Last modified: 2013-04-22 16:15:51 UTC

Wikimedia Bugzilla is closed!

Wikimedia migrated from Bugzilla to Phabricator. Bug reports are handled in Wikimedia Phabricator.
This static website is read-only and for historical purposes. It is not possible to log in and except for displaying bug reports and their history, links might be broken. See T42962, the corresponding Phabricator task for complete and up-to-date bug report information.
Bug 40962 - CentralAuth Session Fixation
Status: RESOLVED FIXED
Product: MediaWiki extensions
Classification: Unclassified
Component: CentralAuth
Version: unspecified
Hardware: All All
Importance: Unprioritized normal
Target Milestone: MW 1.21 version
Assigned To: Nobody - You can work on this!
Reported: 2012-10-11 16:04 UTC by Chris Steipp
Modified: 2013-04-22 16:15 UTC (History)

Attachments
Generate new Session ID for CentralAuth on login (2.34 KB, patch)
2012-11-13 23:32 UTC, Chris Steipp

Description Chris Steipp 2012-10-11 16:04:03 UTC
CentralAuth is vulnerable to Session Fixation attacks [0]. It uses the existing session id from a browser's cookie when setting up the CentralAuth session, without resetting the value.

[0] - https://www.owasp.org/index.php/Session_fixation

If an attacker can set a cookie with the name 'centralauth_Session' with a known value on a victim's browser and the victim later logs in, the attacker can impersonate the victim by using the CentralAuth session id with the chosen value.
Comment 1 Chris Steipp 2012-10-19 00:47:59 UTC
Attachment on bug 40747 (http://bug-attachment.wikimedia.org/attachment.cgi?id=11200) fixes this
Comment 2 Chris Steipp 2012-10-25 22:02:11 UTC
Using CVE-2012-5395 to track this
Comment 3 Chris Steipp 2012-11-13 23:32:16 UTC
Created attachment 11353
Generate new Session ID for CentralAuth on login
Comment 4 Tim Starling 2012-11-14 22:02:27 UTC
The patch looks good.
Comment 5 db [inactive,noenotif] 2012-12-01 09:46:28 UTC
Merged Gerrit change #36094 links here, bug maybe resolved
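
The behaviour from the description and the fix named by the attachment title ("Generate new Session ID for CentralAuth on login"), modelled as an added example; this is not CentralAuth code or the attached patch. `SessionStore`, both login functions and the planted value are hypothetical names constructed for illustration; only the cookie name comes from the report.

```python
import secrets

COOKIE = "centralauth_Session"  # cookie name taken from the bug report


class SessionStore:
    """Constructed in-memory stand-in for a server-side session backend."""

    def __init__(self):
        self.data = {}

    def user_for(self, sid):
        return self.data.get(sid, {}).get("user")


def login_reusing_id(store, cookies, user):
    """Reported behaviour: keep whatever session ID the browser sent."""
    sid = cookies.get(COOKIE) or secrets.token_hex(16)
    store.data.setdefault(sid, {})["user"] = user
    cookies[COOKIE] = sid
    return sid


def login_regenerating_id(store, cookies, user):
    """Hardened behaviour: drop the pre-login ID, issue a fresh random one."""
    store.data.pop(cookies.get(COOKIE), None)  # old ID stops resolving
    sid = secrets.token_hex(16)
    store.data[sid] = {"user": user}
    cookies[COOKIE] = sid
    return sid


def fixation_outcome(login):
    """Return the user a pre-set session ID resolves to after login."""
    store = SessionStore()
    planted = "known-value-0000"        # constructed sample value
    victim_cookies = {COOKIE: planted}  # cookie present before login
    login(store, victim_cookies, "victim")
    return store.user_for(planted)


if __name__ == "__main__":
    print("reuse id:     ", fixation_outcome(login_reusing_id))
    print("regenerate id:", fixation_outcome(login_regenerating_id))
```

A regression test for this class of bug can assert the same property against the real login path: the session ID after authentication differs from the one presented before it, and the old ID no longer resolves to a user.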
