Hello pmwiki community, this is an announcement of a new release of the UserAuth2 recipe, which mainly fixes two security-related bugs (and one handling bug).

Only pmwikis which had enabled and actually used cookie authentication were vulnerable, and only under certain circumstances (this applies to both bugs). Details can be found below. The bugs would have given an attacker the possibility to log in and appear as another user (including as wiki admin) on the wiki (bug 1), or to use an expired cookie authentication of another user (bug 2). Intrusion at the server level would not have resulted.

Upgrading the UserAuth2 recipe to version 2.1-beta4 will resolve the issues. Upgrading is definitely recommended if cookie authentication is enabled and

  echo mt_rand(1, 0xfffffffff) . "\n"; // more than 8 "f"s

results in a single value upon repeated calling on your system.

ThomasP

http://www.pmwiki.org/wiki/Cookbook/UserAuth2

----

Bug details:

1. (discovered by Olle [1]) The random numbers generated for creating the cookie key in UserSessionVars.php were observed to be non-random on some (but not all) systems. The cause is a number literal too large for the platform integer, which the float/int conversion turns into MAX_INT on some systems and into a negative number on others. The variation is due to the PHP spec leaving integer conversion of out-of-range values open [2], which is why the bug was not discovered during testing. The problem was solved by decreasing the max parameter in the mt_rand call.

2. The cookie key stored server-side in the user profile was not deleted upon logout. A wiki user using cookie authentication on a buggy or malicious browser (one which does not delete the cookie on its side upon receiving the respective server command) might have had his cookie authentication stolen and used after expiry.

3. (also by Olle) The user's response on the confirmation dialog for deleting a user in the admin tool was ignored, such that deletion would always occur, even if the user selected "No".
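As an added example (not code from the UserAuth2 recipe), the self-check suggested above written as a PHP function, next to a cookie-key generator that keeps the mt_rand() range within mt_getrandmax(), which is the shape of the fix in bug 1; the function names and sample count are assumptions of this example.

```php
<?php
// Added example, not code from the UserAuth2 recipe. Function names and the
// sample count are assumptions of this example.

// True when repeated calls to mt_rand(1, $max) produce more than one distinct
// value. Where $max overflows the platform integer and becomes negative,
// mt_rand() fails on every call (PHP 5/7 return false with a warning,
// PHP 8 throws a ValueError), so the "random" value is constant.
function mtRandLooksRandom($max, $samples = 50)
{
    $seen = array();
    for ($i = 0; $i < $samples; $i++) {
        try {
            $value = @mt_rand(1, $max);
        } catch (Throwable $e) {
            $value = null;
        }
        $seen[var_export($value, true)] = true;
    }
    return count($seen) > 1;
}

// Cookie key built from several mt_rand() draws, each bounded by
// mt_getrandmax() so the range argument cannot overflow on any platform.
// The draws are hashed so the key has a fixed length and no visible structure.
// (On PHP 7+, random_bytes() is the preferable primitive for such keys.)
function makeCookieKey($draws = 4)
{
    $parts = array();
    for ($i = 0; $i < $draws; $i++) {
        $parts[] = mt_rand(1, mt_getrandmax());
    }
    return sha1(implode(':', $parts) . ':' . microtime(true));
}

// The literal from the advisory: more than 8 "f"s.
if (!mtRandLooksRandom(0xfffffffff)) {
    echo "mt_rand(1, 0xfffffffff) is constant here: old UserAuth2 cookie keys were not random\n";
} else {
    echo "mt_rand() range check passed\n";
}
echo "sample key: " . makeCookieKey() . "\n";
```

Run it with the PHP CLI of the server hosting the wiki, since the behaviour depends on that build's integer width and conversion rules.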
----

Files updated:

cookbook/userauth2.php
cookbook/userauth2/UserSessionVars.php
cookbook/userauth2/userauth2-admintool.php

[1] http://pmichaud.com/pipermail/pmwiki-users/2008-November/052775.html
[2] http://de2.php.net/manual/de/language.types.integer.php

_______________________________________________
pmwiki-users mailing list
[email protected]
http://www.pmichaud.com/mailman/listinfo/pmwiki-users
