CVE-2019-19709: T239466 Possible to circumvent title-blacklist (CVE-2019-19709)
MediaWiki through 1.33.1 allows attackers to bypass the Title_blacklist protection mechanism by starting with an arbitrary title, establishing a non-resolvable redirect for the associated page, and using redirect=1 in the action API when editing that page.
Yes, that’s indeed the case. TitleBlacklist thinks the page being created is "w:Google.123.html", which doesn’t match the specific rule in question. Rules beginning with .*, like most on the current blacklist, do not seem able to be bypassed in this manner since the .* will match the spurious interwiki prefix.
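An added illustration of the checking discrepancy described above (this is example code, not MediaWiki's code and not the 554084 fix): the flawed path hands the raw, unresolvable redirect target text to the blacklist, so an anchored rule misses the spurious interwiki prefix while a rule beginning with `.*` still catches it; the hardened path refuses to follow a redirect whose target is not a local title. The rule set, interwiki prefixes and redirect table are constructed, and full-match rule semantics plus the "refuse unresolvable targets" policy are assumptions.

```python
import re

# Constructed blacklist in the TitleBlacklist style. Assumption: each rule is
# a regex that must match the whole title, so a rule without a leading .* is
# effectively anchored at the start.
BLACKLIST_RULES = [
    r"Google\..*",        # anchored: misses a title carrying a spurious prefix
    r".*[Ss]pamlink.*",   # leading .*: swallows the prefix as well
]

# Constructed interwiki prefixes of this hypothetical wiki.
INTERWIKI_PREFIXES = {"w", "wikt"}

# Constructed redirect table: page title -> raw redirect target text.
REDIRECTS = {
    "Harmless_start": "w:Google.123.html",   # interwiki target: not local
    "Other_start": "w:Spamlink.html",
    "Plain_start": "Local_page",             # ordinary local redirect
}


def blacklist_hits(title: str) -> list[str]:
    """Rules that forbid the given title text (full-match semantics)."""
    return [r for r in BLACKLIST_RULES if re.fullmatch(r, title)]


def is_local_title(target: str) -> bool:
    """A target with an interwiki prefix does not resolve to a local page."""
    prefix, sep, _ = target.partition(":")
    return not (sep and prefix.strip().lower() in INTERWIKI_PREFIXES)


def checked_title_vulnerable(title: str, follow_redirect: bool) -> str:
    # Flawed behaviour: with redirect=1 the raw target text is what the
    # blacklist sees, whether or not it names a local page.
    if follow_redirect and title in REDIRECTS:
        return REDIRECTS[title]
    return title


def checked_title_hardened(title: str, follow_redirect: bool) -> str:
    # Follow the redirect only when the target is a local title; an
    # unresolvable target is refused rather than handed to the blacklist.
    if follow_redirect and title in REDIRECTS:
        target = REDIRECTS[title]
        if not is_local_title(target):
            raise ValueError(f"redirect target {target!r} is not resolvable")
        return target
    return title
```

Running `blacklist_hits(checked_title_vulnerable("Harmless_start", True))` returns no hits although the same rule forbids `Google.123.html` directly, while `checked_title_hardened` raises on that redirect instead of consulting the blacklist with the prefixed text.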
@sbassett: I’m backporting the fix for this to Wikimedia sites now. I’ll leave it to your team to backport the fix to 1.34 and earlier, if you feel that would be desirable.
@Anomie - sounds good, I can try to pick 554084 to each supported release branch and see how it goes. I might solicit some help if those are more complicated than what gerrit can handle. I’m going to make this task public now since the code is on master, wmf.5 and wmf.8 and has been deployed. This probably warrants a CVE as well.
Update: Picked to supported release branches and the bot updates are on the other bug (T239428). There was a minor conflict in includes/api/ApiEditPage.php for each of these, so I kept the old conditional instead of the newer ternary operator statement for now. Patches tested fine; they just need a +2, which I’ll do if nobody else does.
This was kind of a strange one in that it was technically a security issue that was incidentally fixed by a well-timed, separate public task/patch. @Reedy is tracking it for the next release in T233495, but it wasn’t “held” due to the aforementioned process oddities. I’ll still request a CVE and update this bug once I have it.
sbassett renamed this task from "Possible to circumvent title-blacklist" to "Possible to circumvent title-blacklist (CVE-2019-19709)". Dec 11 2019, 3:06 PM
At a quick glance, I don’t see any indication that the bug has ever not existed since the redirect parameter was added in MW 1.17. But I haven’t actually tested.