Malicious site can bypass CORS restrictions in $wgCrossSiteAJAXdomains
Closed, Resolved · Public

Description

A malicious site can cause MediaWiki to output an Access-Control-Allow-Origin header allowing CORS requests for the malicious site by ensuring that the origin contains an allowed origin as a prefix.

For example, a request from http://en.wikipedia.org.evilsite.example/ would match a $wgCrossSiteAJAXdomains entry for "en.wikipedia.org".

Anomie created this task. Dec 8 2014, 3:43 PM
Anomie claimed this task.
Anomie moved this task to Needs Review/Feedback on the MediaWiki-Core-Team board.
Anomie changed Security from none to Software security bug.
Anomie added a subscriber: Anomie.
Restricted Application changed the visibility from "Public (No Login Required)" to "Custom Policy". Dec 8 2014, 3:43 PM
Restricted Application changed the edit policy from "All Users" to "Custom Policy".
Restricted Application added a project: Security.
Anomie added a comment. Dec 8 2014, 3:45 PM
Anomie edited the task description. (Show Details) Dec 8 2014, 3:45 PM

Deployed to the cluster.

@Mglaser, this should get added to the next release.


For reproduction / testing, you can add/set en.wikipedia.org in $wgCrossSiteAJAXdomains,

$wgCrossSiteAJAXdomains = array( 'en.wikipedia.org', 'en.wikibooks.org' );

Then run,

curl -ik -H 'Origin: http://en.wikipedia.org.somethingevil.com' 'https://localhost/wiki/api.php?origin=http://en.wikipedia.org.somethingevil.com&action=query&list=allpages&format=json' | grep "Access-Control-Allow-Origin:"

The Access-Control-Allow-Origin header will be returned for the somethingevil.com domain before the patch, but not after.
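The prefix-matching flaw from the description and its fix, as an added example in Python (this is illustrative code written for this page, not MediaWiki's PHP implementation): `prefix_match` reconstructs the vulnerable behaviour in which an allow-list entry only has to be a prefix of the Origin's host part, and `exact_host_match` shows the corrected check, which parses the Origin and requires an exact hostname match. The allow-list and the test origins are constructed from the values used in this task; the `user@host` variant is an added case of the same prefix-matching class, not something the task reports.

```python
from urllib.parse import urlsplit

# Constructed allow-list, mirroring the $wgCrossSiteAJAXdomains values in the
# reproduction steps above.
ALLOWED_DOMAINS = ("en.wikipedia.org", "en.wikibooks.org")


def prefix_match(origin, allowed=ALLOWED_DOMAINS):
    """Deliberately vulnerable check of the kind the task describes: an
    allow-list entry only has to be a prefix of the Origin's host part, so
    http://en.wikipedia.org.somethingevil.com is accepted. Illustrative
    reconstruction, not MediaWiki's actual code."""
    host_part = origin.split("://", 1)[-1].rstrip("/")
    return any(host_part.startswith(domain) for domain in allowed)


def exact_host_match(origin, allowed=ALLOWED_DOMAINS):
    """Hardened check: parse the Origin as a URL and require its hostname to
    equal an allow-list entry exactly (hostnames are case-insensitive)."""
    try:
        parts = urlsplit(origin)
    except ValueError:
        return False  # e.g. a malformed IPv6 literal
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False  # also rejects "null" and scheme-less strings
    if parts.path not in ("", "/") or parts.query or parts.fragment:
        return False  # a serialized Origin carries no path, query or fragment
    host = parts.hostname.lower()  # urlsplit strips any user@ part for us
    return any(host == domain.lower() for domain in allowed)


def allow_origin_header(origin, matcher):
    """Value to emit as Access-Control-Allow-Origin, or None for no header."""
    return origin if matcher(origin) else None


if __name__ == "__main__":
    # Constructed Origin values: one legitimate, two hostile.
    for origin in (
        "http://en.wikipedia.org",
        "http://en.wikipedia.org.somethingevil.com",
        "http://en.wikipedia.org@evil.example",
    ):
        print(origin,
              "| prefix:", allow_origin_header(origin, prefix_match),
              "| exact:", allow_origin_header(origin, exact_host_match))
```

The hardened matcher compares the hostname only, which is what a host-based allow-list like $wgCrossSiteAJAXdomains expresses; a deployment that needs port- or scheme-sensitive matching would compare the whole serialized origin instead. Note that `prefix_match` also accepts the `user@host` form because the allowed name appears at the front of the authority, which is why the fix must parse the URL rather than compare strings.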

bd808 closed this task as "Resolved". Dec 8 2014, 9:51 PM
bd808 moved this task from Done to Archive on the MediaWiki-Core-Team board. Dec 8 2014, 10:55 PM
csteipp merged a task: Restricted Task. Dec 8 2014, 11:55 PM
csteipp added a subscriber: Tgr.

The patch applies to REL1_24 and 1_23. With a slight modification (removal of a blank line) it also applies to REL1_22. It seems, though, that REL1_19 does not check the origin at all, so there will be no backport for 1_19.


It seems, though, that REL1_19 does not check the origin at all, so there will be no backport for 1_19.

Yes, CORS support was added in 1.20.


Early access for Wikia and Gamepedia

Anomie changed the visibility from "Custom Policy" to "Public (No Login Required)". Dec 17 2014, 10:17 PM
Anomie changed the edit policy from "Custom Policy" to "All Users".
Anomie changed Security from Software security bug to None.