
CVE-2024-40607: Special:CheckUser 'Get actions' page link can expose the username of a suppressed user via the 'logs' URL
Closed, Resolved · Public · 2 Estimated Story Points · Security

Description

When Special:CheckUser is used for a 'Get actions' check by an authority that does not have the permission to see suppressed content, the username of a user who was blocked with hideuser enabled is still exposed: it appears in the URL of the 'logs' link rendered for that user's entries, even though the displayed text is redacted.

Examples:

Screenshot: leak via a logout event (image.png)
Screenshot: leak via a block log entry (image.png)
Steps to reproduce
  1. Add $wgCheckUserLogLogins = true; to LocalSettings.php if using a local wiki to test. Production already sets this value, so skip this step if testing on production.
  2. Create a new account
  3. Log out of this account and log into an account with the suppressor group
  4. Block the account created in step 2 with hideuser (Hide username from edits and lists) checked
  5. Log into an account without the suppressor group but with the checkuser group
  6. Run a check on the IP address used to create the account in step 2
  7. Find the entry with the username as (username removed) and the event as a logout event
  8. Hover over the logs link and notice that it shows the username that is hidden from the current user
  9. Find the entry for the block of the account created in step 2
  10. Hover over the logs link and notice that it shows the username that is hidden from the current user

Event Timeline

Dreamy_Jazz renamed this task from Special:CheckUser 'Get actions' page link can expose the username of a suppressed user for login and logout events to Special:CheckUser 'Get actions' page link can expose the username of a suppressed user via the 'logs' URL.Apr 1 2024, 3:49 PM
Dreamy_Jazz updated the task description.
Dreamy_Jazz updated the task description.

Very simple approach. Not sure if it actually does cover all cases. Also it might be too harsh for some cases.


-1. This isn't the optimal solution IMO. We still want to display the diff links so that the checkuser can look at the edit in Special:Diff. Furthermore, if the username used as the title for the event isn't the performer (for example a block log) then this wouldn't appropriately hide the username.

I will upload my suggested version shortly (as I've been working on one for the last few mins).

My proposed patch to fix this:

This (compared to the other patch) will:

  • Hide a username defined as the page for the logs link if the username isn't the performer of the action but is still hidden
  • Also check if the username is hidden for the specific log event (by checking log_deleted)
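The decision the patch describes, written out as an added illustration (Python, not the CheckUser extension's own PHP): the 'logs' link target is the page of the log entry, which for a block log is the blocked account rather than the performer, so the link is withheld when that account is hideuser-blocked and the viewer lacks 'viewsuppressed', and separately when the entry's log_deleted field hides the performer for that one event. The DELETED_* bit values mirror MediaWiki's LogPage constants and the rights names are MediaWiki's; all rows, viewers, usernames and the URL shape are constructed for the example.

```python
"""Decide whether a CheckUser 'Get actions' row may render a 'logs' link
whose URL would reveal a username the viewer is not allowed to see.

Added illustration, not the extension's code. Bit values mirror MediaWiki's
LogPage::DELETED_* constants; every row, viewer and username is constructed.
"""
from dataclasses import dataclass

DELETED_ACTION = 1
DELETED_COMMENT = 2
DELETED_USER = 4        # performer's name is revision-deleted for this event
DELETED_RESTRICTED = 8  # ...and only 'viewsuppressed' may see through it

HIDDEN_TEXT = "(username removed)"


@dataclass(frozen=True)
class Viewer:
    name: str
    rights: frozenset

    def can_view_suppressed(self) -> bool:
        return "viewsuppressed" in self.rights

    def can_see_performer(self, log_deleted: int) -> bool:
        """Same rule as LogEventsList::userCanBitfield for DELETED_USER."""
        if not log_deleted & DELETED_USER:
            return True
        if log_deleted & DELETED_RESTRICTED:
            return self.can_view_suppressed()
        return "deletedhistory" in self.rights or self.can_view_suppressed()


@dataclass(frozen=True)
class LogRow:
    performer: str
    title: str          # page the log entry is about, e.g. "User:Alice"
    log_type: str
    log_deleted: int = 0


def username_from_title(title: str):
    return title[len("User:"):] if title.startswith("User:") else None


def logs_link(row: LogRow, viewer: Viewer, hidden_users: frozenset):
    """URL for the 'logs' link, or None when rendering it would leak a name.

    hidden_users: accounts currently blocked with hideuser (suppressed).
    """
    target = username_from_title(row.title)
    if target is None:
        return None
    # The link target is the *page* of the entry; it need not be the performer
    # (a block log entry names the blocked account), so check it on its own.
    if target in hidden_users and not viewer.can_view_suppressed():
        return None
    # log_deleted hides the performer for this one event, so honour it when
    # the link target is that performer (e.g. a logout event).
    if target == row.performer and not viewer.can_see_performer(row.log_deleted):
        return None
    return f"/wiki/Special:Log?page=User:{target}"  # constructed URL shape


def render(rows, viewer, hidden_users):
    """(label, link) pairs as the results table would show them."""
    out = []
    for row in rows:
        link = logs_link(row, viewer, hidden_users)
        label = username_from_title(row.title) if link else HIDDEN_TEXT
        out.append((label, link))
    return out


# Constructed sample: one hideuser-blocked account and four log rows.
HIDDEN_USERS = frozenset({"Suppressed_sock"})
ROWS = [
    LogRow("Suppressed_sock", "User:Suppressed_sock", "logout"),
    LogRow("Suppressor", "User:Suppressed_sock", "block"),
    LogRow("Alice", "User:Alice", "logout"),
    LogRow("Bob", "User:Bob", "logout", DELETED_USER | DELETED_RESTRICTED),
]
CHECKUSER = Viewer("Cu", frozenset({"checkuser", "deletedhistory"}))
SUPPRESSOR = Viewer("Su", frozenset({"checkuser", "deletedhistory", "viewsuppressed"}))

if __name__ == "__main__":
    for viewer in (CHECKUSER, SUPPRESSOR):
        print(viewer.name, render(ROWS, viewer, HIDDEN_USERS))
```

For the checkuser without 'viewsuppressed' the first, second and fourth rows come back with no link at all, so neither the label nor an href carries the hidden name; the suppressor sees every link.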


Looks good: +2.

This should be deployed to production.

Change #1016826 had a related patch set uploaded (by Dreamy Jazz; author: Dreamy Jazz):

[mediawiki/extensions/CheckUser@master] SECURITY: Hide 'logs' link if page is a hidden user in 'Get actions'

https://gerrit.wikimedia.org/r/1016826

Change #1016826 merged by jenkins-bot:

[mediawiki/extensions/CheckUser@master] SECURITY: Hide 'logs' link if page is a hidden user in 'Get actions'

https://gerrit.wikimedia.org/r/1016826

Change #1016784 had a related patch set uploaded (by Dreamy Jazz; author: Dreamy Jazz):

[mediawiki/extensions/CheckUser@REL1_41] SECURITY: Hide 'logs' link if page is a hidden user in 'Get actions'

https://gerrit.wikimedia.org/r/1016784

Change #1016785 had a related patch set uploaded (by Dreamy Jazz; author: Dreamy Jazz):

[mediawiki/extensions/CheckUser@REL1_40] SECURITY: Hide 'logs' link if page is a hidden user in 'Get actions'

https://gerrit.wikimedia.org/r/1016785

Change #1016784 merged by jenkins-bot:

[mediawiki/extensions/CheckUser@REL1_41] SECURITY: Hide 'logs' link if page is a hidden user in 'Get actions'

https://gerrit.wikimedia.org/r/1016784

mmartorana changed the task status from Open to In Progress.Apr 4 2024, 2:24 PM
mmartorana triaged this task as Low priority.

Change #1017122 had a related patch set uploaded (by Dreamy Jazz; author: Dreamy Jazz):

[mediawiki/extensions/CheckUser@REL1_41] Follow-up fix to 'Get edits' security fix

https://gerrit.wikimedia.org/r/1017122

Change #1017127 had a related patch set uploaded (by Dreamy Jazz; author: Dreamy Jazz):

[mediawiki/extensions/CheckUser@REL1_39] SECURITY: Hide 'logs' link if page is a hidden user in 'Get edits'

https://gerrit.wikimedia.org/r/1017127

Change #1016785 merged by jenkins-bot:

[mediawiki/extensions/CheckUser@REL1_40] SECURITY: Hide 'logs' link if page is a hidden user in 'Get edits'

https://gerrit.wikimedia.org/r/1016785

Change #1017127 merged by jenkins-bot:

[mediawiki/extensions/CheckUser@REL1_39] SECURITY: Hide 'logs' link if page is a hidden user in 'Get edits'

https://gerrit.wikimedia.org/r/1017127

SecurityPatchBot raised the priority of this task from Low to Unbreak Now!.Apr 9 2024, 12:00 AM

Patch 02-T361479.patch is currently failing to apply for the most recent code in the mainline branch of extensions/CheckUser. This is blocking MediaWiki release 1.42.0-wmf.26 (T360158).

If the patch needs to be rebased

To unblock the release, a new version of the patch can be placed at the right location in the deployment server with the following Scap command:

REVISED_PATCH=<path_to_revised_patch>
scap update-patch --message-body 'Rebase to solve merge conflicts with mainline code' /srv/patches/1.42.0-wmf.26/extensions/CheckUser/02-T361479.patch "$REVISED_PATCH"

If the patch has been made public

To unblock the release, the patch can be removed for the right version from the deployment server with the following Scap command:

scap remove-patch --message-body 'Remove patch already made public' /srv/patches/1.42.0-wmf.26/extensions/CheckUser/02-T361479.patch

(Note that if patches for the version don't exist yet, they will be created and the patch you specified removed)

I have removed the patch from the deployment server since it got merged and made its way to the MediaWiki deployment train this week.

Dreamy_Jazz lowered the priority of this task from Unbreak Now! to Low.Apr 9 2024, 12:00 PM

Change #1017122 merged by jenkins-bot:

[mediawiki/extensions/CheckUser@REL1_41] Follow-up fix to 'Get edits' security fix

https://gerrit.wikimedia.org/r/1017122

I can no longer see a logs link with the suppressed user's name.

Test environment: local docker CheckUser 2.5 (5f204f2) 07:27, 15 April 2024.

mmartorana renamed this task from Special:CheckUser 'Get actions' page link can expose the username of a suppressed user via the 'logs' URL to CVE-2024-40607: Special:CheckUser 'Get actions' page link can expose the username of a suppressed user via the 'logs' URL.Jul 8 2024, 5:33 PM
mmartorana changed the visibility from "Custom Policy" to "Public (No Login Required)".Jul 10 2024, 8:52 AM