Last modified: 2012-12-09 05:03:27 UTC
Session IDs in the default MediaWiki authentication are not refreshed on login or logout. An attacker can use this to impersonate a user. https://www.owasp.org/index.php/Session_Management_Cheat_Sheet#Renew_the_Session_ID_After_Any_Privilege_Level_Change
Created attachment 11187 [details] SpecialUserlogin updated to refresh the user's session_id on each login
Well spotted, Chris. The patch looks good. Is there really a need for the bug to be private? This is just a method for turning a non-persistent vulnerability like XSS into a persistent one, right? If so, could it just be committed and deployed in the ordinary release cycle?
Where I think this is likely to get exploited is something like:
1) Someone finds an XSS (or .jar upload, or header splitting) on an obscure wikipedia.org domain, and uses it to set the cookie enwiki_session to a known value for the wikipedia.org domain. Or, especially in a class / cafe environment, the attacker can just set up the cookie on a shared machine, and then nicely allow the victim to use their computer.
2) Victim has the cookie set, then later visits en.wikipedia.org and logs in.
3) Since session_id isn't updated, the attacker can set their own session cookie to the known string, and impersonate the victim as soon as the victim logs in.
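A toy re-creation of the scenario above, added here as an illustration of why the fix works; this is not MediaWiki's code or the attached patch, and the store class, function names and the cookie value are assumptions.

```python
import secrets


class SessionStore:
    """Toy in-memory session store standing in for PHP sessions (assumption, not MediaWiki code)."""

    def __init__(self):
        self.sessions = {}  # session_id -> {"user": username or None}

    def get_or_create(self, sid):
        # A client presenting an unknown cookie value gets a session under that very id,
        # which is what allows a known id to be present in the victim's browser before login.
        if sid not in self.sessions:
            self.sessions[sid] = {"user": None}
        return sid

    def login(self, sid, username, renew_on_login):
        """Authenticate the holder of `sid`; returns the session id the client should use from now on."""
        self.get_or_create(sid)
        if not renew_on_login:
            # Vulnerable behaviour: the pre-login id is kept, so anyone else who knows it is logged in too.
            self.sessions[sid]["user"] = username
            return sid
        # Fix (the OWASP rule linked in the report): discard the old id and issue a fresh,
        # unguessable one that carries the authenticated state.
        del self.sessions[sid]
        new_sid = secrets.token_hex(16)
        self.sessions[new_sid] = {"user": username}
        return new_sid

    def logout(self, sid):
        # Same rule on logout: drop the authenticated id instead of only clearing the user field.
        self.sessions.pop(sid, None)
        return secrets.token_hex(16)

    def whoami(self, sid):
        return self.sessions.get(sid, {}).get("user")


def fixation_outcome(renew_on_login):
    """Replay the report's scenario: a known cookie value sits in the victim's browser before login.
    Returns the user the known id resolves to afterwards; None means the renewal held."""
    store = SessionStore()
    known_sid = "constructed-known-value"  # constructed stand-in for the enwiki_session cookie value
    store.get_or_create(known_sid)         # victim's browser now carries that cookie
    store.login(known_sid, "victim", renew_on_login)
    return store.whoami(known_sid)
```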
Using CVE-2012-5391 to track this
Deployed on the cluster Nov 15th
Merged Gerrit change #36079 links here, bug maybe resolved