
User access roles are public
Closed, Declined · Public

Description

FINDING ID: iSEC-WMF1214-12

TARGETS: The following pages:
http://devwiki/codwiki/index.php/Special:ActiveUsers
http://devwiki/codwiki/index.php/Special:GlobalUsers
http://devwiki/codwiki/index.php/Special:CentralAuth

DESCRIPTION: The target pages allow unauthenticated users to look up the privileges associated with each role,
and the roles associated with any existing user. The roles, such as "administrator" or "steward", disclose
the list of operations a specific user has permission to perform. An attacker can use this information
to enumerate users with higher privileges and craft targeted attacks against them.

SHORT TERM SOLUTION: Do not show user roles to unauthenticated users when displaying the list of users.
Restrict the Global Account information to privileged users only.

LONG TERM SOLUTION: Make a chart of which parts of user accounts are considered private or protected,
then go through each way of accessing user data and make sure it conforms to that specification.
Perform regression checks to verify that there is no information disclosure that could be useful to an
attacker.

Event Timeline

csteipp raised the priority of this task from to Needs Triage.
csteipp updated the task description.
csteipp changed Security from None to Software security bug.
csteipp subscribed.
Restricted Application changed the visibility from "Public (No Login Required)" to "Custom Policy". Jan 5 2015, 9:21 PM
Restricted Application changed the edit policy from "All Users" to "Custom Policy".
Restricted Application added a project: acl*security.

I recommend WONTFIX here. This sort of openness is one of the things we stand for, and that is expected of us by our users.

Also, they missed links such as https://en.wikipedia.org/wiki/Special:ListUsers/sysop

Agreed. Identities of stewards and other privileged users are generally public information anyway (especially in the case of positions like stewards, who are community-elected). Thus hiding the user-group association would accomplish nothing.

As for the group-permission association, hiding that will also accomplish nothing. Jobs like being a sysop have public documentation on how they should be carrying out their job, and therein such documentation is what general permissions they have.

tl;dr - WONTFIX

csteipp claimed this task.

Agree with both other comments. I think this is an acceptable risk.

Restricted Application changed the visibility from "Custom Policy" to "Custom Policy". Jan 9 2015, 12:42 AM
Restricted Application changed the edit policy from "Custom Policy" to "Custom Policy".
csteipp changed the visibility from "Custom Policy" to "Public (No Login Required)". Apr 1 2015, 11:16 PM
csteipp changed the edit policy from "Custom Policy" to "All Users".
csteipp changed Security from Software security bug to None.