Last modified: 2011-04-14 19:56:46 UTC

Wikimedia Bugzilla is closed!

Wikimedia migrated from Bugzilla to Phabricator. Bug reports are handled in Wikimedia Phabricator.
This static website is read-only and kept for historical purposes. It is not possible to log in, and apart from displaying bug reports and their history, links might be broken. See T13757, the corresponding Phabricator task, for complete and up-to-date bug report information.
Bug 11757 - Don't say whether user exists on incorrect login info, for wikis with no anonymous viewing
Status: REOPENED
Product: MediaWiki
Classification: Unclassified
Component: User login and signup
Version: unspecified
Platform: All / All
Importance: Low minor
Assigned To: Nobody - You can work on this!
Duplicates: 27751
Reported: 2007-10-25 01:43 UTC by Voyagerfan5761 / dgw
Modified: 2011-04-14 19:56 UTC

Description Voyagerfan5761 / dgw 2007-10-25 01:43:49 UTC
By default, the messages displayed to a user when failing a login specify what was wrong with the provided credentials. If there is no such user, it says so; if the user is correct but the password is wrong, it says so. This poses a serious security risk, as hackers can use this information to determine what usernames exist and then try to brute-force the password.
Comment 1 River Tarnell 2007-10-25 01:44:40 UTC
But you can already see which accounts exist, on [[Special:Listusers]].
Comment 2 Voyagerfan5761 / dgw 2007-10-25 01:47:37 UTC
I won't reopen the bug myself, but Special:Listusers is not likely to be whitelisted on wikis with $wgGroupPermissions['*']['read'] = false, as mine has.
Comment 3 Aryeh Gregor (not reading bugmail, please e-mail directly) 2007-10-25 01:52:36 UTC
Possibly a reasonable request, but not really of major severity.  MediaWiki is not optimized for secrecy of this level, and isn't intended to be, so there are quite possibly other ways to get this info anyway.  I'll reopen, unless River or someone else still thinks this would be an unreasonable addition.
Comment 4 Voyagerfan5761 / dgw 2007-10-25 01:55:01 UTC
It's not entirely a huge deal, as the messages can be changed by the wiki's sysops, but having such revealing messages as the default seems rather strange. Thanks, Simetrical!
Comment 5 Roan Kattouw 2007-10-25 15:51:48 UTC
Please note that even if Special:Listusers is not viewable, api.php is still accessible for anyone (unless it's disabled entirely), so anons will still be able to get a list of users through api.php?action=query&list=allusers.
Comment 6 Aryeh Gregor (not reading bugmail, please e-mail directly) 2007-10-25 16:35:45 UTC
(In reply to comment #5)
> Please note that even if Special:Listusers is not viewable, api.php is still
> accessible for anyone (unless it's disabled entirely), so anons will still be
> able to get a list of users through api.php?action=query&list=allusers

api.php should be checking read permissions when it's called.  If it's not, that's a fairly serious issue.
Comment 7 Roan Kattouw 2007-10-25 16:53:02 UTC
(In reply to comment #6)
> api.php should be checking read permissions when it's called.  If it's not,
> that's a fairly serious issue.
> 
It does, on real pages. Not on lists (currently).
Comment 8 Voyagerfan5761 / dgw 2007-10-25 18:44:06 UTC
(In reply to comment #7)
> It does, on real pages. Not on lists (currently).
> 
It looks like it's checking, to me. The API call action=query&list=allusers generates an error "Unrecognised value for parameter 'action'" if I don't log in. If I log in, it gives me an HTML pretty-print XML list.

This is a different issue, but I couldn't log in with the API using action=login&lgname=Daniel&lgpassword=mypass
Comment 9 Roan Kattouw 2007-10-25 20:29:34 UTC
(In reply to comment #8)
> It looks like it's checking, to me. The API call action=query&list=allusers
> generates an error "Unrecognised value for parameter 'action'" if I don't log
> in. If I log in, it gives me an HTML pretty-print XML list.
That's very weird. Are you absolutely sure you spelled everything correctly in the first request?
Comment 10 Voyagerfan5761 / dgw 2007-10-25 23:30:09 UTC
(In reply to comment #9)
> That's very weird. Are you absolutely sure you spelled everything correctly in
> the first request?
> 
Um, I'm pretty sure, but I'll try it again to confirm. I'm using the URL http://localhost/w/api.php?action=query&list=allusers (the wiki I'm testing is on my computer), and it gives me a list when I log in, and <error code="unknown_action" ...> if I'm logged out. Sure enough, it's confirmed. I'd try on a different wiki to cross-check, but I don't know of another wiki that's access-controlled.
Comment 11 Roan Kattouw 2007-10-28 21:13:53 UTC
(In reply to comment #10)
> Um, I'm pretty sure, but I'll try it again to confirm. I'm using the URL
> http://localhost/w/api.php?action=query&list=allusers (the wiki I'm testing is
> on my computer), and it gives me a list when I log in, and <error
> code="unknown_action" ...> if I'm logged out. Sure enough, it's confirmed. I'd
> try on a different wiki to cross-check, but I don't know of another wiki that's
> access-controlled.
> 

I've dug into this, and it turned out to be pretty complicated:

- Who doesn't have read permission can't do any queries, thus action=query is unavailable (see api.php?action=help when you're logged out).
- This means ApiBase::extractRequestParams() fails for the main API module (invalid value for action).
- This in turn means the format parameter can't be read.
- Since we don't know which format the user wants, we give them a raw error message.

This also happens if you try action=bogus or format=bogus.
Comment 12 Voyagerfan5761 / dgw 2007-10-29 00:48:47 UTC
(In reply to comment #11)
> I've dug into this, and it turned out to be pretty complicated:
> 
> - Who doesn't have read permission, can't do any queries, thus action=query in
> unavailable (see api.php?action=help when you're logged out).
> - This means ApiBase::extractRequestParams() fails for the main API module
> (invalid value for action).
> - This in turn means the format parameter can't be read.
> - Since we don't know which format the user wants, we give them a raw error
> message.
> 
> This also happens if you try action=bogus or format=bogus.
> 

Is that an unintentional feature? Looks reasonably secure. Doesn't look like the API is an issue for this particular bug.
Comment 13 Roan Kattouw 2007-10-29 15:34:51 UTC
(In reply to comment #12)
> Is that an unintentional feature? Looks reasonably secure. Doesn't look like
> the API is an issue for this particular bug.
> 

No, that's intentional (judging by the comments). If you don't have read permission, the API acts like querying isn't even possible (the only options you get as an anon are action=help and action=login).
Comment 14 Platonides 2010-05-22 15:29:05 UTC
I added a note on http://www.mediawiki.org/w/index.php?title=Manual%3APreventing_access&action=historysubmit&diff=324659&oldid=320372 about editing [[MediaWiki:wrongpassword]] and [[MediaWiki:nosuchusershort]] to contain the same text.

However, it can still be determined by:
a) Using the api
b) Asking in a different language.
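The leak from the bug description and the message-override mitigation from comment 14, as an added example (not MediaWiki's code): the default behaviour returns a different message key for "no such user" and "wrong password", the hardened handler returns one key for both failures, and a configuration check reports which languages still carry distinct texts (the gap comment 14 calls "asking in a different language"). The user table, salt, and message texts are constructed for the example.

```python
import hashlib
import hmac

# Constructed user table: username -> salted SHA-256 of the password.
def _h(password: str, salt: str = "constructed-salt") -> str:
    return hashlib.sha256((salt + password).encode()).hexdigest()

USERS = {"Daniel": _h("mypass")}

# Per-language message tables modelled on MediaWiki:wrongpassword and
# MediaWiki:nosuchusershort. 'en' has been overridden as comment 14
# suggests; 'de' still has distinct (constructed) texts.
MESSAGES = {
    "en": {"wrongpassword": "Incorrect username or password entered.",
           "nosuchusershort": "Incorrect username or password entered."},
    "de": {"wrongpassword": "Falsches Passwort.",
           "nosuchusershort": "Benutzer existiert nicht."},
}

def login_leaky(username: str, password: str, lang: str = "en") -> str:
    """Default behaviour: the message key reveals whether the user exists."""
    if username not in USERS:
        return MESSAGES[lang]["nosuchusershort"]
    if not hmac.compare_digest(USERS[username], _h(password)):
        return MESSAGES[lang]["wrongpassword"]
    return "ok"

def login_uniform(username: str, password: str, lang: str = "en") -> str:
    """Hardened: both failure paths use the same key, so the text is the
    same in every language; a dummy hash is compared for unknown users so
    the two paths do similar work."""
    stored = USERS.get(username, _h("dummy-value-never-a-real-password"))
    ok = hmac.compare_digest(stored, _h(password)) and username in USERS
    return "ok" if ok else MESSAGES[lang]["wrongpassword"]

def languages_that_leak(messages: dict) -> list:
    """Config check: languages whose two failure messages still differ."""
    return sorted(lang for lang, m in messages.items()
                  if m["wrongpassword"] != m["nosuchusershort"])
```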
Comment 15 Alexandre Emsenhuber [IAlex] 2011-04-14 19:56:46 UTC
*** Bug 27751 has been marked as a duplicate of this bug. ***