CVE-2023-45363: T333050 RequestTimeoutException when querying pages redirected to other variants with redirects and converttitles set

An issue was discovered in ApiPageSet.php in MediaWiki before 1.35.12, 1.36.x through 1.39.x before 1.39.5, and 1.40.x before 1.40.1. It allows attackers to cause a denial of service (unbounded loop and RequestTimeoutException) when querying pages redirected to other variants with redirects and converttitles set.
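The failure mode in this description, as a minimal model added here for illustration; it is not MediaWiki's ApiPageSet code and not the actual patch. The mappings are constructed from the two titles in the task's reproduction steps, and all function names, the `max_steps` limit and the seen-set guard are assumptions of this sketch.

```python
# Illustrative model; not MediaWiki's ApiPageSet code and not the actual patch.
# Constructed mappings that mirror the two titles in the report.
CONVERSIONS = {"User:Xiplus/注销": "User:Xiplus/註銷"}  # converttitles step
REDIRECTS = {"User:Xiplus/註銷": "User:Xiplus/注销"}    # redirects step


class ResolutionLimitExceeded(Exception):
    """Stands in for RequestTimeoutException in this model."""


def next_hop(title, redirects, converttitles):
    """Return (kind, target) for the next mapping that applies, else None."""
    if converttitles and title in CONVERSIONS:
        return "converted", CONVERSIONS[title]
    if redirects and title in REDIRECTS:
        return "redirects", REDIRECTS[title]
    return None


def resolve_naive(title, redirects=True, converttitles=True, max_steps=1000):
    """Follow mappings until none applies; max_steps models the time limit."""
    steps = 0
    while (hop := next_hop(title, redirects, converttitles)) is not None:
        if steps >= max_steps:
            raise ResolutionLimitExceeded(f"still resolving after {steps} hops")
        title = hop[1]
        steps += 1
    return title, steps


def resolve_guarded(title, redirects=True, converttitles=True):
    """Same walk, but stop as soon as a hop leads back to a title already seen."""
    seen = {title}
    result = {"converted": [], "redirects": []}
    while (hop := next_hop(title, redirects, converttitles)) is not None:
        kind, target = hop
        result[kind].append({"from": title, "to": target})
        if target in seen:
            break  # cycle closed: report the hop once and finish
        seen.add(target)
        title = target
    return result
```

With either option alone the naive walk terminates after at most one hop; with both set, the conversion and the redirect feed each other and only the step limit ends the walk.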


Closed, Resolved · Public · Security


Steps to replicate the issue (include links if applicable):

  • https://zh.wikipedia.org/wiki/User:Xiplus/註銷 (zh-hant) redirects to [[User:Xiplus/注销]] (zh-hans)

What happens?:
Query the page with redirects=1&converttitles=1
https://zh.wikipedia.org/w/api.php?action=query&format=jsonfm&titles=User:Xiplus/注销&redirects=1&converttitles=1&formatversion=2 gives

{ "error": { "code": "internal_api_error_Wikimedia\\RequestTimeout\\RequestTimeoutException", "info": "[29504362-a016-4bc3-a4d6-5e095abc99ba] Caught exception of type Wikimedia\\RequestTimeout\\RequestTimeoutException", "errorclass": "Wikimedia\\RequestTimeout\\RequestTimeoutException" }, "servedby": "mw2321" }

https://zh.wikipedia.org/w/api.php?action=query&format=jsonfm&titles=User:Xiplus/註銷&redirects=1&converttitles=1&formatversion=2 gives

{ "error": { "code": "internal_api_error_Wikimedia\\RequestTimeout\\RequestTimeoutException", "info": "[6ba7b057-19b8-4d6d-87ce-d1d911c95dd7] Caught exception of type Wikimedia\\RequestTimeout\\RequestTimeoutException", "errorclass": "Wikimedia\\RequestTimeout\\RequestTimeoutException" }, "servedby": "mw2296" }

Note: It works when only a single option is used.
https://zh.wikipedia.org/w/api.php?action=query&format=jsonfm&titles=User:Xiplus/註銷&converttitles=1&formatversion=2

{ "batchcomplete": true, "query": { "pages": [ { "pageid": 8322422, "ns": 2, "title": "User:Xiplus/註銷" } ] } }

https://zh.wikipedia.org/w/api.php?action=query&format=jsonfm&titles=User:Xiplus/註銷&redirects=1&formatversion=2

{ "batchcomplete": true, "query": { "redirects": [ { "from": "User:Xiplus/註銷", "to": "User:Xiplus/注销" } ], "pages": [ { "ns": 2, "title": "User:Xiplus/注销", "missing": true } ] } }

Software version (skip for WMF-hosted wikis like Wikipedia):
1.41.0-wmf.1 (4de0415)

Risk Rating

Medium

Author Affiliation

Wikimedia Communities


Event Timeline

taavi set Security to Software security bug. Mar 25 2023, 3:03 PM

taavi changed the visibility from "Public (No Login Required)" to "Custom Policy".

taavi changed the subtype of this task from "Bug Report" to "Security Issue".


This is a DOS vector.


(@Mstyles asked for someone to review the patch and I volunteered)

I recreated the scenario on a test wiki with the patch applied: https://patchdemo.wmflabs.org/wikis/f18e1e5ec5/wiki/User:Xiplus/註銷
…and a test wiki without the patch, for comparison: https://patchdemo.wmflabs.org/wikis/7f7146e7ca/wiki/User:Xiplus/註銷

The API doesn’t time out, and the responses look correct to me, in both of the cases with '&redirects=1&converttitles=1'. It’s a bit weird that the response is exactly the same in both cases, regardless of the order in which the redirect and the conversion happens, but I don’t think there’s any way to represent that in the output format we have.

{ "batchcomplete": true, "query": { "converted": [ { "from": "User:Xiplus/注销", "to": "User:Xiplus/註銷" } ], "redirects": [ { "from": "User:Xiplus/註銷", "to": "User:Xiplus/注销" } ] } }

The API responses in cases with just one or none of the parameters are the same as before:

I’m not really an expert in this area of the code, but I’m not sure if we have one, and this makes me sufficiently confident that this is the right fix.

Thank you for the bug report and the patch, @Xiplus!


The security team would like to make this ticket public, is there any information on this ticket that should not be public? We don’t see anything, but want to check.

sbassett changed Author Affiliation from N/A to Wikimedia Communities. May 2 2023, 3:08 PM

sbassett changed Risk Rating from N/A to Medium.

Reedy added a parent task: Restricted Task. Wed, Sep 27, 1:19 PM
