Page MenuHomePhabricator
Create Task
Maniphest T72009

User's password in response html
Closed, ResolvedPublic
Actions

Description

Sherif reported that the mobile link seems to be appending POST fields when generating the url, so after submitting a username/password, the password is in the text of the resulting page.

curl -i -s -k -X 'POST' \

-H 'User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:28.0) Gecko/20100101 Firefox/28.0' -H 'Referer: http://en.wikipedia.beta.wmflabs.org/w/index.php?title=Special:UserLogin&returnto=Main+Page' -H 'Content-Type: application/x-www-form-urlencoded' \
-b 'GeoIP=GB::51.5000:-0.1300:v4; centralnotice_bucket=1-4.2; uls-previous-languages=%5B%22en%22%5D; mediaWiki.user.sessionId=YI03bpxPjata58Fp5ZwwvIEB1r9p3PZs; enwikiSession=414940d3638c0d8c1bc3899d56b23f1a' \
--data-binary $'wpName=%27%27&wpPassword=%27%27&wpLoginAttempt=Log+in&wpLoginToken=3037b08023402e508455f7340476341c' \
'http://en.wikipedia.beta.wmflabs.org/w/index.php?title=Special:UserLogin&action=submitlogin&type=login&returnto=Main+Page'

Version: unspecified
Severity: normal

Details

Reference
bz70009

Event Timeline

bzimport raised the priority of this task from to Needs Triage.Nov 22 2014, 3:42 AM
bzimport added a project: MobileFrontend-General-or-Unknown.
bzimport set Reference to bz70009.
bzimport added a subscriber: Unknown Object (MLST).
csteipp created this task.Aug 25 2014, 10:58 PM
bzimport added a comment.Aug 26 2014, 12:10 AM

cherifmansour wrote:

The example above will result in the following link on line 224 of the response:

http://en.m.wikipedia.beta.wmflabs.org/w/index.php?title=Special:UserLogin&wpName=%27%27&wpPassword=%27%27&wpLoginAttempt=Log+in&wpLoginToken=3037b08023402e508455f7340476341c&action=submitlogin&type=login&returnto=Main+Page

dr0ptp4kt added a comment.Sep 30 2014, 8:03 PM

Is any further action required on this? Is this Zero-related, or is it something for MobileFrontend? If it's MobileFrontend, could we get Max and Kaldari on this bug?

bzimport added a comment.Oct 1 2014, 8:11 AM

cherifmansour wrote:

I'll defer to Chris as he knows the code base way better than I do as to where the issue resides

csteipp added a comment.Oct 3 2014, 5:18 PM

For some reason I thought this was zero, but yeah, it looks more like mobile frontend. Max, can you take a look at this?

MaxSem added a comment.Oct 6 2014, 8:20 PM

Created attachment 16681
Proposed fix

Proposed fix. Will commit tests separately because they would require FauxRequest changes in core to test reasonably.

Attached:

70009.patch536 BDownload

kaldari added a comment.Oct 6 2014, 8:36 PM

The proposed fix looks good to me.

csteipp added a comment.Oct 6 2014, 10:25 PM

LGTM, +2

Jdlrobson added a comment.Oct 14 2014, 6:04 PM

Good catch. That's nasty.

Ricordisamoa subscribed.Dec 17 2014, 9:04 PM
csteipp added a project: acl*security.Mar 26 2015, 8:39 PM
chasemp added a project: Security.Feb 10 2020, 10:53 PM
chasemp removed a project: acl*security.Feb 20 2020, 8:14 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL