Page MenuHomePhabricator
Create Task
Maniphest T34616

action=ajax bypasses read permissions
Closed, ResolvedPublic
Actions

Description

action=ajax requests are dispatched to the relevant function without any read permission checks being done. This can lead to data leakage on private wikis.

A quick survey of the many extensions which use action=ajax suggests that few, if any, have anticipated this security issue. This includes the popular CategoryTree extension, which can be used to obtain lists of page titles. The ExtTab and InlineEditor extensions appear to allow disclosure of the full text of the page.

In the core, most former action=ajax uses have been migrated to api.php, however SpecialUpload::ajaxGetExistsWarning still remains, which allows confirmation of the existence of a given file upload, given the name. A dictionary attack could lead to significant data leakage. Previous versions of MediaWiki may have more severe vulnerabilities.

I suggest denying all access to action=ajax for users without read permissions. If there are any extensions that really need to provide data from a private wiki to logged-out users, api.php can be used instead. It provides an opt-in model for bypassing read permissions.

Version: unspecified
Severity: normal

Details

Reference
bz32616
TitleReferenceAuthorSource BranchDest Branch
Adds Shell Script Security Checks via Shellcheck toolrepos/security/gitlab-ci-security-templates!33mmartoranaShell-script-templatemain
Customize query in GitLab

Event Timeline

bzimport raised the priority of this task from to High.Nov 22 2014, 12:08 AM
bzimport added projects: MW-1.18.0-release, MediaWiki-General.
bzimport set Reference to bz32616.
bzimport added a subscriber: Unknown Object (MLST).
tstarling created this task.Nov 23 2011, 11:25 PM
tstarling added a comment.Nov 24 2011, 3:25 AM

Created attachment 9541
Proposed patch

Attached:

ajax-read-restricton.patch795 BDownload

brion added a comment.Nov 24 2011, 4:30 PM

Is the "!in_array( 'read', User::getGroupPermissions( array( '*' ) )" a necessary logical component or an optimization to skip over the User::isAllowed() call in the common case of non-restricted sites?

Might want to indicate if it's a shortcut in a comment so it doesn't get removed by some clever refactorer later. :)

tstarling added a comment.Nov 24 2011, 10:53 PM

The code was copied from ApiMain. It was introduced there in r62544 based on code from ApiOpenSearch r62540. It was described as an optimisation in the commit message on r62540.

hashar added a comment.Nov 26 2011, 5:53 PM

The patch has been reviewed and sent to Sam Reed to prepare the new release.
I think we agreed to release the new version on monday or tuesday because of thanksgiving in the US.

Reedy added a comment.Nov 28 2011, 11:40 PM

Fixed in trunk with r104505, 1.17 in r104506, 1.18 in r104508 and 1.18wmf1 in r104509

csteipp added a project: acl*security.Mar 26 2015, 8:39 PM
chasemp added a project: Security.Feb 10 2020, 10:56 PM
chasemp removed a project: acl*security.Feb 20 2020, 8:16 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL