Last modified: 2013-09-05 17:02:07 UTC
I was testing change 76829, and I noticed that the JS check was firing on Special:UserLogout and logging me right back in. I investigated to see why, and discovered two bugs that individually seem like nothing to worry about, but combined allow someone to log in on any SUL wiki except loginwiki as any attached SUL user without having to supply a password.

#1 is that CentralAuthHooks::onUserLoadFromSession leaves a valid CentralAuthUser object for the user named in the centralauth_User cookie cached on the User object, even when the centralauth_Token doesn't match.

#2 is that Special:CentralAutoLogin assumes that CentralAuthUser::getInstance doesn't return a valid CentralAuthUser when the User isn't logged in. Which would normally be the case, except for bug #1.

Fixing either bug prevents the security hole. I'll attach a patch momentarily to fix both of them.
Created attachment 13033
Patch to fix both bugs

Created attachment 13038
Patch to fix both bugs

Add another small fix requested by Chris.
Fix deployed (along with an unrelated change)

22:14 logmsgbot: csteipp synchronized php-1.22wmf12/extensions/CentralAuth 'eventlogging patch'

We'll release publicly as part of the next security release.
This was assigned CVE-2013-4304.
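
The interaction between the two bugs in the report above, as a simplified model added here (not CentralAuth's code and not the attached patch). Class and function names are hypothetical and the token and cookie values are constructed; only the two cookie names come from the report. It shows that applying either fix alone keeps an unverified cached identity from reaching the auto-login step.

```python
import hmac

# Constructed sample data: one central account's token and two cookie sets.
CENTRAL_TOKENS = {"Alice": "tok-alice-7f3a"}
MISMATCH = {"centralauth_User": "Alice", "centralauth_Token": "not-the-token"}
VALID = {"centralauth_User": "Alice", "centralauth_Token": "tok-alice-7f3a"}

class CentralUser:
    """Hypothetical stand-in for a central (SUL) account record."""
    def __init__(self, name):
        self.name = name
        self.attached = name in CENTRAL_TOKENS

    def token_matches(self, token):
        expected = CENTRAL_TOKENS.get(self.name, "")
        return hmac.compare_digest(expected.encode(), token.encode())

class LocalUser:
    """Hypothetical local user with a per-request central-account cache."""
    def __init__(self):
        self.logged_in = False
        self.central_cache = None

def load_from_session(user, cookies, fix1):
    """Session hook. Bug #1: the cache stays populated on a token mismatch."""
    central = CentralUser(cookies.get("centralauth_User", ""))
    user.central_cache = central  # cached before the token is verified
    token = cookies.get("centralauth_Token", "")
    if central.attached and central.token_matches(token):
        user.logged_in = True
    elif fix1:
        user.central_cache = None  # fix #1: discard the unverified identity
    return user

def auto_login_identity(user, fix2):
    """Auto-login step. Bug #2: trusts the cache without checking login state."""
    if fix2 and not user.logged_in:
        return None  # fix #2: only a verified session may be propagated
    central = user.central_cache
    return central.name if central and central.attached else None

def scenario(cookies, fix1, fix2):
    """Return the account the auto-login step would act as, or None."""
    user = load_from_session(LocalUser(), cookies, fix1)
    return auto_login_identity(user, fix2)

if __name__ == "__main__":
    for f1, f2 in [(False, False), (True, False), (False, True)]:
        print(f1, f2, scenario(MISMATCH, f1, f2))
```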