https://bugzilla.wikimedia.org/show_bug.cgi?id=25793
Summary: Security problem: API allows to hijack sessionid
Product: MediaWiki
Version: wikimedia-deployment
Platform: All
OS/Version: All
Status: NEW
Keywords: patch
Severity: major
Priority: Normal
Component: API
AssignedTo: [email protected]
ReportedBy: [email protected]
CC: [email protected], [email protected],
[email protected], [email protected]
Created attachment 7791
--> https://bugzilla.wikimedia.org/attachment.cgi?id=7791
patch fixes mentioned issue
If you make a POST to api.php with something like
"action=login&lgname=TestUser&lgpassword=gotcha", the API responds with a
NeedToken error. Inside the error message the current session is included, so
you can trick the API into telling you what the sessionid is to bypass httponly
and get access to the user's login session.
On a wiki farm (like Wikia) an evil admin could alter common.js to run this POST
request via AJAX for every logged-in user that enters his wiki. Having the
sessions, he would be able to log in as any visitor of his wiki by creating
the proper cookie.
Simple patch attached: for case LoginForm::NEED_TOKEN, do not return sessionid.
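A regression check for the behaviour reported above, as an added example that is not part of the original bug report, the attached patch, or MediaWiki's code: it flags any JSON field in an API response that repeats the value of an HttpOnly cookie, which generalizes the sessionid case to any response body readable by page script. The cookie name, token and session values below are constructed samples.

```python
import json
from http.cookies import SimpleCookie


def httponly_values(set_cookie_headers):
    """Map cookie value -> cookie name for every cookie flagged HttpOnly."""
    values = {}
    for header in set_cookie_headers:
        jar = SimpleCookie()
        jar.load(header)
        for name, morsel in jar.items():
            if morsel["httponly"] and morsel.value:
                values[morsel.value] = name
    return values


def echoed_cookie_fields(body, set_cookie_headers):
    """Return (json_path, cookie_name) for each string in the JSON body
    that equals the value of an HttpOnly cookie set by the same server."""
    secrets = httponly_values(set_cookie_headers)
    hits = []

    def walk(node, path):
        if isinstance(node, dict):
            for key, child in node.items():
                walk(child, f"{path}.{key}" if path else key)
        elif isinstance(node, list):
            for i, child in enumerate(node):
                walk(child, f"{path}[{i}]")
        elif isinstance(node, str) and node in secrets:
            hits.append((path, secrets[node]))

    walk(json.loads(body), "")
    return hits


# Constructed samples: a NeedToken reply before and after the fix.
SET_COOKIE = ["wiki_session=0f3c9a7e5b1d4c2e; path=/; HttpOnly"]
BEFORE_PATCH = json.dumps({"login": {"result": "NeedToken", "token": "b5780b6e",
                                     "sessionid": "0f3c9a7e5b1d4c2e"}})
AFTER_PATCH = json.dumps({"login": {"result": "NeedToken", "token": "b5780b6e"}})

if __name__ == "__main__":
    print("before:", echoed_cookie_fields(BEFORE_PATCH, SET_COOKIE))
    print("after: ", echoed_cookie_fields(AFTER_PATCH, SET_COOKIE))
```

Run against recorded API responses in a test suite, a non-empty result means the HttpOnly protection on that cookie is defeated by the response body.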