Page MenuHomePhabricator

User access roles are public
Closed, DeclinedPublic

Description

FINDING ID: iSEC-WMF1214-12

TARGETS: The following pages:
http://devwiki/codwiki/index.php/Special:ActiveUsers
http://devwiki/codwiki/index.php/Special:GlobalUsers
http://devwiki/codwiki/index.php/Special:CentralAuth

DESCRIPTION: The target links allow unauthenticated users to look up privileges associated with roles,
and the role associated with any existing user. The roles, such as `administrator'' or `steward'', disclose
the list of operations a specific user has permission to perform. An attacker can use this information
to enumerate users with higher privileges and create targeted attacks against them.

SHORT TERM SOLUTION: Do not show the user roles in the list of users to unauthenticated users while
displaying the list of users. Restrict the Global Account information to the privileged users only.

LONG TERM SOLUTION: Make a chart of what parts of user accounts are considered private or pro-
tected, and go through each way of accessing user data and make sure it conforms to specifications.
Perform regression checks to verify that there is no information disclosure which can be useful to the
attacker.

Related Objects

Event Timeline

csteipp created this task.Jan 5 2015, 9:21 PM
csteipp raised the priority of this task from to Needs Triage.
csteipp updated the task description. (Show Details)
csteipp changed Security from None to Software security bug.
csteipp added a subscriber: csteipp.
Restricted Application changed the visibility from "Public (No Login Required)" to "Custom Policy". · View Herald TranscriptJan 5 2015, 9:21 PM
Restricted Application changed the edit policy from "All Users" to "Custom Policy". · View Herald Transcript
Restricted Application added a project: Security. · View Herald Transcript
Anomie added a subscriber: Anomie.Jan 5 2015, 9:43 PM

I recommend WONTFIX here. This sort of openness is one of the things we stand for, and that is expected of us by our users.

Also, they missed links such as https://en.wikipedia.org/wiki/Special:ListUsers/sysop

Agreed. Identities of stewards and other privileged users is generally public information anyway (especially in the case of positions like stewards, who are community-elected). Thus hiding the user-group association would accomplish nothing.

As for the group-permission association, hiding that will also accomplish nothing as well. Jobs like being a sysop have public documentation on how they should be carrying out their job, and therein such documentation is what general permissions they have.

tl;dr - WONTFIX

csteipp closed this task as Declined.Jan 9 2015, 12:42 AM
csteipp claimed this task.

Agree with both other comments. I think this is an acceptable risk

Restricted Application changed the visibility from "Custom Policy" to "Custom Policy". · View Herald TranscriptJan 9 2015, 12:42 AM
Restricted Application changed the edit policy from "Custom Policy" to "Custom Policy". · View Herald Transcript
csteipp changed the visibility from "Custom Policy" to "Public (No Login Required)".Apr 1 2015, 11:16 PM
csteipp changed the edit policy from "Custom Policy" to "All Users".
csteipp changed Security from Software security bug to None.