Page MenuHomePhabricator

Check User page lacks CSRF protection
Closed, ResolvedPublic

Description

FINDING ID: iSEC-WMF1214-6

DESCRIPTION: The process to check a corresponding username to IP address and vice versa lacks
CSRF protection. CSRF attacks are perpetrated by issuing a request to a protected resource within a
web application on behalf of a user without their knowledge. When the server receives the requests,
it has no way of distinguishing the forged request from a request sent purposefully by the user. Any
user with basic rights on MediaWiki can trick a user with check user rights into submitting multiple
look up requests. This will fill the check user log with untrustworthy data.

EXPLOIT SCENARIO: An attacker with basic user rights on MediaWiki makes targeted attacks towards
MediaWiki users with check user rights. A user with check user rights is tricked into visiting a site
the attacker controls, in turn tricking their browser into sending the request that submits unnecessary
check user requests. Although the attacker cannot view the responses, a large number of unnecessary
requests can damage the reputation of the valid user.

SHORT TERM SOLUTION: Require a valid wpEditToken to be submitted with each check user request.


Patch:

  • 1.24:
  • 1.23:
  • 1.19:

Affected Versions: Since at least 67bed6768192fe537a9605f414ff039e61c978eb (1.6?)
Type: csrf
CVE: CVE-2015-2940

Event Timeline

csteipp created this task.Jan 5 2015, 9:20 PM
csteipp raised the priority of this task from to Needs Triage.
csteipp updated the task description. (Show Details)
csteipp added projects: Security, CheckUser.
csteipp changed Security from None to Software security bug.
csteipp added a subscriber: csteipp.
Restricted Application changed the visibility from "Public (No Login Required)" to "Custom Policy". · View Herald TranscriptJan 5 2015, 9:20 PM
Restricted Application changed the edit policy from "All Users" to "Custom Policy". · View Herald Transcript

Restricted Application changed the visibility from "Custom Policy" to "Custom Policy". · View Herald TranscriptJan 13 2015, 8:32 PM
Restricted Application changed the edit policy from "Custom Policy" to "Custom Policy". · View Herald Transcript
Anomie added a subscriber: Anomie.Jan 14 2015, 4:44 PM

Code review +1

csteipp closed this task as Resolved.Jan 20 2015, 11:12 PM
csteipp claimed this task.

This is deployed and will be included in the 1.24.2 release

Hmmmm, is this live in anyway (and has it been for 'x' days, some point in the past week or so) on the cluster? The checkusers are having some relatively common session issues that we're talking about on their mailing list (they should be creating a phab task soon) and I'm trying to figure out what could have caused that in any recent changes...

Yes, this is live on the cluster. Looks like Chris committed it at 18:40 UTC on the 15th, deployment would've happened shortly afterwards.

hmmm, ok, this is definitely on the list of possible causes then for the sudden session issues. Doesn't look like someone else has open a phabricator task on that yet so I'll do so now and link this.

The "Session failure. Please try again." error they are getting was added in this patch and is not merged to master, so I don't think that task can be valid.

Do we know what these users are doing in between opening the form and actually submitting it?

The "Session failure. Please try again." error they are getting was added in this patch and is not merged to master, so I don't think that task can be valid.

Well they're very clearly getting it :) so unless that warning is somewhere else in the extension too (also possible) then the patch is live ;)

Do we know what these users are doing in between opening the form and actually submitting it?

nope, that's why I'm going to ask them to chime in.

The "Session failure. Please try again." error they are getting was added in this patch and is not merged to master, so I don't think that task can be valid.

Well they're very clearly getting it :) so unless that warning is somewhere else in the extension too (also possible) then the patch is live ;)

Right, but it's not in the actual extension yet, just WMF's live clone, and isn't even public.

The "Session failure. Please try again." error they are getting was added in this patch and is not merged to master, so I don't think that task can be valid.

Well they're very clearly getting it :) so unless that warning is somewhere else in the extension too (also possible) then the patch is live ;)

Right, but it's not in the actual extension yet, just WMF's live clone, and isn't even public.

Aye, though I don't really know where else it would be able to be posted. As far as they are concerned it's live in the extension and they wouldn't really know to post it or look somewhere else. I'm happy to hide it or move to a different project if we think it's better though that's why I just mentioned the tasks here rather then discussing it. Right now I think the most appropriate project is the checkuser extension one (just like this is in that project).

This is an updated patch which includes the fix for {T87304}.

csteipp updated the task description. (Show Details)Mar 18 2015, 12:50 AM

- minor differences in messages

- minor differences in messages

- i18n format, use wgUser to keep with the style of the rest of the code

csteipp updated the task description. (Show Details)Mar 24 2015, 9:18 PM
csteipp changed the visibility from "Custom Policy" to "Custom Policy".Mar 31 2015, 12:38 PM
csteipp changed the visibility from "Custom Policy" to "Public (No Login Required)".Mar 31 2015, 9:16 PM
csteipp changed the edit policy from "Custom Policy" to "All Users".
csteipp changed Security from Software security bug to None.

Change 201057 had a related patch set uploaded (by CSteipp):
SECURITY: Add an edit token to Special:CheckUser

https://gerrit.wikimedia.org/r/201057

Kghbln added a subscriber: Kghbln.Mar 31 2015, 10:45 PM

Change 201058 had a related patch set uploaded (by CSteipp):
SECURITY: Add an edit token to Special:CheckUser

https://gerrit.wikimedia.org/r/201058

Change 201058 merged by CSteipp:
SECURITY: Add an edit token to Special:CheckUser

https://gerrit.wikimedia.org/r/201058

Change 201057 merged by CSteipp:
SECURITY: Add an edit token to Special:CheckUser

https://gerrit.wikimedia.org/r/201057

Change 201228 had a related patch set uploaded (by CSteipp):
SECURITY: Add an edit token to Special:CheckUser

https://gerrit.wikimedia.org/r/201228

Change 201228 merged by jenkins-bot:
SECURITY: Add an edit token to Special:CheckUser

https://gerrit.wikimedia.org/r/201228

csteipp updated the task description. (Show Details)Apr 9 2015, 11:19 PM
csteipp added a project: Vuln-CSRF.
MarcoAurelio moved this task from Backlog to Closed on the CheckUser board.May 9 2016, 8:56 AM
Restricted Application added subscribers: Malyacko, JEumerus. · View Herald TranscriptMay 9 2016, 8:56 AM