Page MenuHomePhabricator
Create Task
Maniphest T397221

CVE-2025-53498: AbuseFilter batch testing tool do not log when protected variables are in the test pattern
Closed, ResolvedPublicSecurity
Actions

Description

When using the AbuseFilter Special:AbuseFilter/test page, I can compare against the value of protected variables without creating a log entry. This allows me to work out the value of the variable by trial-and-error without logging that I viewed the value of the variable.

Steps to reproduce

  1. Setup ipoid locally
  2. Install the AbuseFilter and IPReputation extension on your local mediawiki environment
  3. Find an IP which your local ipoid knows about and simulate having that IP locally
  4. Make a few test edits either while logged out or using a temporary account
  5. Go to Special:AbuseFilter/test while logged in to an account with the checkuser and sysop groups
  6. In the Rules to test field, enter something like:
ip_reputation_client_count = 1
  1. Press the "Test" submit button at the bottom of the form

What happened
The Special page tells you which recent actions match against the filter conditions, such that you can know which actions have the client_count of 1 if they match the pattern. For example:

image.png (87×1 px, 33 KB)

What should have happened
The special page should have allowed this, but should have created a log entry indicating that the performer accessed the value of protected variables for the users in the results.

Acceptance criteria

  • The AbuseFilter Special:AbuseFilter/test page creates protected variable value access logs when the test pattern includes a protected variable and the RecentChange entry has the protected variable value defined (i.e. not null) - For example, this should create logs when using an MediaWiki-extensions-IPReputation variable using the steps above.

Details

Risk Rating
Low
Author Affiliation
WMF Technology
Related Changes in Gerrit:
SubjectRepoBranchLines +/-
SECURITY: Update AbuseFilterViewTestBatch to log protected vars accessmediawiki/extensions/AbuseFiltermaster+108 -39
SECURITY: Update AbuseFilterViewTestBatch to log protected vars accessmediawiki/extensions/AbuseFilterREL1_44+108 -39
Customize query in gerrit

Related Objects
Search...

Event Timeline

Dreamy_Jazz created this task.Jun 17 2025, 3:29 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptJun 17 2025, 3:29 PM
Dreamy_Jazz renamed this task from AbuseFilter batch testing tools to not log when protected variables are in the test pattern to AbuseFilter batch testing tool to not log when protected variables are in the test pattern.Jun 17 2025, 3:31 PM
Dreamy_Jazz claimed this task.
Dreamy_Jazz added a project: AbuseFilter.
Dreamy_Jazz added projects: Trust and Safety Product Team, Trust and Safety Product Sprint (Sprint Baklava (June 16 - July 4)).
Dreamy_Jazz moved this task from Priority Backlog to In Progress on the Trust and Safety Product Sprint (Sprint Baklava (June 16 - July 4)) board.
Dreamy_Jazz added a parent task: T354599: [EPIC] WE4.2.14b Provide IP reputation variables in AbuseFilter.Jun 17 2025, 3:41 PM
Dreamy_Jazz added a project: Patch-For-Review.Jun 18 2025, 10:20 AM
Dreamy_Jazz moved this task from In Progress to Needs Review on the Trust and Safety Product Sprint (Sprint Baklava (June 16 - July 4)) board.
Dreamy_Jazz added subscribers: Tchanders, hector.arroyo, STran and 2 others.

Proposed patch:

T397221.patch13 KBDownload

Dreamy_Jazz renamed this task from AbuseFilter batch testing tool to not log when protected variables are in the test pattern to AbuseFilter batch testing tool do not log when protected variables are in the test pattern.Jun 18 2025, 10:39 AM
Dreamy_Jazz added subscribers: dom_walden, Djackson-ctr.
kostajh added a comment.EditedJun 19 2025, 7:54 PM

(Removed comment, sorry, I thought this one had been deployed.)

STran added a comment.Jun 20 2025, 9:43 AM

This lgtm - tested it locally and confirmed that if I test a filter that uses protected variables, the hits are logged to the table as expected. Filters that don't do not.

Dreamy_Jazz added a comment.Jun 20 2025, 2:07 PM

Deploying this now.

Dreamy_Jazz removed a project: Patch-For-Review.Jun 20 2025, 2:07 PM
Dreamy_Jazz mentioned this in T389312: Write and send supplementary release announcement for extensions and skins with security patches (1.39.13/1.42.7/1.43.2).Jun 20 2025, 2:18 PM
Dreamy_Jazz added a comment.Jun 20 2025, 2:26 PM

Patch deployed.

sbassett subscribed.Jun 20 2025, 4:15 PM
In T397221#10934650, @Dreamy_Jazz wrote:

Patch deployed.

Thanks, and thanks for adding this to the appropriate tracking tasks!

sbassett moved this task from Incoming to Watching on the Security-Team board.Jun 20 2025, 4:22 PM
sbassett added a project: SecTeam-Processed.
Dreamy_Jazz moved this task from Needs Review to Needs QA on the Trust and Safety Product Sprint (Sprint Baklava (June 16 - July 4)) board.Jun 20 2025, 6:19 PM
dom_walden moved this task from Needs QA to Done on the Trust and Safety Product Sprint (Sprint Baklava (June 16 - July 4)) board.Jun 27 2025, 10:22 AM

Calling Special:AbuseFilter/test with various abuse filter patterns, including those with protected variables, I checked that:

  • unauthorised users could not use patterns with protected variables
  • otherwise, any pattern which used a protected variable created an access log

A couple of things to note:

  • By default, recent changes that did not match the pattern are not returned. Nevertheless, access of those recent changes will still be logged. I think this makes sense: not matching a pattern tells you as much as matching it. But it might be confusing to users that a batch test which returns no results will still create access logs.
  • Access logs aren't made for recent changes whose protected variables are null. I didn't have a reliable way to determine this for every recent change, so this might affect the accuracy of the checks I performed above (i.e. I may have attributed a missing access log to protected variables being null when in fact they were not).
kostajh closed this task as Resolved.Jun 27 2025, 11:05 AM
Jly renamed this task from AbuseFilter batch testing tool do not log when protected variables are in the test pattern to CVE-2025-53483: AbuseFilter batch testing tool do not log when protected variables are in the test pattern.Jun 30 2025, 7:23 PM
Jly renamed this task from CVE-2025-53483: AbuseFilter batch testing tool do not log when protected variables are in the test pattern to CVE-2025-53498: AbuseFilter batch testing tool do not log when protected variables are in the test pattern.Jun 30 2025, 7:26 PM
Jly added a subscriber: gerritbot.Jul 2 2025, 11:58 PM
gerritbot added a comment.Jul 7 2025, 2:26 PM

Change #1166844 had a related patch set uploaded (by Dreamy Jazz; author: Dreamy Jazz):

[mediawiki/extensions/AbuseFilter@master] SECURITY: Update AbuseFilterViewTestBatch to log protected vars access

https://gerrit.wikimedia.org/r/1166844

gerritbot added a project: Patch-For-Review.Jul 7 2025, 2:26 PM
gerritbot added a comment.Jul 7 2025, 2:59 PM

Change #1166853 had a related patch set uploaded (by Dreamy Jazz; author: Dreamy Jazz):

[mediawiki/extensions/AbuseFilter@REL1_44] SECURITY: Update AbuseFilterViewTestBatch to log protected vars access

https://gerrit.wikimedia.org/r/1166853

gerritbot added a comment.Jul 7 2025, 3:15 PM

Change #1166853 merged by jenkins-bot:

[mediawiki/extensions/AbuseFilter@REL1_44] SECURITY: Update AbuseFilterViewTestBatch to log protected vars access

https://gerrit.wikimedia.org/r/1166853

gerritbot added a comment.Jul 7 2025, 3:24 PM

Change #1166844 merged by jenkins-bot:

[mediawiki/extensions/AbuseFilter@master] SECURITY: Update AbuseFilterViewTestBatch to log protected vars access

https://gerrit.wikimedia.org/r/1166844

sbassett triaged this task as Low priority.Jul 7 2025, 5:34 PM
sbassett removed projects: Patch-For-Review, Trust and Safety Product Sprint (Sprint Baklava (June 16 - July 4)).
sbassett changed the visibility from "Custom Policy" to "Public (No Login Required)".
sbassett changed the edit policy from "Custom Policy" to "All Users".
sbassett changed Risk Rating from N/A to Low.
sbassett added a project: Trust and Safety Product Sprint (Sprint Baklava (June 16 - July 4)).
Titore subscribed.Oct 3 2025, 8:10 AM

I was initially confused and thought of a bug when I noticed that according to the logs I had viewed protected variables of experienced users, bots, or even sysops that never even triggered an abusefilter, or did it years ago. Eventually, I was able to reproduce it by using Special:AbuseFilter/test to test filter 785 against recent changes.

As I understand it, logs should only be generated when an entry has not null protected variables. I thought IPReputation variables such as ip_reputation_ipoid_known were only available for logged out users or during account creation.

