Last modified: 2013-11-15 02:45:14 UTC

Wikimedia Bugzilla is closed!

Wikimedia migrated from Bugzilla to Phabricator. Bug reports are handled in Wikimedia Phabricator.
This static website is read-only and kept for historical purposes. It is not possible to log in, and apart from displaying bug reports and their history, links might be broken. See T56294, the corresponding Phabricator task, for complete and up-to-date bug report information.
Bug 54294 - Oversighted IP still visible on Recent Changes when grouping edits per page
Status: RESOLVED FIXED
Product: MediaWiki extensions
Classification: Unclassified
Component: CleanChanges
Version: unspecified
Hardware: All
OS: All
Importance: Unprioritized major
Target Milestone: ---
Assigned To: Nobody
Keywords: patch-need-review
Depends on:
Blocks:

Reported: 2013-09-18 22:49 UTC by Teles
Modified: 2013-11-15 02:45 UTC
CC: 11 users

See Also:
Web browser: ---
Mobile Platform: ---
Assignee Huggle Beta Tester: ---


Attachments:
Screenshot of RC showing OS'ed IP (deleted), 2013-09-18 22:49 UTC, Teles
Patch for Special:RecentChanges info leak (2.10 KB, patch), 2013-09-24 15:42 UTC, Chris Steipp

Description Teles 2013-09-18 22:49:22 UTC
Created attachment 13315 [details]
Screenshot of RC showing OS'ed IP

Oversighted IPs are still visible on Meta for non-oversighters. This happens when we enable "Group changes by page in recent changes and watchlist" in preferences [1]. The IP disappears when it is disabled.

Recently, Meta started to use CleanChanges and that may be related to this problem [2], as I can't recall this issue previously.

[1] - https://meta.wikimedia.org/w/index.php?title=Special:Preferences&success=1#mw-prefsection-rc
[2] - https://www.mediawiki.org/wiki/Extension:CleanChanges
Comment 2 Chris Steipp 2013-09-20 02:42:11 UTC
Hi Teles,

I'm working on reproducing this. Can you walk me through the process that you used to suppress the IP address?

I'm correctly not seeing the IP displayed when I use "Hide editor's username/IP address" under Special:RevisionDelete. But are you actually using the oversight extension for this?
Comment 3 Chris Steipp 2013-09-20 02:46:15 UTC
Ah, I found it. The issue does only show up after installing CleanChanges, so yes, that extension is the problem.

I'm on vacation for a couple of days. Adding Niklas as the extension owner. I would recommend removing the extension if this is a problem, and you need a solution before next week.
Comment 4 Barras 2013-09-20 04:59:54 UTC
The usage of the extension itself is currently discussed on meta anyway. See [[bugzilla:53541]] and [[m:Meta:Babel#Enable_CleanChanges]].

Since that bug is a security bug and reveals private data to the public, I'd strongly suggest either having it fixed immediately or having the extension removed until it is fixed.

It might be worth checking all other wikis that use this extension for the same bug. I guess that one is not only related to Meta, so it might be a good idea to remove it from other wikis as well as long as this bug is not fixed.

[[m:User:Barras]]
Comment 5 Niklas Laxström 2013-09-20 05:06:49 UTC
The number of wikis using both CleanChanges and the long deprecated Oversight extension is probably just one: meta.
Comment 6 rschen7754.wiki 2013-09-20 05:09:59 UTC
I was involved in the IRC discussion where this was discovered, and it was using RevDel (modern suppression). I believe the issue had something to do with the number of recent edits displayed, but Teles or Barras can probably explain it better.
Comment 7 Teles 2013-09-21 03:12:34 UTC
It was first rev-deleted, which should have been enough to hide it from RC. As it was still appearing, I requested that Barras oversight it, but it was still there.
Comment 8 Barras 2013-09-23 14:51:09 UTC
Probably another case related to this bug; this time the IP is still shown on a user's watchlist.

https://meta.wikimedia.org/w/index.php?title=Talk%3ACommunity_Logo%2FReclaim_the_Logo&action=revisiondelete&ids%5B5826096%5D=1

IP has been suppressed, but still visible to the user on their watchlist.

