CVE-2023-29140: T327613 GrowthExperiments new impact module shows revdeleted edits
An issue was discovered in the GrowthExperiments extension for MediaWiki through 1.39.3. Attackers might be able to see edits for which the username has been hidden, because there is no check for rev_deleted.
Status: Closed, Resolved (Public, Security)
The impact module displays the article titles for a select few edits of the user (last, or most viewed). The old Impact module had a check for rev_deleted, but I forgot to add that when writing the equivalent code for the new module, so it might show edits for which the username has been hidden.
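To make the missing check concrete, the following Python model of the selection logic is an added example, not GrowthExperiments code: the DELETED_* values match MediaWiki's RevisionRecord constants, while the edit records and helper names are constructed for illustration.

```python
# rev_deleted bitfield values as defined by MediaWiki\Revision\RevisionRecord.
DELETED_TEXT = 1
DELETED_COMMENT = 2
DELETED_USER = 4        # the username of the revision has been hidden
DELETED_RESTRICTED = 8

# Constructed sample (not real data): one user's edits as the module would fetch
# them, each with its revision id, page title, rev_deleted bits and pageviews.
SAMPLE_EDITS = [
    {"rev_id": 101, "title": "Foo", "rev_deleted": 0, "views": 120},
    {"rev_id": 102, "title": "Bar", "rev_deleted": DELETED_USER, "views": 900},
    {"rev_id": 103, "title": "Baz", "rev_deleted": DELETED_TEXT, "views": 30},
    {"rev_id": 104, "title": "Qux",
     "rev_deleted": DELETED_USER | DELETED_RESTRICTED, "views": 10},
]


def username_hidden(rev):
    """True when the DELETED_USER bit is set, i.e. the edit must not be
    publicly attributed to the user. Other bits (text, comment) do not
    by themselves hide the attribution."""
    return bool(rev["rev_deleted"] & DELETED_USER)


def impact_titles_vulnerable(edits):
    """Behaviour the task describes: pick the last and most-viewed edit
    without consulting rev_deleted, so a username-hidden edit leaks."""
    last = max(edits, key=lambda r: r["rev_id"])
    most_viewed = max(edits, key=lambda r: r["views"])
    return {"last": last["title"], "most_viewed": most_viewed["title"]}


def impact_titles_fixed(edits):
    """Filter out username-hidden revisions before choosing, mirroring the
    check the old Impact module had; returns None entries if nothing is left."""
    visible = [r for r in edits if not username_hidden(r)]
    if not visible:
        return {"last": None, "most_viewed": None}
    last = max(visible, key=lambda r: r["rev_id"])
    most_viewed = max(visible, key=lambda r: r["views"])
    return {"last": last["title"], "most_viewed": most_viewed["title"]}


if __name__ == "__main__":
    print("vulnerable:", impact_titles_vulnerable(SAMPLE_EDITS))
    print("fixed:     ", impact_titles_fixed(SAMPLE_EDITS))
```

On the sample, the vulnerable path attributes both "Qux" and "Bar" (username-hidden) to the user, while the fixed path yields "Baz" and "Foo"; "Baz" remains visible because only its text, not its username, was revdeleted.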
Risk Rating: Low
Author Affiliation: WMF Product
Event Timeline
The patch was unfortunately published in Gerrit (pushed a new version of it to fix that).
CR+2, patch looks good to me and fixes the issue.
Ok, so the literal patch file appears to have been accidentally included with an unrelated change set? So this still needs a deploy, soon-ish, with your CR+2.
Indeed. Deployed (SAL):
16:50 <urbanecm> !log Deploy security patch for T327613
16:50 <+stashbot> Logged the message at https://wikitech.wikimedia.org/wiki/Server_Admin_Log
Ugh, sorry. I tracked this down to a setting in PhpStorm that I wasn’t aware of (When files are created / Add silently / Apply to files created outside PhpStorm).
Hey all - thanks for the quick response and deployment. Tracking this issue for the next supplemental security release at T325849, but this can be opened up and backported in gerrit any time now.
Removed /srv/patches/1.40.0-wmf.21/extensions/GrowthExperiments/01-T327613.patch just now.
Checked for revdeleted in betalabs - works as expected: if a revision is deleted, the Impact module would not display the stats for pageviews.