https://bugzilla.wikimedia.org/show_bug.cgi?id=60601

Web browser: ---
Bug ID: 60601
Summary: Authentication Bypass / Data Enumeration
Product: MediaWiki
Version: unspecified
Hardware: Other
OS: All
Status: UNCONFIRMED
Severity: major
Priority: Unprioritized
Component: General/Unknown
Assignee: wikibugs-l@lists.wikimedia.org
Reporter: blkn3t2s...@gmail.com
Classification: Unclassified
Mobile Platform: ---

Using MediaWiki’s own wiki (in which they provide various info on parameters that can be passed to ‘index.php’) I was able to discover a potential flaw in version 1.3.11.

By using a combination of parameters (‘diff’ & ‘oldid’), which should only allow access to data when authenticated, you can enumerate data out of the database – I guess this would be considered an authentication bypass of sorts. So far it gives up user and certain database information, as well as the contents of “protected” documents that have been uploaded.

index.php?title=Main_Page&diff=1811&oldid=1

By numerically fuzzing the 'diff' parameter, the application returns various information, including protected documents, database type, group users.
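
For a wiki operator who wants to check whether the pattern in this report shows up in their own traffic, the following is an added example (not part of the original report and not MediaWiki code). It assumes Combined Log Format access logs; the function names, the threshold and the sample lines are constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Combined Log Format (assumed): client, ident, user, [time], "METHOD target proto"
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) [^"]*"')

def diff_ids(line):
    """Return (client, numeric diff id) for index.php requests that carry
    both 'diff' and 'oldid'; return None for every other line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    client, target = m.groups()
    url = urlsplit(target)
    if not url.path.endswith("index.php"):
        return None
    q = parse_qs(url.query)
    diff = q.get("diff", [""])[0]
    if "oldid" not in q or not diff.isdigit():
        return None  # diff=prev / diff=next are normal navigation, not a numeric walk
    return client, int(diff)

def find_enumerators(lines, min_distinct=5):
    """Flag clients that requested at least min_distinct different numeric
    'diff' ids, the access pattern the report describes."""
    seen = defaultdict(set)
    for line in lines:
        hit = diff_ids(line)
        if hit:
            seen[hit[0]].add(hit[1])
    return {c: sorted(ids) for c, ids in seen.items() if len(ids) >= min_distinct}

# Constructed sample lines (documentation-range addresses), not real traffic.
SAMPLE_LOG = [
    f'192.0.2.10 - - [01/Feb/2014:10:00:{i:02d} +0000] '
    f'"GET /index.php?title=Main_Page&diff={1805 + i}&oldid=1 HTTP/1.1" 200 5120'
    for i in range(7)
] + [
    '198.51.100.7 - - [01/Feb/2014:10:01:00 +0000] '
    '"GET /index.php?title=Help&diff=40&oldid=39 HTTP/1.1" 200 2048',
    '198.51.100.7 - - [01/Feb/2014:10:02:00 +0000] '
    '"GET /index.php?title=Help&diff=prev&oldid=40 HTTP/1.1" 200 2048',
    '198.51.100.7 - - [01/Feb/2014:10:03:00 +0000] '
    '"GET /index.php?title=Main_Page HTTP/1.1" 200 1024',
]

if __name__ == "__main__":
    for client, ids in find_enumerators(SAMPLE_LOG).items():
        print(f"{client}: {len(ids)} distinct diff ids, {ids[0]}..{ids[-1]}")
```

Clients that appear in the result are candidates for review against the wiki's read restrictions; a legitimate reader browsing page history will normally stay well under the threshold.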