Please get that fixed asap or remove the extension until it is fixed!
Comment 9 Dan Garry 2013-09-24 05:08:40 UTC
Given the noncritical nature of this extension (i.e. quality of life improvements to RC feeds), I think any kind of credible security concern, such as this one, should lead to the extension being temporarily removed until it's fixed.
Comment 10 Chris Steipp 2013-09-24 15:42:16 UTC
Created attachment 13359 [details]
Patch for Special:RecentChanges info leak

Here's a patch for the RecentChanges display. I'll start working on the watchlist also.

Niklas, can you review this patch and comment here if you think it looks appropriate to patch the cluster? If so, we'll patch the cluster, and then add this to gerrit when we do the next security release (scheduled for next week).
Comment 11 Chris Steipp 2013-09-24 20:28:53 UTC
Actually, that patch addresses the watchlist piece too, so this should be the full patch now. Niklas or Siebrand, could you verify that patch looks sane?

I'm also reviewing the extension as a whole, just to make sure we don't have any obvious, similar issues.
Comment 12 Dan Garry 2013-09-24 20:32:24 UTC
We've temporarily disabled the extension on Meta pending the security review mentioned by Chris above. I made a post about it here: https://meta.wikimedia.org/w/index.php?title=Meta:Babel&diff=prev&oldid=5829114
Comment 13 Teles 2013-09-24 20:56:55 UTC
Thanks.
Comment 14 Trijnstel 2013-09-24 20:57:41 UTC
(In reply to comment #5)
> The number of wikis using both CleanChanges and the long deprecated Oversight
> extension is probably just one: meta.

Meta hasn't been using the oversight extension for years.

@Dan: thanks for disabling it.
Comment 15 Chris Steipp 2013-09-27 00:29:19 UTC
Niklas / Siebrand, can one of you review the attached patch to ensure that is a good way to address the issue? Now that we have the extension disabled on the cluster, feel free to drop this in gerrit as well, if that will make review easier.
Comment 16 Niklas Laxström 2013-09-27 05:37:58 UTC
I had planned to have a look at the patch on Wed/Thu but have been working on sprint tasks.
Comment 17 Chris Steipp 2013-10-23 21:37:02 UTC
Niklas, were you ever able to review the attachment here? I'd like to include this update in the next security release and re-enable this extension.
Comment 18 Niklas Laxström 2013-10-24 11:45:51 UTC
Patch tested to work and not produce warnings.
Comment 19 Chris Steipp 2013-10-24 15:39:08 UTC
Thanks Niklas!
Comment 20 Dan Garry 2013-10-28 16:37:10 UTC
Thanks everyone. In light of the above, when can this be expected to be live on Meta-Wiki? It doesn't seem to be live as of now.
Comment 21 Siebrand Mazeland 2013-10-28 18:02:17 UTC
(In reply to comment #20)
> Thanks everyone. In light of the above, when can this be expected to be live
> on Meta-Wiki? It doesn't seem to be live as of now.

Looks to me like the patch first has to land in master. Given that this is not installed on Wikimedia, I think we can take it out of "Security" already? Chris?
Comment 22 Chris Steipp 2013-10-28 19:40:49 UTC
Do we have any external users? If so, it would be best to give them some warning. If not, we can just push it into master, then deploy from git on the cluster.
Comment 23 Siebrand Mazeland 2013-10-28 20:07:51 UTC
It's part of https://www.mediawiki.org/wiki/MLEB which has a monthly release that was today. Translatewiki.net uses it, which runs master of core and the extensions that it uses, usually updated daily or multiple times a day.

I'll leave the final decision on release procedure to you, but I think this is hanging around in Security for too long, especially since the extension is no longer deployed on Wikimedia wikis.
Comment 24 Dan Garry 2013-10-30 15:36:46 UTC
Let's just get this merged in and deployed ASAP. This has been sitting around too long.
Comment 25 Chris Steipp 2013-11-14 19:30:00 UTC
This was assigned CVE-2013-4569.
Comment 26 Thehelpfulone 2013-11-15 02:23:15 UTC
The content of attachment 13315 [details] has been deleted by Thehelpfulone <Thehelpfulonewiki@gmail.com>, who provided the following reason:

Contained private data (IP)

The token used to delete this attachment was generated at 2013-11-15 02:22:58 UTC.
Comment 27 Teles 2013-11-15 02:45:14 UTC
tks, THO