Is this the intended behavior, or should I file a new bug report? You can see what I mean by inspecting the log on itwiki.

Dreamy_Jazz added a comment.Oct 3 2025, 10:00 AM
In T397221#11239713, @Titore wrote:

I was initially confused and thought of a bug when I noticed that according to the logs I had viewed protected variables of experienced users, bots, or even sysops that never even triggered an abusefilter, or did it years ago. Eventually, I was able to reproduce it by using Special:AbuseFilter/test to test filter 785 against recent changes.

As I understand it, logs should only be generated when an entry has not null protected variables. I thought IPReputation variables such as ip_reputation_ipoid_known were only available for logged out users or during account creation.

Is this the intended behavior, or should I file a new bug report? You can see what I mean by inspecting the log on itwiki.

When was this log created? We have made other changes to the logging code, so it's possible that this has already been fixed.

Additionally, it would be useful to link the specific log and log entry created when viewing it.

Dreamy_Jazz added a comment.Oct 3 2025, 10:06 AM
In T397221#11239713, @Titore wrote:

I was initially confused and thought of a bug when I noticed that according to the logs I had viewed protected variables of experienced users, bots, or even sysops that never even triggered an abusefilter, or did it years ago. Eventually, I was able to reproduce it by using Special:AbuseFilter/test to test filter 785 against recent changes.

As I understand it, logs should only be generated when an entry has not null protected variables. I thought IPReputation variables such as ip_reputation_ipoid_known were only available for logged out users or during account creation.

Is this the intended behavior, or should I file a new bug report? You can see what I mean by inspecting the log on itwiki.

I have found a specific example now. I was confused as to what you meant by "logs" because this task is specific to logging to Special:Log when someone looks at a Special:AbuseLog entry.

We specifically do set the MediaWiki-extensions-IPReputation AbuseFilter variables on account creation of named accounts when those accounts are created by themselves (i.e. not when another named user creates an account for someone else). This is an intended behaviour, so there is no need to file a bug report. https://www.mediawiki.org/wiki/Extension:IPReputation/AbuseFilter_variables#Where_can_I_use_these_variables contains more detail on when these variables are available for use.

Titore added a comment.Oct 3 2025, 10:28 AM
In T397221#11240375, @Dreamy_Jazz wrote:
In T397221#11239713, @Titore wrote:

I was initially confused and thought of a bug when I noticed that according to the logs I had viewed protected variables of experienced users, bots, or even sysops that never even triggered an abusefilter, or did it years ago. Eventually, I was able to reproduce it by using Special:AbuseFilter/test to test filter 785 against recent changes.

As I understand it, logs should only be generated when an entry has not null protected variables. I thought IPReputation variables such as ip_reputation_ipoid_known were only available for logged out users or during account creation.

Is this the intended behavior, or should I file a new bug report? You can see what I mean by inspecting the log on itwiki.

When was this log created? We have made other changes to the logging code, so it's possible that this has already been fixed.

Additionally, it would be useful to link the specific log and log entry created when viewing it.

A few hours ago: to reproduce it I used /test with filter 785 against recent changes and 50+ entries were created for experienced registered users (not temporary accounts nor account creations). I'm talking about "Abuse filter protected variables log".

Dreamy_Jazz added a comment.Oct 3 2025, 10:30 AM
In T397221#11240444, @Titore wrote:
In T397221#11240375, @Dreamy_Jazz wrote:
In T397221#11239713, @Titore wrote:

I was initially confused and thought of a bug when I noticed that according to the logs I had viewed protected variables of experienced users, bots, or even sysops that never even triggered an abusefilter, or did it years ago. Eventually, I was able to reproduce it by using Special:AbuseFilter/test to test filter 785 against recent changes.

As I understand it, logs should only be generated when an entry has not null protected variables. I thought IPReputation variables such as ip_reputation_ipoid_known were only available for logged out users or during account creation.

Is this the intended behavior, or should I file a new bug report? You can see what I mean by inspecting the log on itwiki.

When was this log created? We have made other changes to the logging code, so it's possible that this has already been fixed.

Additionally, it would be useful to link the specific log and log entry created when viewing it.

A few hours ago: to reproduce it I used /test with filter 785 against recent changes and 50+ entries were created for experienced registered users (not temporary accounts nor account creations). I'm talking about "Abuse filter protected variables log".

Then I would recommend filing a new bug. I am not sure when we (the Product Safety and Integrity team) will have the time to look at this

Titore mentioned this in T406327: "Abuse filter protected variables log" reports spurious access to unavailable variables.Oct 3 2025, 12:46 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits