CVE-2023-22945: T321733 action=growthmanagementorlist makes it possible for blocked users to enroll as mentors
In the GrowthExperiments extension for MediaWiki through 1.39, the growthmanagementorlist API (implemented by ApiManageMentorList) does not check whether the calling user is blocked, so blocked users can enroll as mentors or edit any of their mentorship-related properties.
Earlier today, the Growth team deployed the structured mentor list to all Wikimedia wikis. This switched the mentor list from a wikitext page to MediaWiki:GrowthMentors.json, edited by mentors (non-admins) via special pages and the action=growthmanagementorlist API.
While we did test how blocks interact with the new feature, we only tested the user interface, not the API. Today, I noticed that while the special pages do ensure the user is not blocked, the API (action=growthmanagementorlist) does not. This means blocked users are able to enroll as mentors via action=growthmanagementorlist, or to edit any of their mentorship-related properties.
Successfully reproduced at test.wikipedia.org. I’ll suppress the edits and block entries for security.
Author Affiliation
WMF Product
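The report above describes a write API module that skips the block check its special-page counterpart performs. The module below is an added example of what that check looks like in a MediaWiki 1.39-era API module; it is not GrowthExperiments code and not the security patch. The namespace, class and parameter names and the layout of the JSON page are assumptions made for illustration.

```php
<?php
// Added example, not the GrowthExperiments code or its security patch.
// A minimal write API module that enrols the calling user as a mentor in
// MediaWiki:GrowthMentors.json. The block check is the one the report says
// the special pages had and action=growthmanagementorlist lacked.
// Namespace, class/parameter names and JSON layout are assumptions.

namespace ExampleExtension\Api;

use ApiBase;
use ContentHandler;
use FormatJson;
use MediaWiki\MediaWikiServices;
use Title;
use Wikimedia\ParamValidator\ParamValidator;

class ApiEnrollMentorExample extends ApiBase {

	public function execute() {
		$user = $this->getUser();

		if ( !$user->isRegistered() ) {
			$this->dieWithError( 'apierror-mustbeloggedin-generic' );
		}

		// This is the missing check. Nothing further down consults the block
		// table: WikiPage::doUserEditContent() performs no permission checks,
		// so a blocked user who reaches the write simply succeeds.
		$block = $user->getBlock();
		if ( $block ) {
			// Emits the standard "blocked" API error with the block details.
			$this->dieBlocked( $block );
		}

		$params = $this->extractRequestParams();
		$title = Title::makeTitle( NS_MEDIAWIKI, 'GrowthMentors.json' );
		$page = MediaWikiServices::getInstance()->getWikiPageFactory()->newFromTitle( $title );

		$content = $page->getContent();
		$data = $content ? json_decode( $content->getText(), true ) : null;
		if ( !is_array( $data ) ) {
			$data = [ 'Mentors' => [] ];
		}
		// Keyed by user ID so a rename does not orphan the entry (assumed layout).
		$data['Mentors'][$user->getId()] = [
			'username' => $user->getName(),
			'message' => $params['message'],
			'weight' => $params['weight'],
		];

		// Flags 0: works whether or not the page already exists.
		$status = $page->doUserEditContent(
			ContentHandler::makeContent( FormatJson::encode( $data, true ), $title, CONTENT_MODEL_JSON ),
			$user,
			$params['summary'],
			0
		);
		if ( !$status->isOK() ) {
			$this->dieStatus( $status );
		}
		$this->getResult()->addValue( null, $this->getModuleName(), [ 'result' => 'success' ] );
	}

	public function getAllowedParams() {
		return [
			'message' => [ ParamValidator::PARAM_TYPE => 'string', ParamValidator::PARAM_REQUIRED => true ],
			'weight' => [ ParamValidator::PARAM_TYPE => 'integer', ParamValidator::PARAM_DEFAULT => 2 ],
			'summary' => [ ParamValidator::PARAM_TYPE => 'string', ParamValidator::PARAM_DEFAULT => '' ],
		];
	}

	// A state-changing module must be POSTed with a CSRF token; ApiMain
	// enforces these three before execute() runs, but not block status.
	public function needsToken() { return 'csrf'; }
	public function isWriteMode() { return true; }
	public function mustBePosted() { return true; }
}
```

Two points worth noting. First, the JSON page lives in the MediaWiki: namespace, which non-admins cannot normally edit, so the feature itself has to decide who may write it; core's edit-permission and block checks are not on this code path, which is why the module must call getBlock() explicitly. Second, the example rejects any block, partial or sitewide, to match the report's wording that the special pages "ensure the user is not blocked"; a module that should only stop sitewide blocks would test $block->isSitewide() as well. A PHPUnit regression test of the kind the comments below ask for would call the module as a blocked user and assert that the request fails with the blocked error code.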
Event Timeline
This is a fairly serious vulnerability: blocked users (including long-term abusers) with at least 500 edits can become mentors and harm the mentorship system.
Urbanecm_WMF lowered the priority of this task from Unbreak Now! to High. Oct 26 2022, 8:48 PM
Deployed to production, lowering to High since this does not impact production anymore.
22:42 <urbanecm> !log Deploying security patch for T321733
22:42 <+stashbot> Logged the message at https://wikitech.wikimedia.org/wiki/Server_Admin_Log
Sorry for missing this in code review.
As a follow-up, I think adding a regression test (PHPUnit integration test) would be good.
> Sorry for missing this in code review.

No worries!

> As a follow-up, I think adding a regression test (PHPUnit integration test) would be good.

Yes, for sure (as well as reviewing other APIs for potential similar issues). I didn't want to clutter the security patch with a test; that can be done in Gerrit once this task is public.
FTR, the affected feature is not actually a part of any release (1.39 is yet to be released) yet.