
CVE-2025-23073: API list=globalblocks can reveal IP of autoblock if username and IP are included in the bgtargets parameter
Closed, Resolved | Public | Security

Description

What is the problem?

If I globally block a username with an autoblock against their IP, and then make an API request to action=query&list=globalblocks with bgtargets=<username>|<user's ip>, the response will include both the global block against the user and their respective autoblock.

You do have to guess the user's IP correctly.

I don't believe the global autoblock feature is switched on in any production environment.

Steps to reproduce problem
  1. On a wiki with both GlobalBlocking and CheckUser installed
  2. Find out what your IP is on a wiki (e.g. while logged out go to Special:MyTalk)
  3. Login as a regular user and make an edit (so your IP is recorded by CheckUser)
  4. Login as an admin who can create global blocks
  5. Go to Special:GlobalBlock
  6. Enter the user from step 3 as target and make sure "Automatically globally block the last IP address used by this user, and any subsequent IP addresses they try to edit from, for a period of 1 day" is checked (it is by default). Submit the block.
  7. Go to Special:ApiSandbox#action=query&list=globalblocks&bgtargets=<username>|<user ip> (replace <username> with the user from step 3 and <user ip> with the IP from step 1). Submit.

Expected behaviour: The API only returns one block for the username.
Observed behaviour: The API returns two blocks.
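As an added illustration of the expected behaviour above (example code, not the GlobalBlocking extension's own implementation), the following Python sketches the server-side rule "omit autoblock rows whenever the request names an IP, via bgtargets or bgip" next to a client-side audit that a maintainer can run over a real API response to confirm no autoblock row slipped through. The response shape `{"query": {"globalblocks": [...]}}`, the boolean `autoblock` field on each row, and the sample rows are assumptions constructed for this example.

```python
"""Regression check for autoblock disclosure in list=globalblocks (added example).

Assumptions (not taken from the GlobalBlocking code base): the API response
has the usual MediaWiki shape {"query": {"globalblocks": [...]}}, and each
block row carries a boolean "autoblock" field. Sample rows are constructed.
"""
import ipaddress


def is_ip_target(target: str) -> bool:
    """True if the target string is an IPv4/IPv6 address or CIDR range."""
    try:
        ipaddress.ip_network(target, strict=False)
        return True
    except ValueError:
        return False


def hide_autoblocks_for_ip_queries(blocks, targets, ip=None):
    """Server-side filter: drop autoblock rows whenever the request names an IP.

    `targets` is the bgtargets list and `ip` the bgip parameter (or None).
    Matching an autoblock by IP would confirm which IP the autoblock covers,
    so those rows are omitted rather than returned.
    """
    ip_requested = ip is not None or any(is_ip_target(t) for t in targets)
    if not ip_requested:
        return list(blocks)
    return [b for b in blocks if not b.get("autoblock", False)]


def leaked_autoblocks(response, targets, ip=None):
    """Client-side audit: autoblock rows that an IP-bearing query should not see."""
    ip_requested = ip is not None or any(is_ip_target(t) for t in targets)
    if not ip_requested:
        return []
    rows = response.get("query", {}).get("globalblocks", [])
    return [b for b in rows if b.get("autoblock", False)]


# Constructed sample rows: one block on a user and the autoblock it created.
SAMPLE_BLOCKS = [
    {"id": 1, "target": "ExampleUser", "autoblock": False, "by": "Admin"},
    {"id": 2, "target": "203.0.113.7", "autoblock": True, "by": "Admin"},
]


def simulate_api(targets, ip=None, fixed=True):
    """Toy stand-in for the API: rows matching the request, filtered when fixed=True.

    With fixed=False it reproduces the reported behaviour: naming both the
    username and the IP returns the user block and the autoblock together.
    """
    matched = [
        b for b in SAMPLE_BLOCKS
        if b["target"] in targets or (ip is not None and b["target"] == ip)
    ]
    if fixed:
        matched = hide_autoblocks_for_ip_queries(matched, targets, ip)
    return {"query": {"globalblocks": matched}}


if __name__ == "__main__":
    query = ["ExampleUser", "203.0.113.7"]
    before = simulate_api(query, fixed=False)
    after = simulate_api(query)
    print("leaked before fix:", leaked_autoblocks(before, query))
    print("leaked after fix: ", leaked_autoblocks(after, query))
```

`leaked_autoblocks` is the piece worth keeping around: point it at a real response for a bgtargets or bgip query and a non-empty result means the disclosure has regressed.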

Environment

Wiki(s): local docker GlobalBlocking – (6d5fb35) 16:55, 21 October 2024.

Event Timeline

I think, given that this is not an issue that can be produced on production and is not a problem in any release version, I will upload the patch publicly.

Sounds fine to me.

Change #1082231 had a related patch set uploaded (by Dreamy Jazz; author: Dreamy Jazz):

[mediawiki/extensions/GlobalBlocking@master] globalblocks API: Hide autoblocks when target param has username and IP

https://gerrit.wikimedia.org/r/1082231

Dreamy_Jazz changed Due Date from Oct 27 2024, 11:00 PM to Oct 28 2024, 11:00 PM. (Oct 28 2024, 12:44 PM)

Change #1082231 merged by jenkins-bot:

[mediawiki/extensions/GlobalBlocking@master] globalblocks API: Hide autoblocks when target param has username and IP

https://gerrit.wikimedia.org/r/1082231

Change #1084748 had a related patch set uploaded (by Dreamy Jazz; author: Dreamy Jazz):

[mediawiki/extensions/GlobalBlocking@wmf/1.43.0-wmf.28] globalblocks API: Hide autoblocks when target param has username and IP

https://gerrit.wikimedia.org/r/1084748

Change #1084748 merged by jenkins-bot:

[mediawiki/extensions/GlobalBlocking@wmf/1.43.0-wmf.28] globalblocks API: Hide autoblocks when target param has username and IP

https://gerrit.wikimedia.org/r/1084748

I can no longer reproduce this bug.

I have tried querying with various combinations of parameters and checking that autoblocks do not appear when we include an IP either in the bgtargets or bgip parameters.

This can be made public now too.

sbassett triaged this task as Medium priority. (Oct 31 2024, 4:38 PM)
sbassett changed Author Affiliation from N/A to WMF Product.
sbassett changed the visibility from "Custom Policy" to "Public (No Login Required)".
sbassett changed the edit policy from "Custom Policy" to "All Users".
sbassett changed Risk Rating from N/A to Medium.
sbassett removed a project: Patch-For-Review.
sbassett moved this task from Watching to Our Part Is Done on the Security-Team board.
mmartorana renamed this task from "API list=globalblocks can reveal IP of autoblock if username and IP are included in the bgtargets parameter" to "CVE-2025-23073: API list=globalblocks can reveal IP of autoblock if username and IP are included in the bgtargets parameter". (Tue, Jan 14, 7:18 PM)

@mmartorana, the CVE description appears to be wrong. This security issue was never present in any release version of MediaWiki, but it says it was a problem in all currently supported release versions. Can this be fixed?

We should be able to amend that information, yes.

Hi @Dreamy_Jazz - Thanks for noticing this. It should be fixed now: https://www.cve.org/cverecord?id=CVE-2025-23073

Thanks for the quick fix.