[Bug 25793] Security problem: API allows to hijack sessionid

2010-11-05 Thread bugzilla-daemon
https://bugzilla.wikimedia.org/show_bug.cgi?id=25793

--- Comment #6 from Roan Kattouw  2010-11-05 12:21:44 UTC ---
(In reply to comment #5)
> This cookie is httponly so using document.cookie won't allow you to get it.
You're right about that, my mistake.

> The API call makes it possible.
Yes, but it doesn't matter much, see below.

> CSRF allows evil admin to run unprotected actions - such actions should be
> fixed (by requiring a token, for example).
Yes, and we do require tokens. Tokens prevent CROSS-site scripting, but they
can't protect against SAME-site scripting. Once the attacker has JS running on
the same site, they can edit as you, create/move/delete pages at you, etc.,
etc., and we can't protect against that. So in practice, they've already taken
over your account, and they can take it over for real by changing your e-mail
address, using the "I forgot my password" feature to reset the password, then
logging you out.

> The bug mentioned here allows you not only to run unprotected actions but to
> take over the whole account, and fixing it sounds reasonable.
Stealing someone's cookies does allow you to take over their account, but once
you're running JS from the same domain you can already do the same thing
without needing the cookie data.

-- 
Configure bugmail: https://bugzilla.wikimedia.org/userprefs.cgi?tab=email
--- You are receiving this mail because: ---
You are on the CC list for the bug.

___
Wikibugs-l mailing list
Wikibugs-l@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/wikibugs-l


--- Comment #5 from Marooned  2010-11-05 12:08:27 UTC ---
This cookie is httponly so using document.cookie won't allow you to get it. The
API call makes it possible.
CSRF allows evil admin to run unprotected actions - such actions should be
fixed (by requiring a token, for example).

The bug mentioned here allows you not only to run unprotected actions but to
take over the whole account, and fixing it sounds reasonable.



Roan Kattouw  changed:

   What       |Removed |Added
   CC         |        |tstarl...@wikimedia.org

--- Comment #4 from Roan Kattouw  2010-11-05 11:58:36 UTC ---
CC Tim Starling, want him to look at this in case I'm missing something.



Roan Kattouw  changed:

   What       |Removed |Added
   Resolution |FIXED   |INVALID

--- Comment #3 from Roan Kattouw  2010-11-05 11:57:33 UTC ---
Hmm, on second thought, this isn't a security issue at all. Reverted r76077 in
r76080.

The only way an attacker can read the echoed session ID is if they can request
it using JS running on the same domain (evil admin scenario, like you said).
Cross-domain, it won't work. And if the attacker can run JS on the same domain,
they can do much worse things already (e.g. bypass the CSRF safeguards and edit
things as you), most notably access our cookies directly without needing the
API to echo them back at them.



--- Comment #2 from Roan Kattouw  2010-11-05 11:44:50 UTC ---
And thanks for reporting this!



Roan Kattouw  changed:

   What       |Removed |Added
   Status     |NEW     |RESOLVED
   CC         |        |roan.katt...@gmail.com
   Resolution |        |FIXED

--- Comment #1 from Roan Kattouw  2010-11-05 11:44:01 UTC ---
All output of session IDs removed in r76077. I contemplated other ways of doing
this, but none of them were secure.

The session ID was output to help clients that couldn't read cookies properly,
but I'm afraid we're having to drop support for those now.

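An added example, not MediaWiki's code: a login-style API response shaped the way comment #1 describes the pre-r76077 behaviour (the session ID echoed in the body for clients that could not read cookies) beside the fixed shape, plus a regression check that walks API output and flags any session-carrying field. The field name `sessionid` and the response layout are assumptions for this example.

```python
import json
import re
import secrets

# Any field whose name contains "sess" (sessionid, PHPSESSID, ...) is treated
# as carrying a session identifier. The match pattern is an assumption here.
SESSION_FIELD = re.compile(r"sess", re.IGNORECASE)


def login_response_legacy(username: str, session_id: str) -> dict:
    """Pre-fix shape: the session ID is echoed so clients that cannot
    read cookies can still authenticate. Any same-origin script can read it."""
    return {"login": {"result": "Success", "username": username,
                      "sessionid": session_id}}


def login_response_fixed(username: str, session_id: str) -> dict:
    """Fixed shape: the session ID lives only in the HttpOnly cookie,
    so the response body carries nothing a script could lift."""
    return {"login": {"result": "Success", "username": username}}


def find_session_fields(payload, path: str = "") -> list:
    """Walk a decoded API response and return the paths of fields whose
    name looks like a session identifier. An empty list means no leak."""
    hits = []
    if isinstance(payload, dict):
        for key, value in payload.items():
            child = f"{path}.{key}" if path else key
            if SESSION_FIELD.search(key):
                hits.append(child)
            hits.extend(find_session_fields(value, child))
    elif isinstance(payload, list):
        for i, item in enumerate(payload):
            hits.extend(find_session_fields(item, f"{path}[{i}]"))
    return hits


def leaks_session_id(response: dict, session_id: str) -> bool:
    """Regression check: True if the serialized body contains the session
    ID value itself or any session-looking field name."""
    body = json.dumps(response)
    return session_id in body or bool(find_session_fields(response))


if __name__ == "__main__":
    sid = secrets.token_hex(16)  # constructed session ID for the demo
    print("legacy leaks:", leaks_session_id(login_response_legacy("Alice", sid), sid))
    print("fixed leaks: ", leaks_session_id(login_response_fixed("Alice", sid), sid))
```

The value check catches a session ID smuggled under an unexpected key, and the name check catches an empty or renamed session field, so the test fails if either form of the echo ever returns.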