
Maybe "translation.override" should be locked
Open, Low, Public

Description

Currently, the translation.override config setting is web-editable.

We generally lock settings so they can't be edited from the web UI if an attacker who compromised an administrator account could use the setting to escalate access.

It's not immediately clear to me exactly how an attacker would use this setting to escalate access, but since you can replace any string in the UI, it doesn't seem like a huge stretch to imagine you can do something with it. Maybe rename the "All Users" policy to "No One", or replace "Test Plan" with "type ur password in this box ➔ ➔".

A lot of this is probably in the general realm of social engineering and not really a threat, but maybe worth thinking about attacks here and locking it if we can come up with anything good.

Event Timeline

epriestley created this task.

One attack is that you can override the content of email and then send invite or welcome mail that says whatever you want, whether the victim has a Phabricator account (welcome) or not (invite).

This attack email lets you send email from Phabricator, and send email to Phabricator users without direct knowledge of their email addresses.

But it's not magic: the other 99% of the attack is still just social engineering. A somewhat-similar "attack" is already possible where you send invite email, don't replace the text, and just add your attack content as the welcome message, so users get email like this:

Welcome to Phabricator! alice has created an account for you.

type ur password in this box ➔ ➔ http://evil.com/password-stealer.html

To login, follow this link: ...

We reject these reports on HackerOne as uncompelling, since it's difficult to imagine a victim would actually fall for this.

A similar attack is to just create a wiki page called "Important IRS Notice" with content like:

Important IRS Notice
This is an official notice from the IRS. You will be executed by the government if you do not follow these instructions.

type ur password in this box ➔ ➔ http://evil.com/password-stealer.html

Using translation.override is definitely a little better than these attacks, but it doesn't feel like a significantly different class of attack to me.
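As an added illustration of the two points in this thread (a web-locked setting and what a tampered translation.override looks like), the following is example code written for this page, not Phabricator's own. It assumes translation.override is a map from original UI string to replacement string, and the locked-key set and sample override values are constructed for the example.

```python
import re
from urllib.parse import urlparse

# Constructed sample in the shape of a translation.override map
# (original UI string -> replacement); the values are made up for this example.
SAMPLE_OVERRIDE = {
    "All Users": "No One",
    "Test Plan": "type ur password in this box \u2794 \u2794 http://evil.example/password-stealer.html",
    "Welcome to Phabricator!": "Welcome to Phabricator!",
}

# Hypothetical policy set: keys an administrator session may not change from the web UI.
WEB_LOCKED_KEYS = {"translation.override"}

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def is_web_editable(key, locked=WEB_LOCKED_KEYS):
    """True if the web UI may change this key; locked keys are CLI-only."""
    return key not in locked


def web_edit(config, key, value, locked=WEB_LOCKED_KEYS):
    """Apply an edit arriving from the web UI, refusing locked keys."""
    if not is_web_editable(key, locked):
        raise PermissionError(f"{key} is locked; it can only be changed from the CLI")
    config[key] = value
    return config


def new_urls(original, override):
    """URLs that the override introduces and the original string did not contain."""
    return sorted(set(URL_RE.findall(override)) - set(URL_RE.findall(original)))


def audit_overrides(overrides, allowed_hosts=()):
    """Review every override that rewrites a UI string.

    Returns (original, kind, detail) tuples; kind is 'introduces-url' when the
    replacement smuggles in a link to a host outside allowed_hosts, else 'changed'.
    """
    findings = []
    for original, override in overrides.items():
        if override == original:
            continue  # no-op override, nothing to review
        urls = [u for u in new_urls(original, override)
                if urlparse(u).hostname not in allowed_hosts]
        if urls:
            findings.append((original, "introduces-url", urls))
        else:
            findings.append((original, "changed", override))
    return findings
```

Running audit_overrides over a real install's current override map is a cheap periodic check that complements locking the key.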