11 2024, 4:32 PM

Proposed patch:

T372998.patch5 KBDownload

kostajh moved this task from Backlog to In progress on the Temporary accounts (Blockers to minor pilot wiki deployment) board.Sep 16 2024, 8:42 AM

Dreamy_Jazz moved this task from Sprint Theremin (Aug 26 - Sept. 6) to Sprint Beatboxing (Sept 16-27) on the Trust and Safety Product Sprint board.Sep 16 2024, 10:09 AM

Dreamy_Jazz edited projects, added Trust and Safety Product Sprint (Sprint Beatboxing (Sept 16-27)); removed Trust and Safety Product Sprint (Sprint Theremin (Aug 26 - Sept. 6)).

Dreamy_Jazz moved this task from Priority Backlog to Needs review on the Trust and Safety Product Sprint (Sprint Beatboxing (Sept 16-27)) board.

Reviewed the patch and it lgtm. Tested it against protected and private filters and confirmed both will disallow checking matches on filters the user shouldn't have access to.

sbassett added a project: Security-Team.Sep 17 2024, 2:59 PM

sbassett moved this task from Incoming to Security Patch To Deploy on the Security-Team board.

I can deploy this.

In T372998#10153625, @Dreamy_Jazz wrote:

I can deploy this.

Thanks.

Patch deployed. I did encounter a problem where the patch file did not get added to /srv/patches due to the directory not existing. I fixed this and manually added the patch file, so should be all good.

Dreamy_Jazz moved this task from Needs review to Needs QA on the Trust and Safety Product Sprint (Sprint Beatboxing (Sept 16-27)) board.Sep 17 2024, 3:29 PM

In T372998#10153770, @Dreamy_Jazz wrote:

Patch deployed. I did encounter a problem where the patch file did not get added to /srv/patches due to the directory not existing. I fixed this and manually added the patch file, so should be all good.

Er, that's probably not good, as I think there were still two deployed security patches (T355073, T366991) which hadn't been released yet... I guess we'll need to investigate that.

Oh wait, do you just mean the /srv/patches/1.43.0-wmf.23 hadn't been created?

To clarify, I mean /srv/patches/1.43.0-wmf.22/extensions/AbuseFilter and /srv/patches/1.43.0-wmf.23/extensions/AbuseFilter.

Ah, ok, yeah everything looks fine on deployment. Sorry for the confusion. We have, in the past, had directories/patches randomly disappear under /srv/patches.

sbassett added a parent task: Restricted Task.Sep 17 2024, 3:49 PM

sbassett moved this task from Security Patch To Deploy to Watching on the Security-Team board.Sep 17 2024, 6:16 PM

Dreamy_Jazz added a subscriber: Djackson-ctr.Sep 23 2024, 1:32 PM

So... As Temporary accounts are basically new functionality in 1.43 (which isn't released), this doesn't actually need holding for the security release, nor does it need to be part of it...

In T372998#10175501, @Reedy wrote:

So... As Temporary accounts are basically new functionality in 1.43 (which isn't released), this doesn't actually need holding for the security release, nor does it need to be part of it...

No, because the issue applies more widely than just temporary account functionality, because of the following comment:

In T372998#10083117, @Daimona wrote:

Find any AbuseLog entry (the filter can be public, private, or with protected variables; it doesn't matter)

As such, the issue exists in 1.42 and before.

Can someone please make sure the task title and description are fully up to date then please?

It's hard to write/request a CVE without the full details, and similarly having an idea of how long this has been an issue for (even if "probably forever").

In T372998#10175521, @Reedy wrote:

Can someone please make sure the task title and description are fully up to date then please?

It's hard to write/request a CVE without the full details, and similarly having an idea of how long this has been an issue for (even if "probably forever").

Sure. I can do that. done

Dreamy_Jazz renamed this task from abusefiltercheckmatch can reveal IP of a temporary user to abusefiltercheckmatch does not check the user for the abusefilter-log-detail right before matching against log details.Sep 25 2024, 1:44 PM

Dreamy_Jazz updated the task description. (Show Details)

Dreamy_Jazz updated the task description. (Show Details)Sep 25 2024, 1:49 PM

Reedy renamed this task from abusefiltercheckmatch does not check the user for the abusefilter-log-detail right before matching against log details to CVE-2024-: abusefiltercheckmatch does not check the user for the abusefilter-log-detail right before matching against log details.Sep 25 2024, 1:50 PM

Dreamy_Jazz updated the task description. (Show Details)Sep 25 2024, 1:52 PM

Dreamy_Jazz updated the task description. (Show Details)Sep 25 2024, 1:55 PM

Dreamy_Jazz updated the task description. (Show Details)

<3 for the updates!

In T372998#10138367, @Dreamy_Jazz wrote:

Proposed patch:

T372998.patch5 KBDownload

Some trivial poking around needed to get this patch onto MW-1.42-release

It then trivially backports to MW-1.41-release, it would obviously apply to MW-1.40-release but that's (recently) EOL (so probably worth calling out in the announcement), and it applies to MW-1.39-release

In 1.39, Title isn't namespaced, so from a cursory glance, that is probably the only difference between them... Everything else seems to be in AF, and has been around for a while.

