Last modified: 2012-01-20 16:37:21 UTC

Wikimedia Bugzilla is closed!

Wikimedia migrated from Bugzilla to Phabricator. Bug reports are handled in Wikimedia Phabricator.
This static website is read-only and for historical purposes. It is not possible to log in and except for displaying bug reports and their history, links might be broken. See T34276, the corresponding Phabricator task for complete and up-to-date bug report information.
Bug 32276 - Page titles on private wikis are exposed with index.php?curid=...
Page titles on private wikis are exposed with index.php?curid=...
Status: RESOLVED FIXED
Product: MediaWiki
Classification: Unclassified
General/Unknown (Other open bugs)
unspecified
All All
: High major (vote)
: 1.18.0 release
Assigned To: Nobody - You can work on this!
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2011-11-08 19:57 UTC by Alexandre Emsenhuber [IAlex]
Modified: 2012-01-20 16:37 UTC (History)
6 users (show)

See Also:
Web browser: ---
Mobile Platform: ---
Assignee Huggle Beta Tester: ---


Attachments
Patch to hide page title on private wikis when curid parameter is passed (722 bytes, patch)
2011-11-08 19:57 UTC, Alexandre Emsenhuber [IAlex]
Details
stop exposing title and bump MW to version 1.17.1 (1.98 KB, patch)
2011-11-10 23:37 UTC, Antoine "hashar" Musso (WMF)
Details
(trunk) hide Title in returnto when it is unknown to the user (1.90 KB, patch)
2011-11-23 14:13 UTC, Antoine "hashar" Musso (WMF)
Details
(trunk) hide Title in returnto and set wgTitle when it is unknown to the user (2.21 KB, patch)
2011-11-24 01:32 UTC, Antoine "hashar" Musso (WMF)
Details
(REL1_17) hides Title and wgTitle exposures. Bump MW to1.17.1 (2.23 KB, patch)
2011-11-24 01:36 UTC, Antoine "hashar" Musso (WMF)
Details
Updated patch for trunk (3.59 KB, patch)
2011-11-24 06:22 UTC, Tim Starling
Details

Description Alexandre Emsenhuber [IAlex] 2011-11-08 19:57:16 UTC
Created attachment 9384 [details]
Patch to hide page title on private wikis when curid parameter is passed

On private MediaWiki installations, page title are exposed to the user (e.g. in the URL in the tab) when curid parameter is passed to index.php. It allows people to make a list of pages in wiki by making bacth requests.
Comment 1 Brion Vibber 2011-11-08 20:04:25 UTC
oldid appears to allow a similar data-exposure attack; you'd have to iterate through more things but you could get a basic list of page titles along with the page & revision id numbers.
Comment 2 Antoine "hashar" Musso (WMF) 2011-11-09 14:31:21 UTC
Under review with IAlex.
Comment 3 Antoine "hashar" Musso (WMF) 2011-11-09 14:57:46 UTC
Created attachment 9399 [details]
unconditionally show a badtitle and fix returnto links pointing to badtitle

patch made with iAlex on IRC
Comment 4 Mark A. Hershberger 2011-11-10 17:51:02 UTC
Looks straightforward enough.  Pinging Sam to see if we can get this into 1.18.
Comment 5 Antoine "hashar" Musso (WMF) 2011-11-10 23:03:35 UTC
I am not sure what is the release process for security bugs :-(

At the very minimal it needs to be reviewed and deployed live first. Might need a backport in 1.17 too and immediate release of 1.17.X.
Comment 6 Antoine "hashar" Musso (WMF) 2011-11-10 23:37:37 UTC
Created attachment 9417 [details]
stop exposing title and bump MW to version 1.17.1

patch against REL1_17:
- does not update the returnto links
- bump wgVersion to 1.17.1
- update RELEASE-NOTES
Comment 7 Alexandre Emsenhuber [IAlex] 2011-11-11 05:32:53 UTC
The RELEASE-NOTES entry is in the wrong section, it should be in "Changes since 1.17.0".
Comment 8 Rob Lanphier 2011-11-22 01:43:01 UTC
Tim is working on a security release now around this bug.  We'll probably hold 1.18.0 final for this fix.
Comment 9 Tim Starling 2011-11-23 10:07:09 UTC
I applied the patch to trunk, and found that there were still two instances of the actual title in the page. I haven't tested the branches, but on the face of it, it seems to be insufficient.

Maybe we should just do a redirect.
Comment 10 Antoine "hashar" Musso (WMF) 2011-11-23 14:11:00 UTC
We can surely redirect the user to Special:Userlogin. The problem is that we will then loose all the various error messages logic which is handled in output page and just show a login page with no error message.
Comment 11 Antoine "hashar" Musso (WMF) 2011-11-23 14:13:15 UTC
Created attachment 9530 [details]
(trunk) hide Title in returnto when it is unknown to the user
Comment 12 Antoine "hashar" Musso (WMF) 2011-11-23 14:14:27 UTC
I could not find any instances of the real title despite Tim said so. I tried using  ?oldid=## and ?curid=## and the title never show up :-(
Comment 13 Tim Starling 2011-11-23 22:14:10 UTC
+			$this->context->setTitle( SpecialPage::getTitleFor( 'Badtitle' ) );

This only affects things that actually use RequestContext, you didn't set $wgTitle. I had an extension enabled which uses $wgTitle in a head script.
Comment 14 Antoine "hashar" Musso (WMF) 2011-11-24 01:32:43 UTC
Created attachment 9539 [details]
(trunk) hide Title in returnto and set wgTitle when it is unknown to the user

and now setting wgTitle
Comment 15 Antoine "hashar" Musso (WMF) 2011-11-24 01:36:33 UTC
Created attachment 9540 [details]
(REL1_17) hides Title and wgTitle exposures. Bump MW to1.17.1

Patch for trunk applied to REL1_17
Comment 16 Tim Starling 2011-11-24 06:22:22 UTC
Created attachment 9542 [details]
Updated patch for trunk

Changes from Hashar's patch:

* Rewrote the comments
* The logic and comment in OutputPage.php didn't really make sense given that $this->getTitle() now returns Special:Badtitle for a private request, it doesn't return a private page title. Instead, unconditionally get the page title from the title parameter in the request. 
* Use Title::newFromURL() when processing the title parameter, for consistency with Wiki.php.
* In SkinTemplate, fixed the returnto parameter in the login link, using similar code to OutputPage. It was pointing to Special:Badtitle. Still needs refactoring in a non-security commit, since the code is duplicated and $wgSecureLogin is (and was always) broken in OutputPage.
* If there was no title in the WebRequest, don't send returntoquery without returnto. This is more consistent since nothing else in the chain supports returntoquery without returnto (LoginForm::successfulLogin(), OutputPage::returnToMain()).
Comment 17 Sam Reed (reedy) 2011-11-28 23:40:33 UTC
Fixed in trunk with r104505, 1.17 in r104506, 1.18 in r104508 and 1.18wmf1 in r104509
Comment 18 Thorsten Glaser 2012-01-20 16:11:44 UTC
For the record: does NOT affect 1.15, and the backported patch (in Debian’s package) does acutal harm. In 1.15 there is no information disclosure wrt. whether a page exists in this case.
Comment 19 Alexandre Emsenhuber [IAlex] 2012-01-20 16:37:21 UTC
1.15 is definitively affected by this, but it is not supported anymore, so the patch wasn't backported by us. What you are reporting concerns Debian’s
package that we don't manage. Please contact the reponsible for that package, we can't do anything about this.

Note You need to log in before you can comment on or make changes to this bug.


Navigation
Links