
Scribunto allows cross-origin leakage of data from a wiki through timing
Closed, Resolved · Public

Description

Attached: demonstration

Scribunto modules are capable of branching based on the contents of arbitrary wiki pages and even transcludable special pages. However, when combined with the addition of a malicious module to the Module namespace, OR when all of the following circumstances apply (making that unnecessary):

  • The TemplateSandbox extension is installed.
  • The attacker knows the name and contents of an existing module.
  • The attacker knows the name of at least one page that uses that module.

It is possible for an attacker's site, while open in a user's browser, to extract a small amount of data through timing. For example:

  • Via TemplateSandbox, the attacker provides a malicious Scribunto module to be used instead of one in the Module namespace. This can be done by submitting a form into an iframe.
  • The module preprocesses {{Special:Contributions/...}} then unstrips it to get the HTML (including any rollback tokens).
  • The module delays based on the value of a bit in the rollback token, possibly with the help of os.clock().
  • The attacker's site measures how long it takes for the page to finish loading, which depends on the bit's value.

A demonstration is attached that steals a rollback token from enwiki in about three minutes. Of course, you need the "rollback" right there for it to work, and you may need to use Firefox. Alternatively, you can change it to run against a test wiki that has $wgSessionsInObjectCache = true and the pages Module:Bananas and Module:Bananas/doc (export from enwiki).

Two ways to make this harder to exploit:

  • To prevent access to tokens, do not allow Scribunto modules to unstrip special page HTML.
  • To make it harder to get malicious modules executed, do not allow TemplateSandbox to function without an edit token.

Version: unspecified
Severity: normal
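The following is an added example, not code from this task, from Scribunto or from TemplateSandbox. It is a stand-alone Python model of the two hardenings proposed in the description: an unstrip that expands only nowiki markers (so transcluded special-page HTML, and any token inside it, stays opaque to module code), and a form handler that refuses to run a user-supplied module without the session's edit token. The strip-marker byte layout, the `special` marker kind, the session secret and the sample content are constructed for the example; only the `+\` token suffix and the `wpEditToken` field name follow MediaWiki convention.

```python
"""Toy model of the two mitigations (constructed example; see lead-in)."""
import hashlib
import hmac
import re

# Simplified stand-in for MediaWiki strip markers: "\x7fUNIQ-<kind>-<8 hex>-QINU\x7f".
# The real layout differs in detail; only the kind/id structure matters here.
MARKER_RE = re.compile(r"\x7fUNIQ-(?P<kind>[a-z]+)-(?P<id>[0-9A-F]{8})-QINU\x7f")

# Constructed strip state: what the parser hid behind each marker.
# The "special" entry stands in for {{Special:Contributions/...}} output,
# which in the report contained rollback links carrying a token.
STRIP_STATE = {
    ("nowiki", "00000001"): "literal {{text}}",
    ("special", "00000002"): '<a href="/w/index.php?action=rollback&token=CONSTRUCTED_TOKEN">rollback</a>',
}
SAMPLE = (
    "intro \x7fUNIQ-nowiki-00000001-QINU\x7f and "
    "\x7fUNIQ-special-00000002-QINU\x7f end"
)


def unstrip(text, strip_state, allowed_kinds=("nowiki",)):
    """Expand only markers whose kind is in allowed_kinds.

    Markers of any other kind are returned unchanged, so code that branches
    on the result (as a Scribunto module could) never sees the hidden HTML
    and has no secret bit to leak through timing.
    """
    def repl(m):
        key = (m.group("kind"), m.group("id"))
        if m.group("kind") in allowed_kinds and key in strip_state:
            return strip_state[key]
        return m.group(0)  # leave the opaque marker in place
    return MARKER_RE.sub(repl, text)


def make_edit_token(session_secret, salt=""):
    """Derive a per-session edit token; "+\\" mirrors MediaWiki's token suffix."""
    digest = hashlib.sha256((session_secret + "|" + salt).encode()).hexdigest()
    return digest + "+\\"


def match_edit_token(session_secret, submitted, salt=""):
    """Constant-time comparison; a missing or non-string token never matches."""
    if not isinstance(submitted, str):
        return False
    expected = make_edit_token(session_secret, salt)
    return hmac.compare_digest(expected, submitted)


def handle_sandbox_preview(request, session_secret):
    """Sandbox-style preview handler (hypothetical, not TemplateSandbox's code).

    A form posted from a third-party page into an iframe cannot include the
    victim's edit token, so requiring it blocks that route to executing an
    attacker-chosen module under the victim's session.
    """
    if not match_edit_token(session_secret, request.get("wpEditToken")):
        return {"status": 403, "body": "missing or invalid edit token"}
    # Rendering with request["module_text"] would happen here; the module
    # would then only be able to unstrip nowiki content via unstrip().
    rendered = unstrip(SAMPLE, STRIP_STATE)
    return {"status": 200, "body": rendered}


if __name__ == "__main__":
    print(repr(unstrip(SAMPLE, STRIP_STATE)))
    tok = make_edit_token("constructed-session-secret")
    print(handle_sandbox_preview({"module_text": "return {}"}, "constructed-session-secret"))
    print(handle_sandbox_preview({"module_text": "return {}", "wpEditToken": tok},
                                 "constructed-session-secret"))
```

Passing `allowed_kinds=("nowiki", "special")` to `unstrip` shows the pre-fix behaviour, where the token string becomes visible to the caller; the default allow-list is the hardened behaviour.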

Details

Reference
bz71167

Event Timeline

Nov 22 2014, 3:48 AM: bzimport raised the priority of this task to Needs Triage.
bzimport set Reference to bz71167.
bzimport changed Security from none to Software security bug.
Restricted Application changed the visibility from "Public (No Login Required)" to "acl*security (Project)".
Restricted Application changed the edit policy from "All Users" to "acl*security (Project)".

Gerrit change 171290 should fix this issue by preventing unstripping of special page HTML, in addition to the public bug it acknowledges fixing.

Nov 24 2014, 9:27 PM: Restricted Application changed the visibility from "acl*security (Project)" to "Custom Policy".
Restricted Application changed the edit policy from "acl*security (Project)" to "Custom Policy".
Nov 26 2014, 12:19 PM: Restricted Application changed the visibility from "Custom Policy" to "Custom Policy".
Restricted Application changed the edit policy from "Custom Policy" to "Custom Policy".
Nov 26 2014, 3:01 PM: Restricted Application changed the visibility from "Custom Policy" to "Custom Policy".
Restricted Application changed the edit policy from "Custom Policy" to "Custom Policy".

Jackmcbarn just +2ed https://gerrit.wikimedia.org/r/#/c/171290, which should fix this bug once it's backported to the release versions.

Dec 1 2014, 9:44 PM: Restricted Application changed the visibility from "Custom Policy" to "Custom Policy".
Restricted Application changed the edit policy from "Custom Policy" to "Custom Policy".
Legoktm claimed this task.
Dec 22 2014, 10:57 PM: Restricted Application changed the visibility from "Custom Policy" to "Custom Policy".
Restricted Application changed the edit policy from "Custom Policy" to "Custom Policy".
Dec 22 2014, 10:58 PM: Legoktm changed the visibility from "Custom Policy" to "Public (No Login Required)".
Legoktm changed the edit policy from "Custom Policy" to "All Users".
Restricted Application changed the visibility from "Public (No Login Required)" to "Custom Policy".
Restricted Application changed the edit policy from "All Users" to "Custom Policy".
Legoktm changed the visibility from "Custom Policy" to "Public (No Login Required)".
Legoktm changed the edit policy from "Custom Policy" to "All Users".
Legoktm changed Security from Software security bug to None.