CVE-2019-19709: T239466 Possible to circumvent title-blacklist (CVE-2019-19709)

MediaWiki through 1.33.1 allows attackers to bypass the Title_blacklist protection mechanism by starting with an arbitrary title, establishing a non-resolvable redirect for the associated page, and using redirect=1 in the action API when editing that page.

Event Timeline

Yes, that’s indeed the case. TitleBlacklist thinks the page being created is "w:Google.123.html", which doesn’t match the specific rule in question. Rules beginning with .*, like most on the current blacklist, do not seem able to be bypassed in this manner since the .* will match the spurious interwiki prefix.
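The matching behaviour described in the comment above, as an added example that is not part of the original task or of MediaWiki's code: a small audit that flags blacklist rules which block a title on its own but stop matching once the check sees it with a spurious interwiki prefix. The rules are constructed samples, and whole-title, case-insensitive matching is an assumption.

```python
import re

# Constructed sample rules for illustration (not taken from any real blacklist).
SAMPLE_RULES = [
    r"Google\.\d+\.html",    # implicitly anchored at the start of the title
    r".*Google\.\d+\.html",  # leading .* absorbs whatever comes first
    r".*\.html",
]


def rule_matches(rule, title):
    """Assumption: a rule must match the whole title, case-insensitively."""
    return re.fullmatch(rule, title, re.IGNORECASE | re.DOTALL) is not None


def classify(rule, real_title, prefix="w:"):
    """Compare the rule against the real title and the prefixed title.

    'prefix' stands for the spurious interwiki prefix from the comment.
    """
    blocks_real = rule_matches(rule, real_title)
    blocks_seen = rule_matches(rule, prefix + real_title)
    if blocks_real and not blocks_seen:
        return "start-anchored: misses prefixed title"
    if blocks_real and blocks_seen:
        return "still matches with prefix"
    return "does not apply to this title"


def audit(rules, real_title, prefix="w:"):
    """Return the rules that depend on the title starting at position 0."""
    return [r for r in rules
            if classify(r, real_title, prefix).startswith("start-anchored")]


if __name__ == "__main__":
    for rule in SAMPLE_RULES:
        print(f"{rule!r:28} {classify(rule, 'Google.123.html')}")
```
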

@sbassett: I’m backporting the fix for this to Wikimedia sites now. I’ll leave it to your team to backport the fix to 1.34 and earlier, if you feel that would be desirable.

@Anomie - sounds good, I can try to pick 554084 to each supported release branch and see how it goes. I might solicit some help if those are more complicated than what gerrit can handle. I’m going to make this task public now since the code is on master, wmf.5 and wmf.8 and has been deployed. This probably warrants a CVE as well.

Update: Picked to supported release branches and the bot updates are on the other bug (T239428). There was a minor conflict in includes/api/ApiEditPage.php for each of these, so I kept the old conditional instead of the newer ternary operator statement for now. Patches tested fine, they just need a +2, which I’ll do if nobody else does.

This was kind of a strange one in that it was technically a security issue that was incidentally fixed by a well-timed, separate public task/patch. @Reedy is tracking it for the next release in T233495, but it wasn’t “held” due to the aforementioned process oddities. I’ll still request a CVE and update this bug once I have it.

sbassett renamed this task from Possible to circumvent title-blacklist to Possible to circumvent title-blacklist (CVE-2019-19709). Dec 11 2019, 3:06 PM

At a quick glance, I don’t see any indication that the bug has ever not existed since the redirect parameter was added in MW 1.17. But I haven’t actually tested.
