Page MenuHomePhabricator
Create Task
Maniphest T77028

Malicious site can bypass CORS restrictions in $wgCrossSiteAJAXdomains
Closed, ResolvedPublic
Actions

Description

A malicious site can cause MediaWiki to output an Access-Control-Allow-Origin header allowing CORS requests for the malicious site by ensuring that the origin contains an allowed origin as a prefix.

For example, a request from http://en.wikipedia.org.evilsite.example/ would match a $wgCrossSiteAJAXdomains entry for "en.wikipedia.org".

Details

SubjectRepoBranchLines +/-
SECURITY: Fix CORS origin matching in the APImediawiki/coreREL1_22+1 -1
SECURITY: Fix CORS origin matching in the APImediawiki/coreREL1_23+1 -1
SECURITY: Fix CORS origin matching in the APImediawiki/coreREL1_24+1 -1
SECURITY: Fix CORS origin matching in the APImediawiki/coremaster+1 -1
Customize query in gerrit

Related Objects

Event Timeline

Anomie created this task.Dec 8 2014, 3:43 PM
Anomie claimed this task.
Anomie raised the priority of this task from to Needs Triage.
Anomie updated the task description. (Show Details)
Anomie added projects: MediaWiki-Core-Team, MediaWiki-Action-API, Patch-For-Review.
Anomie moved this task to Needs Review/Feedback on the MediaWiki-Core-Team board.
Anomie changed Security from none to Software security bug.
Anomie subscribed.
Restricted Application changed the visibility from "Public (No Login Required)" to "Custom Policy". · View Herald TranscriptDec 8 2014, 3:43 PM
Restricted Application changed the edit policy from "All Users" to "Custom Policy". · View Herald Transcript
Restricted Application added a project: acl*security. · View Herald Transcript
Anomie added a comment.Dec 8 2014, 3:45 PM

0001-SECURITY-Fix-CORS-origin-matching-in-the-API.patch728 BDownload

Restricted Application changed the visibility from "Custom Policy" to "Custom Policy". · View Herald TranscriptDec 8 2014, 3:45 PM
Restricted Application changed the edit policy from "Custom Policy" to "Custom Policy". · View Herald Transcript
Anomie updated the task description. (Show Details)Dec 8 2014, 3:45 PM
Restricted Application changed the visibility from "Custom Policy" to "Custom Policy". · View Herald TranscriptDec 8 2014, 3:45 PM
Restricted Application changed the edit policy from "Custom Policy" to "Custom Policy". · View Herald Transcript
csteipp added subscribers: Mglaser, csteipp.Dec 8 2014, 7:23 PM

Deployed to the cluser.

@Mglaser, this should get added to the next release.

Restricted Application changed the visibility from "Custom Policy" to "Custom Policy". · View Herald TranscriptDec 8 2014, 7:23 PM
Restricted Application changed the edit policy from "Custom Policy" to "Custom Policy". · View Herald Transcript
csteipp added a comment.Dec 8 2014, 7:29 PM

For reproduction / testing, you can add/set en.wikipedia.org in $wgCrossSiteAJAXdomains,

$wgCrossSiteAJAXdomains = array( 'en.wikipedia.org', 'en.wikibooks.org' );

Then run,

curl -ik -H 'Origin: http://en.wikipedia.org.somethingevil.com' 'https://localhost/wiki/api.php?origin=http://en.wikipedia.org.somethingevil.com&action=query&list=allpages&format=json' | grep "Access-Control-Allow-Origin:"

The allow-origin heading will be returned for the somethingevil.com domain before the patch, but not after.