T372998-REL1_42.patch4 KBDownload

T372998-REL1_39.patch5 KBDownload

T372998-REL1_41.patch4 KBDownload

Reedy added a subscriber: gerritbot.Sep 30 2024, 11:12 PM

Change #1076852 had a related patch set uploaded (by Reedy; author: Dreamy Jazz):

[mediawiki/extensions/AbuseFilter@REL1_39] SECURITY: abusefiltercheckmatch: Check if user can see log details

https://gerrit.wikimedia.org/r/1076852

Change #1076853 had a related patch set uploaded (by Reedy; author: Dreamy Jazz):

[mediawiki/extensions/AbuseFilter@REL1_41] SECURITY: abusefiltercheckmatch: Check if user can see log details

https://gerrit.wikimedia.org/r/1076853

Change #1076854 had a related patch set uploaded (by Reedy; author: Dreamy Jazz):

[mediawiki/extensions/AbuseFilter@REL1_42] SECURITY: abusefiltercheckmatch: Check if user can see log details

https://gerrit.wikimedia.org/r/1076854

Change #1076855 had a related patch set uploaded (by Reedy; author: Dreamy Jazz):

[mediawiki/extensions/AbuseFilter@master] SECURITY: abusefiltercheckmatch: Check if user can see log details

https://gerrit.wikimedia.org/r/1076855

Reedy updated the task description. (Show Details)Sep 30 2024, 11:24 PM

In T372998#10175724, @Reedy wrote:

Everything else seems to be in AF, and has been around for a while.

Or not.

rEABFca23e9f06b53: Convert `af_hidden` into a bitmask

So all the patches will actually break things...

Change #1076854 merged by Reedy:

[mediawiki/extensions/AbuseFilter@REL1_42] SECURITY: abusefiltercheckmatch: Check if user can see log details

https://gerrit.wikimedia.org/r/1076854

Change #1076853 merged by Reedy:

[mediawiki/extensions/AbuseFilter@REL1_41] SECURITY: abusefiltercheckmatch: Check if user can see log details

https://gerrit.wikimedia.org/r/1076853

Change #1076852 merged by Reedy:

[mediawiki/extensions/AbuseFilter@REL1_39] SECURITY: abusefiltercheckmatch: Check if user can see log details

https://gerrit.wikimedia.org/r/1076852

Change #1076863 had a related patch set uploaded (by Reedy; author: Reedy):

[mediawiki/extensions/AbuseFilter@REL1_42] Fixup T372998 backport

https://gerrit.wikimedia.org/r/1076863

Change #1076865 had a related patch set uploaded (by Reedy; author: Reedy):

[mediawiki/extensions/AbuseFilter@REL1_41] Fixup T372998 backport

https://gerrit.wikimedia.org/r/1076865

Change #1076866 had a related patch set uploaded (by Reedy; author: Reedy):

[mediawiki/extensions/AbuseFilter@REL1_39] Fixup T372998 backport

https://gerrit.wikimedia.org/r/1076866

Change #1076863 merged by jenkins-bot:

[mediawiki/extensions/AbuseFilter@REL1_42] Fixup T372998 backport

https://gerrit.wikimedia.org/r/1076863

Change #1076855 merged by jenkins-bot:

[mediawiki/extensions/AbuseFilter@master] SECURITY: abusefiltercheckmatch: Check if user can see log details

https://gerrit.wikimedia.org/r/1076855

Change #1076865 merged by Reedy:

[mediawiki/extensions/AbuseFilter@REL1_41] Fixup T372998 backport

https://gerrit.wikimedia.org/r/1076865

Change #1076866 merged by jenkins-bot:

[mediawiki/extensions/AbuseFilter@REL1_39] Fixup T372998 backport

https://gerrit.wikimedia.org/r/1076866

Reedy closed this task as Resolved.Oct 1 2024, 1:19 AM

Reedy renamed this task from CVE-2024-: abusefiltercheckmatch does not check the user for the abusefilter-log-detail right before matching against log details to CVE-2024-47913: abusefiltercheckmatch does not check the user for the abusefilter-log-detail right before matching against log details.Oct 4 2024, 9:53 PM

kostajh moved this task from Needs QA to Done on the Trust and Safety Product Sprint (Sprint Beatboxing (Sept 16-27)) board.Oct 8 2024, 10:47 AM

sbassett triaged this task as Medium priority.Feb 24 2025, 9:44 PM

sbassett changed Author Affiliation from N/A to WMF Technology.

sbassett changed the visibility from "Custom Policy" to "Public (No Login Required)".

sbassett changed the edit policy from "Custom Policy" to "All Users".

sbassett changed Risk Rating from N/A to Medium.

Maintenance_bot removed a project: Patch-For-Review.Feb 24 2025, 10:33 PM

Change #1127079 had a related patch set uploaded (by Dreamy Jazz; author: Dreamy Jazz):

[mediawiki/extensions/AbuseFilter@master] Replace AbuseFilterServices with DI in CheckMatch API

https://gerrit.wikimedia.org/r/1127079

gerritbot added a project: Patch-For-Review.Mar 12 2025, 5:24 PM

Change #1127079 merged by jenkins-bot:

[mediawiki/extensions/AbuseFilter@master] Use dependency injection over AbuseFilterServices in CheckMatch API