Last modified: 2012-12-09 05:03:27 UTC

Wikimedia Bugzilla is closed!

Wikimedia migrated from Bugzilla to Phabricator. Bug reports are handled in Wikimedia Phabricator.
This static website is read-only and for historical purposes. It is not possible to log in, and apart from displaying bug reports and their history, links might be broken. See T42995, the corresponding Phabricator task, for complete and up-to-date bug report information.
Bug 40995 - Generic Session Fixation
Status: RESOLVED FIXED
Product: MediaWiki
Classification: Unclassified
Component: User login and signup
Version: 1.20.x
Hardware: All
OS: All
Priority: Unprioritized
Severity: normal
Target Milestone: 1.20.x release
Assigned To: Chris Steipp
Depends on:
Blocks:
Reported: 2012-10-12 23:50 UTC by Chris Steipp
Modified: 2012-12-09 05:03 UTC (History)
CC: 7 users

See Also:
Web browser: ---
Mobile Platform: ---
Assignee Huggle Beta Tester: ---


Attachments
SpecialUserlogin updated to refresh the user's session_id on each login (2.92 KB, patch)
2012-10-12 23:56 UTC, Chris Steipp

Description Chris Steipp 2012-10-12 23:50:30 UTC
Session IDs in the default MediaWiki authentication are not refreshed on login or logout. An attacker can use this to impersonate a user.

https://www.owasp.org/index.php/Session_Management_Cheat_Sheet#Renew_the_Session_ID_After_Any_Privilege_Level_Change
Comment 1 Chris Steipp 2012-10-12 23:56:34 UTC
Created attachment 11187
SpecialUserlogin updated to refresh the user's session_id on each login
Comment 2 Tim Starling 2012-10-15 03:49:07 UTC
Well spotted, Chris. The patch looks good.

Is there really a need for the bug to be private? This is just a method for turning a non-persistent vulnerability like XSS into a persistent one, right? If so, could it just be committed and deployed in the ordinary release cycle?
Comment 3 Chris Steipp 2012-10-15 13:36:21 UTC
Where I think this is likely to get exploited is something like:

1) Someone finds an XSS (or .jar upload, or header splitting) on an obscure wikipedia.org domain, and uses it to set the cookie enwiki_session to a known value for the wikipedia.org domain. Or, especially in a class / cafe environment, the attacker can just set up the cookie on a shared machine, and then nicely allow the victim to use their computer.

2) Victim has the cookie set, then later visits en.wikipedia.org and logs in

3) Since session_id isn't updated, the attacker can set their own session cookie to the known string, and impersonate the victim as soon as the victim logs in.
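The mitigation in the attached patch (issue a fresh session id at login and logout) modelled on a toy in-memory session store, as an added example that is not MediaWiki's code; the store, the `login_*` method names and the planted cookie value are all constructed for the example. `fixation_outcome` shows what a session id planted before login resolves to with and without rotation.

```python
import secrets


class SessionStore:
    """In-memory stand-in for a server-side session table (constructed for this example)."""

    def __init__(self):
        self.sessions = {}  # session id -> {"user": name or None}

    def new_id(self):
        """Mint an unguessable id and register an anonymous session for it."""
        sid = secrets.token_hex(16)
        self.sessions[sid] = {"user": None}
        return sid

    def adopt(self, sid):
        """Accept a client-supplied id (e.g. from a cookie) as-is; this is what
        makes a value planted in the victim's cookie live on the server."""
        self.sessions.setdefault(sid, {"user": None})
        return sid

    def login_without_rotation(self, sid, user):
        """Pre-fix behaviour: the id stays the same across the privilege change."""
        self.adopt(sid)
        self.sessions[sid]["user"] = user
        return sid

    def login_with_rotation(self, sid, user):
        """Patched behaviour: retire the presented id and bind the login to a fresh one."""
        self.sessions.pop(sid, None)  # drop the old id whether or not the server knew it
        new_sid = self.new_id()
        self.sessions[new_sid]["user"] = user
        return new_sid

    def logout(self, sid):
        """Rotate on logout too, so the id that carried the login stops working."""
        self.sessions.pop(sid, None)
        return self.new_id()

    def user_for(self, sid):
        """Resolve an id to the user it is bound to (None if anonymous or unknown)."""
        return self.sessions.get(sid, {}).get("user")


def fixation_outcome(rotate_on_login):
    """Who does an id planted before login resolve to once the victim logs in?
    Returns (user seen via the planted id, user seen via the id the victim ends up with)."""
    store = SessionStore()
    planted = "00112233445566778899aabbccddeeff"  # constructed: value already in the victim's cookie
    login = store.login_with_rotation if rotate_on_login else store.login_without_rotation
    victim_sid = login(planted, "victim")
    return store.user_for(planted), store.user_for(victim_sid)
```

Without rotation the planted id resolves to the victim after login; with rotation it resolves to nothing and only the freshly minted id carries the login.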
Comment 4 Chris Steipp 2012-10-25 21:59:06 UTC
Using CVE-2012-5391 to track this
Comment 5 Chris Steipp 2012-11-20 23:44:32 UTC
Deployed on the cluster Nov 15th
Comment 6 db [inactive,noenotif] 2012-12-01 09:47:42 UTC
Merged Gerrit change #36079 links here, bug maybe resolved