Restricted Application changed the visibility from "Custom Policy" to "Custom Policy". · View Herald TranscriptDec 8 2014, 7:29 PM
Restricted Application changed the edit policy from "Custom Policy" to "Custom Policy". · View Herald Transcript
csteipp moved this task from Needs Review/Feedback to Done on the MediaWiki-Core-Team board.Dec 8 2014, 7:32 PM
Restricted Application changed the visibility from "Custom Policy" to "Custom Policy". · View Herald TranscriptDec 8 2014, 7:32 PM
Restricted Application changed the edit policy from "Custom Policy" to "Custom Policy". · View Herald Transcript
bd808 closed this task as Resolved.Dec 8 2014, 9:51 PM
Restricted Application changed the visibility from "Custom Policy" to "Custom Policy". · View Herald TranscriptDec 8 2014, 9:51 PM
Restricted Application changed the edit policy from "Custom Policy" to "Custom Policy". · View Herald Transcript
bd808 moved this task from Done to Archive on the MediaWiki-Core-Team board.Dec 8 2014, 10:55 PM
Restricted Application changed the visibility from "Custom Policy" to "Custom Policy". · View Herald TranscriptDec 8 2014, 10:55 PM
Restricted Application changed the edit policy from "Custom Policy" to "Custom Policy". · View Herald Transcript
csteipp merged a task: Restricted Task.Dec 8 2014, 11:55 PM
csteipp added a subscriber: Tgr.
Restricted Application changed the visibility from "Custom Policy" to "Custom Policy". · View Herald TranscriptDec 8 2014, 11:55 PM
Restricted Application changed the edit policy from "Custom Policy" to "Custom Policy". · View Herald Transcript
Mglaser added a comment.Dec 16 2014, 4:50 PM

The patch applies to REL1_24 and 1_23. With a slight modification (removal of a blank line) it also applies to REL1_22. It seems, though, that REL1_19 does not check the origin at all, so there will be no backport for 1_19.

Restricted Application changed the visibility from "Custom Policy" to "Custom Policy". · View Herald TranscriptDec 16 2014, 4:50 PM
Restricted Application changed the edit policy from "Custom Policy" to "Custom Policy". · View Herald Transcript
Anomie added a comment.Dec 16 2014, 9:36 PM
In T77028#850877, @Mglaser wrote:

It seems, though, that REL1_19 does not check the origin at all, so there will be no backport for 1_19.

Yes, CORS support was added in 1.20.

Restricted Application changed the visibility from "Custom Policy" to "Custom Policy". · View Herald TranscriptDec 16 2014, 9:36 PM
Restricted Application changed the edit policy from "Custom Policy" to "Custom Policy". · View Herald Transcript
Mglaser added subscribers: Grunny, ProgramCeltic.Dec 17 2014, 10:13 AM

Early access for Wikia and Gamepedia

Restricted Application changed the visibility from "Custom Policy" to "Custom Policy". · View Herald TranscriptDec 17 2014, 10:13 AM
Restricted Application changed the edit policy from "Custom Policy" to "Custom Policy". · View Herald Transcript
Mglaser mentioned this in rMW5c352eaf09e6: SECURITY: Fix CORS origin matching in the API.Dec 17 2014, 6:54 PM
Restricted Application changed the visibility from "Custom Policy" to "Custom Policy". · View Herald TranscriptDec 17 2014, 6:54 PM
Restricted Application changed the edit policy from "Custom Policy" to "Custom Policy". · View Herald Transcript
Mglaser mentioned this in rMWdecb9a319832: SECURITY: Fix CORS origin matching in the API.Dec 17 2014, 6:54 PM
Restricted Application changed the visibility from "Custom Policy" to "Custom Policy". · View Herald TranscriptDec 17 2014, 6:54 PM
Restricted Application changed the edit policy from "Custom Policy" to "Custom Policy". · View Herald Transcript
Mglaser mentioned this in rMWa1243a096678: SECURITY: Fix CORS origin matching in the API.Dec 17 2014, 6:54 PM
Restricted Application changed the visibility from "Custom Policy" to "Custom Policy". · View Herald TranscriptDec 17 2014, 6:54 PM
Restricted Application changed the edit policy from "Custom Policy" to "Custom Policy". · View Herald Transcript
Mglaser mentioned this in rMW4712c3fe51bb: SECURITY: Fix CORS origin matching in the API.Dec 17 2014, 6:54 PM
Restricted Application changed the visibility from "Custom Policy" to "Custom Policy". · View Herald TranscriptDec 17 2014, 6:54 PM
Restricted Application changed the edit policy from "Custom Policy" to "Custom Policy". · View Herald Transcript
Anomie changed the visibility from "Custom Policy" to "Public (No Login Required)".Dec 17 2014, 10:17 PM
Anomie changed the edit policy from "Custom Policy" to "All Users".
Anomie changed Security from Software security bug to None.
chasemp added a project: Security.Feb 10 2020, 10:53 PM
chasemp removed a project: acl*security.Feb 20 2020, 8:14 PM
Aklapper removed a subscriber: Anomie.Oct 16 2020, 5:39 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits