https://bugzilla.wikimedia.org/show_bug.cgi?id=38117
Web browser: ---
Bug #: 38117
Summary: Security: Bad IP range recognition
Product: MediaWiki extensions
Version: unspecified
Platform: All
OS/Version: All
Status: NEW
Severity: critical
Priority: Unprioritized
Component: [other]
AssignedTo: [email protected]
ReportedBy: [email protected]
Classification: Unclassified
Mobile Platform: ---
This is a security-related bug in Extension:NetworkAuth.
The problem is that the extension does not match IP ranges correctly and
thus authenticates IP addresses that do not belong to the specified IP range.
Both the IP address that the extension gets via wfGetIP() and the IP range that
is specified in LocalSettings.php are transformed to hex numbers via
IP::toHex(). Afterwards the obtained IP address is compared to the range to
determine whether the address is in the range.
Here is the somewhat simplified code. $parsedRange is an array containing the
lower and upper limits of the range.

  $ip = wfGetIP();
  $hex = IP::toHex( $ip );
  if ( $hex >= IP::toHex( $parsedRange[0] )
      && $hex <= IP::toHex( $parsedRange[1] ) )
  {
      # authenticate user
  }
Unfortunately, the function IP::toHex() does *not* return a hex number, but a
string containing the hex digits (e.g. IP::toHex("46.115.22.119") ->
"2E771673") *without* the leading "0x". This works fine in most cases, as the
string is implicitly typecast to a number and compared afterwards.
However, in the case that the string of the IP range contains only decimal
digits (e.g. IP::toHex("129.69.120.0") -> "81457800"), this fails
spectacularly, as in the one case it interprets the string as a hex number,
and in the other case as a decimal number. In the above case, this means that
IP::toHex("46.115.22.119") > IP::toHex("129.69.120.0") == true
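The following is an added example, not code from the extension or from MediaWiki: ipToHex() is a stand-in for IP::toHex() (IPv4 only, 8 uppercase hex digits, no "0x"), and the range 129.69.120.0 to 129.69.127.255 is constructed so that the lower bound hexes to all decimal digits while the upper bound does not. The buggy comparison is shown beside a byte-wise strcmp() comparison that is immune to PHP's numeric-string conversion.

```php
<?php
// Added example (not NetworkAuth's or MediaWiki's code). ipToHex() stands in for
// IP::toHex() for IPv4: 8 uppercase hex digits without a leading "0x".
function ipToHex( string $ip ): string {
    return sprintf( '%08X', ip2long( $ip ) );
}

// Buggy check, as in the extension: >= and <= on two numeric-looking strings
// compare them as numbers. An IP whose hex starts "2E" followed only by digits
// is read as a float in scientific notation (2E...), which overflows to INF,
// while "81457800" is read as a decimal integer, so INF >= 81457800 is true.
// "81457FFF" is not numeric, so the <= falls back to a string comparison,
// where "2..." <= "8..." is also true.
function inRangeBuggy( string $ip, string $lo, string $hi ): bool {
    $hex = ipToHex( $ip );
    return $hex >= ipToHex( $lo ) && $hex <= ipToHex( $hi );
}

// Fixed check: strcmp() never converts to numbers. Because every IPv4 hex
// string has the same width, byte-wise order equals numeric order.
function inRangeFixed( string $ip, string $lo, string $hi ): bool {
    $hex = ipToHex( $ip );
    return strcmp( $hex, ipToHex( $lo ) ) >= 0
        && strcmp( $hex, ipToHex( $hi ) ) <= 0;
}

// Constructed sample values: the client IP lies outside the configured range.
$ip = '46.115.22.119';
$lo = '129.69.120.0';    // -> "81457800": only decimal digits
$hi = '129.69.127.255';  // -> "81457FFF"

var_dump( inRangeBuggy( $ip, $lo, $hi ) );  // bool(true): wrongly authenticated
var_dump( inRangeFixed( $ip, $lo, $hi ) );  // bool(false): correctly rejected
```

MediaWiki's own IP class already offers IP::isInRange(), which avoids this hand-rolled comparison altogether.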
This bug report is made problematic by the fact that at the moment I cannot
even find the current code of the extension, as all "Download" links on
http://www.mediawiki.org/wiki/Extension:NetworkAuth
seem to be broken. I am willing to provide a patch when anyone can tell me
where to find the repo containing the current code of the extension.
_______________________________________________
Wikibugs-l mailing list
[email protected]
https://lists.wikimedia.org/mailman/listinfo/wikibugs-l