https://bugzilla.wikimedia.org/show_bug.cgi?id=23371

           Summary: Special:Userlogin form is not token protected
           Product: MediaWiki
           Version: 1.16-svn
          Platform: All
        OS/Version: All
            Status: NEW
          Severity: critical
          Priority: Normal
         Component: General/Unknown
        AssignedTo: [email protected]
        ReportedBy: [email protected]


The Special:Userlogin forms for login and account creation are not token 
protected with a session, which caused bug 23076. However, r64677 only 
fixed it for login (which is the most critical due to $wgAllowUserJs).

The hole remains for "E-mail me my password", "Create account" and 
"Create by e-mail", with the following abuse cases:

*For wikis allowing public account creation, an attacker could create 
many accounts via proxying users, avoiding IP blocks; the anon gets 
logged in (wikis using ConfirmEdit to request a captcha for createaccount 
are protected from this).

*If the victims were logged-in users, the attacker could create the 
accounts by email and flood innocent parties using the wiki as a gateway.

*If the victim was a sysop, the attacker could not only bypass the 
captcha protection, but also the username blacklist.

*It also provides a way to bypass the blocks and ping limit for sending 
many password resets flooding its targets.

*On private wikis an account creation by targeting a sysop may expose 
confidential information.

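A framework-neutral model of the gap this report describes, added here as an illustration and not MediaWiki's code: every action on the form must check a token bound to the visitor's session, and an audit shows which actions still accept a POST that carries no token when only login is covered. The class, function and action names are assumptions made for the example.

```python
import hmac
import secrets

# Actions the report lists for Special:Userlogin; these names are illustrative.
ACTIONS = ("login", "create_account", "create_by_email", "mail_password")


class Session:
    """Server-side state tied to the browser's session cookie (anonymous or not)."""

    def __init__(self):
        self.form_token = None

    def issue_token(self):
        # Generated when the form is rendered and embedded as a hidden field.
        self.form_token = secrets.token_hex(16)
        return self.form_token


def token_ok(session, submitted):
    """Constant-time comparison; a missing token on either side fails."""
    if not session.form_token or not isinstance(submitted, str) or not submitted:
        return False
    return hmac.compare_digest(session.form_token.encode(), submitted.encode())


def handle_post(session, action, fields, protected=ACTIONS):
    """Return 'processed' or 'rejected' for a POST to the form.

    `protected` is the set of actions that require the session token.
    """
    if action not in ACTIONS:
        return "rejected"
    if action in protected and not token_ok(session, fields.get("token")):
        return "rejected"
    return "processed"


def audit(protected):
    """List actions that still accept a POST sent without the session token."""
    victim = Session()
    victim.issue_token()  # a third-party page cannot read this value
    tokenless = {"name": "constructed-example"}  # constructed request body
    return [a for a in ACTIONS
            if handle_post(victim, a, tokenless, protected) == "processed"]
```

`audit(("login",))` models the state after a login-only fix, and `audit(ACTIONS)` models the state once every action on the form checks the token.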