Page MenuHomePhabricator
Create Task
Maniphest T326866

CVE-2024-40596: Special:Investigate can expose suppressed information for log events
Closed, ResolvedPublic2 Estimated Story PointsBUG REPORT
Actions

Description

Splitting from T316414. Not setting as a security ticket as the cat is out of the bag.

Log actions stored by CheckUser that are in the logging table (and thus can be suppressed) are not hidden as CheckUser does not store the log ID so that it can look up the revision deletion status. This means that checkusers who do not have the oversight permissions can access oversighted logs.

To do this CheckUser needs to store any associated log ID. This will be done in T324907. Once this has been achieved this can be fixed.

Details

SubjectRepoBranchLines /-
Add read new support to the TimelineServicemediawiki/extensions/CheckUsermaster 525 -87
Update TimelineRowFormatter to read new for event table migrationmediawiki/extensions/CheckUsermaster 260 -57
Customize query in gerrit

Related Objects
Search...

View Standalone Graph
This task is connected to more than 200 other tasks. Only direct parents and subtasks are shown here. Use View Standalone Graph to show more of the graph.
StatusSubtypeAssignedTask
· · ·
ResolvedBUG REPORTDreamy_JazzT326866 CVE-2024-40596: Special:Investigate can expose suppressed information for log events
ResolvedDreamy_JazzT253796 Make CheckUser record the log_id of logged actions
· · ·

Event Timeline

Dreamy_Jazz created this task.Jan 12 2023, 9:07 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptJan 12 2023, 9:07 PM
Dreamy_Jazz mentioned this in T311337: CVE-2022-39193: Edits with the performer suppressed still show the performer in results from the CheckUser extension.Jan 12 2023, 9:11 PM
Dreamy_Jazz added a project: Vuln-Infoleak.
Dreamy_Jazz added a project: Anti-Harassment.Jan 12 2023, 9:33 PM
Dreamy_Jazz added a subtask: T253796: Make CheckUser record the log_id of logged actions.
sbassett edited projects, added SecTeam-Processed; removed Security-Team.Jan 17 2023, 5:14 PM
Dreamy_Jazz added a project: CheckUser.Jan 18 2023, 9:48 PM
Dreamy_Jazz moved this task from General / Unsorted to Investigate on the CheckUser board.
sbassett mentioned this in T325849: Write and send supplementary release announcement for extensions and skins with security patches (1.35.10/1.38.6/1.39.3).Jan 23 2023, 6:14 PM
sbassett mentioned this in T333626: Write and send supplementary release announcement for extensions and skins with security patches (1.35.11/1.38.7/1.39.4/1.40.0).Apr 4 2023, 7:48 PM
sbassett mentioned this in T340874: Write and send supplementary release announcement for extensions and skins with security patches (1.35.12/1.39.5/1.40.1).Jul 6 2023, 3:27 PM
Dreamy_Jazz moved this task from Untriaged to CheckUser on the Anti-Harassment board.Jul 22 2023, 5:49 PM
sbassett mentioned this in T347659: Write and send supplementary release announcement for extensions and skins with security patches (1.35.14/1.39.6/1.40.2/1.41.0).Oct 2 2023, 10:31 PM
Tchanders mentioned this in T361296: CVE-2024-40608: Special:Investigate exposes suppressed usernames to those who do not have the rights to see them.Apr 3 2024, 3:07 PM
Dreamy_Jazz closed subtask T253796: Make CheckUser record the log_id of logged actions as Resolved.Apr 10 2024, 1:41 PM
TAdeleye_WMF edited projects, added Trust and Safety Product Team; removed Anti-Harassment.May 14 2024, 4:16 PM
gerritbot added a comment.May 21 2024, 3:18 PM

Change #1034100 had a related patch set uploaded (by Dreamy Jazz; author: Dreamy Jazz):

[mediawiki/extensions/CheckUser@master] [WIP] Add read new support to Timeline mode

https://gerrit.wikimedia.org/r/1034100

gerritbot added a project: Patch-For-Review.May 21 2024, 3:18 PM
gerritbot added a comment.May 21 2024, 3:46 PM

Change #1034524 had a related patch set uploaded (by Dreamy Jazz; author: Dreamy Jazz):

[mediawiki/extensions/CheckUser@master] Update TimelineRowFormatter to read new for event table migration

https://gerrit.wikimedia.org/r/1034524

Dreamy_Jazz claimed this task.May 21 2024, 5:51 PM
Dreamy_Jazz added a project: Trust and Safety Product Sprint (Sprint Shekere (13th May - 24th May)).
Dreamy_Jazz set the point value for this task to 2.
Dreamy_Jazz moved this task from Priority Backlog to In Progress on the Trust and Safety Product Sprint (Sprint Shekere (13th May - 24th May)) board.
Dreamy_Jazz moved this task from In Progress to Needs Review on the Trust and Safety Product Sprint (Sprint Shekere (13th May - 24th May)) board.May 22 2024, 3:55 PM
gerritbot added a comment.May 24 2024, 1:18 PM

Change #1034524 merged by jenkins-bot:

[mediawiki/extensions/CheckUser@master] Update TimelineRowFormatter to read new for event table migration

https://gerrit.wikimedia.org/r/1034524

ReleaseTaggerBot added a project: MW-1.43-notes (1.43.0-wmf.7; 2024-05-28).May 24 2024, 2:00 PM
gerritbot added a comment.May 24 2024, 2:58 PM

Change #1034100 merged by jenkins-bot:

[mediawiki/extensions/CheckUser@master] Add read new support to the TimelineService

https://gerrit.wikimedia.org/r/1034100

Maintenance_bot removed a project: Patch-For-Review.May 24 2024, 3:30 PM
Dreamy_Jazz moved this task from Needs Review to Needs QA on the Trust and Safety Product Sprint (Sprint Shekere (13th May - 24th May)) board.May 28 2024, 10:21 AM
Dreamy_Jazz mentioned this in T361321: Write and send supplementary release announcement for extensions and skins with security patches (1.39.8/1.40.4/1.41.2/1.42.0).May 28 2024, 10:27 AM
dom_walden moved this task from Needs QA to Done on the Trust and Safety Product Sprint (Sprint Shekere (13th May - 24th May)) board.May 29 2024, 6:39 AM
dom_walden subscribed.

I can no longer see suppressed information for log events as a user without suppressor rights.

Test environment: local docker CheckUser 2.5 (ff30d8b) 12:09, 28 May 2024.

Dreamy_Jazz closed this task as Resolved.May 29 2024, 7:02 AM
mmartorana renamed this task from Special:Investigate can expose suppressed information for log events to CVE-2024-40596: Special:Investigate can expose suppressed information for log events.Jul 8 2024, 5:35 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits