Page MenuHomePhabricator
Create Task
Maniphest T85858

Check User page lacks CSRF protection
Closed, ResolvedPublic
Actions

Assigned To
csteipp
Authored By
csteipp
Jan 5 2015, 9:20 PM
Tags
Referenced Files
F103757: T85858_CheckUser-REL1_24.patch
Mar 24 2015, 9:17 PM
F103759: T85858_CheckUser-REL1_19.patch
Mar 24 2015, 9:17 PM
F103758: T85858_CheckUser-REL1_23.patch
Mar 24 2015, 9:17 PM
F31093: 0001-SECURITY-Add-an-edit-token-to-Special-CheckUser.patch
Jan 22 2015, 5:52 AM
F28504: 0001-SECURITY-Add-an-edit-token-to-Special-CheckUser.patch
Jan 13 2015, 8:32 PM
Subscribers
Aklapper
csteipp
gerritbot
Grunny
Jalexander
JEumerus
Kghbln
View All 11 Subscribers

Description

FINDING ID: iSEC-WMF1214-6

DESCRIPTION: The process to check a corresponding username to IP address and vice versa lacks
CSRF protection. CSRF attacks are perpetrated by issuing a request to a protected resource within a
web application on behalf of a user without their knowledge. When the server receives the requests,
it has no way of distinguishing the forged request from a request sent purposefully by the user. Any
user with basic rights on MediaWiki can trick a user with check user rights into submitting multiple
look up requests. This will fill the check user log with untrustworthy data.

EXPLOIT SCENARIO: An attacker with basic user rights on MediaWiki makes targeted attacks towards
MediaWiki users with check user rights. A user with check user rights is tricked into visiting a site
the attacker controls, in turn tricking their browser into sending the request that submits unnecessary
check user requests. Although the attacker cannot view the responses, a large number of unnecessary
requests can damage the reputation of the valid user.

SHORT TERM SOLUTION: Require a valid wpEditToken to be submitted with each check user request.

Patch:

0001-SECURITY-Add-an-edit-token-to-Special-CheckUser.patch3 KBDownload

  • 1.24:
    T85858_CheckUser-REL1_24.patch3 KBDownload
  • 1.23:
    T85858_CheckUser-REL1_23.patch3 KBDownload
  • 1.19:
    T85858_CheckUser-REL1_19.patch2 KBDownload

Affected Versions: Since at least 67bed6768192fe537a9605f414ff039e61c978eb (1.6?)
Type: csrf
CVE: CVE-2015-2940

Details

SubjectRepoBranchLines +/-
SECURITY: Add an edit token to Special:CheckUsermediawiki/extensions/CheckUsermaster+7 -1
SECURITY: Add an edit token to Special:CheckUsermediawiki/extensions/CheckUserREL1_23+9 -3
SECURITY: Add an edit token to Special:CheckUsermediawiki/extensions/CheckUserREL1_24+7 -1
Customize query in gerrit

Related Objects
Search...

Event Timeline

csteipp created this task.Jan 5 2015, 9:20 PM
csteipp raised the priority of this task from to Needs Triage.
csteipp updated the task description. (Show Details)
csteipp added projects: acl*security, CheckUser.
csteipp changed Security from None to Software security bug.
csteipp subscribed.
Restricted Application changed the visibility from "Public (No Login Required)" to "Custom Policy". · View Herald TranscriptJan 5 2015, 9:20 PM
Restricted Application changed the edit policy from "All Users" to "Custom Policy". · View Herald Transcript
Legoktm subscribed.Jan 13 2015, 8:32 PM

0001-SECURITY-Add-an-edit-token-to-Special-CheckUser.patch3 KBDownload

Restricted Application changed the visibility from "Custom Policy" to "Custom Policy". · View Herald TranscriptJan 13 2015, 8:32 PM
Restricted Application changed the edit policy from "Custom Policy" to "Custom Policy". · View Herald Transcript
Anomie subscribed.Jan 14 2015, 4:44 PM
In T85858#974469, @Legoktm wrote:

0001-SECURITY-Add-an-edit-token-to-Special-CheckUser.patch3 KBDownload

Code review +1

csteipp added a parent task: T87275: MediaWiki Security release 1.24.2.Jan 20 2015, 11:08 PM
csteipp closed this task as Resolved.Jan 20 2015, 11:12 PM
csteipp claimed this task.

This is deployed and will be included in the 1.24.2 release

Jalexander subscribed.Jan 21 2015, 12:06 AM

Hmmmm, is this live in anyway (and has it been for 'x' days, some point in the past week or so) on the cluster? The checkusers are having some relatively common session issues that we're talking about on their mailing list (they should be creating a phab task soon) and I'm trying to figure out what could have caused that in any recent changes...

Krenair subscribed.Jan 21 2015, 12:17 AM

Yes, this is live on the cluster. Looks like Chris committed it at 18:40 UTC on the 15th, deployment would've happened shortly afterwards.

Jalexander added a comment.Jan 21 2015, 5:59 AM

hmmm, ok, this is definitely on the list of possible causes then for the sudden session issues. Doesn't look like someone else has open a phabricator task on that yet so I'll do so now and link this.

Krenair added a comment.Jan 21 2015, 10:58 AM

The "Session failure. Please try again." error they are getting was added in this patch and is not merged to master, so I don't think that task can be valid.

Krenair added a comment.Jan 21 2015, 11:03 AM

Do we know what these users are doing in between opening the form and actually submitting it?

Jalexander added a comment.Jan 21 2015, 11:05 AM
In T85858#988693, @Krenair wrote:

The "Session failure. Please try again." error they are getting was added in this patch and is not merged to master, so I don't think that task can be valid.

Well they're very clearly getting it :) so unless that warning is somewhere else in the extension too (also possible) then the patch is live ;)

In T85858#988694, @Krenair wrote:

Do we know what these users are doing in between opening the form and actually submitting it?

nope, that's why I'm going to ask them to chime in.

Krenair added a comment.Jan 21 2015, 11:07 AM
In T85858#988699, @Jalexander wrote:
In T85858#988693, @Krenair wrote:

The "Session failure. Please try again." error they are getting was added in this patch and is not merged to master, so I don't think that task can be valid.

Well they're very clearly getting it :) so unless that warning is somewhere else in the extension too (also possible) then the patch is live ;)

Right, but it's not in the actual extension yet, just WMF's live clone, and isn't even public.

Jalexander added a comment.Jan 21 2015, 11:12 AM
In T85858#988700, @Krenair wrote:
In T85858#988699, @Jalexander wrote:
In T85858#988693, @Krenair wrote:

The "Session failure. Please try again." error they are getting was added in this patch and is not merged to master, so I don't think that task can be valid.

Well they're very clearly getting it :) so unless that warning is somewhere else in the extension too (also possible) then the patch is live ;)

Right, but it's not in the actual extension yet, just WMF's live clone, and isn't even public.

Aye, though I don't really know where else it would be able to be posted. As far as they are concerned it's live in the extension and they wouldn't really know to post it or look somewhere else. I'm happy to hide it or move to a different project if we think it's better though that's why I just mentioned the tasks here rather then discussing it. Right now I think the most appropriate project is the checkuser extension one (just like this is in that project).

Legoktm added a comment.Jan 22 2015, 5:52 AM

0001-SECURITY-Add-an-edit-token-to-Special-CheckUser.patch3 KBDownload

This is an updated patch which includes the fix for {T87304}.

csteipp updated the task description. (Show Details)Mar 18 2015, 12:50 AM
csteipp added a comment.Mar 24 2015, 9:17 PM

T85858_CheckUser-REL1_24.patch3 KBDownload
- minor differences in messages

T85858_CheckUser-REL1_23.patch3 KBDownload
- minor differences in messages

T85858_CheckUser-REL1_19.patch2 KBDownload
- i18n format, use wgUser to keep with the style of the rest of the code

csteipp updated the task description. (Show Details)Mar 24 2015, 9:18 PM
csteipp added subscribers: Grunny, ProgramCeltic.Mar 30 2015, 8:02 PM
csteipp changed the visibility from "Custom Policy" to "Custom Policy".Mar 31 2015, 12:38 PM
csteipp changed the visibility from "Custom Policy" to "Public (No Login Required)".Mar 31 2015, 9:16 PM
csteipp changed the edit policy from "Custom Policy" to "All Users".
csteipp changed Security from Software security bug to None.
gerritbot subscribed.Mar 31 2015, 10:44 PM

Change 201057 had a related patch set uploaded (by CSteipp):
SECURITY: Add an edit token to Special:CheckUser

https://gerrit.wikimedia.org/r/201057

gerritbot added a project: Patch-For-Review.Mar 31 2015, 10:44 PM
Kghbln subscribed.Mar 31 2015, 10:45 PM
gerritbot added a comment.Mar 31 2015, 10:45 PM

Change 201058 had a related patch set uploaded (by CSteipp):
SECURITY: Add an edit token to Special:CheckUser

https://gerrit.wikimedia.org/r/201058

gerritbot added a comment.Mar 31 2015, 10:46 PM

Change 201058 merged by CSteipp:
SECURITY: Add an edit token to Special:CheckUser

https://gerrit.wikimedia.org/r/201058

csteipp mentioned this in rECHU8d9659d3ada8: SECURITY: Add an edit token to Special:CheckUser.Mar 31 2015, 10:52 PM
gerritbot added a comment.Mar 31 2015, 10:53 PM

Change 201057 merged by CSteipp:
SECURITY: Add an edit token to Special:CheckUser

https://gerrit.wikimedia.org/r/201057

csteipp mentioned this in rECHU496547b513b8: SECURITY: Add an edit token to Special:CheckUser.Mar 31 2015, 10:53 PM
csteipp mentioned this in rMEXT460d7ffa12f9: Updated mediawiki/extensions Project: mediawiki/extensions/CheckUser….
gerritbot added a comment.Apr 1 2015, 5:04 PM

Change 201228 had a related patch set uploaded (by CSteipp):
SECURITY: Add an edit token to Special:CheckUser

https://gerrit.wikimedia.org/r/201228

gerritbot added a comment.Apr 1 2015, 5:18 PM

Change 201228 merged by jenkins-bot:
SECURITY: Add an edit token to Special:CheckUser

https://gerrit.wikimedia.org/r/201228

Legoktm mentioned this in rMEXT54177ce26ff6: Updated mediawiki/extensions Project: mediawiki/extensions/CheckUser….Apr 1 2015, 5:18 PM
csteipp mentioned this in rECHUca95696d9678: SECURITY: Add an edit token to Special:CheckUser.Apr 1 2015, 5:20 PM
csteipp updated the task description. (Show Details)Apr 9 2015, 11:19 PM
csteipp added a project: Vuln-CSRF.
MarcoAurelio moved this task from General / Unsorted to Done on the CheckUser board.May 9 2016, 8:56 AM
Restricted Application added subscribers: Malyacko, JEumerus. · View Herald TranscriptMay 9 2016, 8:56 AM
MarcoAurelio removed a project: Patch-For-Review.May 9 2016, 9:05 AM
chasemp added a project: Security.Feb 10 2020, 10:53 PM
chasemp removed a project: acl*security.Feb 20 2020, 8:14 PM
Aklapper removed a subscriber: Anomie.Oct 16 2020, 5:39 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL