Page MenuHomePhabricator
Create Task
Maniphest T248583

PollNY: Classic CSRF in Special:CreatePoll & Special:UpdatePoll + API module
Closed, ResolvedPublicSecurity
Actions

Description

A registered user who is either a poll admin or the author of a particular poll could be tricked into visiting a page which contains an iframe or somesuch pointing to Special:UpdatePoll with the id (poll ID), poll_answer_N (where N is between 1-10 to signify for the possible 10 available answer options) and poll_image_name URL params set and the poll with the given ID would be updated as requested since the special page lacks a CSRF token check and only checks if the request was POSTed.

Likewise, Special:CreatePoll is also vulnerable to similar attack as it also fails to check for a token. All you need to spoof someone into creating a poll is a POST request with the desired values.

Ironically enough Special:AdminPoll is totally safe because currently the administrative functions are not available in "pure" PHP but rather only via the API module + JS (see also T248390: Better NoJS support)...but sadly the API module is currently vulnerable to CSRF as per @Bawolff since it doesn't check the CSRF token for its write actions (delete, updateStatus, vote).

Details

ProjectBranchLines +/-Subject
mediawiki/extensions/PollNYmaster+431 -140[SECURITY] Fix various classic CSRF points in the special pages and API module + improve no-JS usability as well
Customize query in gerrit

Related Objects

Event Timeline

ashley created this task.Mar 26 2020, 1:55 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptMar 26 2020, 1:55 PM
ashley claimed this task.Mar 26 2020, 1:55 PM
ashley added a project: PollNY.
Restricted Application added a project: Social-Tools. · View Herald TranscriptMar 26 2020, 1:55 PM
sbassett moved this task from Incoming to Watching on the Security-Team board.Mar 26 2020, 7:11 PM
ashley added a comment.May 23 2020, 10:58 PM

PollNY-CSRF-fix-and-noJS-work.patch43 KBDownload

Proposed patch, which also contains parts of T248390: Better NoJS support for PollNY because splitting them up would've been quite a pain.

Bawolff added a comment.May 23 2020, 11:04 PM

Looks like you are adding an edit token to the forms, and then checking it when processing it, so this should fix the issue.

ashley added a comment.May 25 2020, 11:16 PM

Alright, with the aforementioned patch being reviewed and merged, all that's left here is to close this task and make it public. Could someone do that, please?

Bawolff closed this task as Resolved.May 25 2020, 11:35 PM
Bawolff changed the visibility from "Custom Policy" to "Public (No Login Required)".
Bawolff changed the edit policy from "Custom Policy" to "All Users".
sbassett moved this task from Watching to Our Part Is Done on the Security-Team board.May 26 2020, 3:35 PM
Content licensed under Creative Commons Attribution-ShareAlike 3.0 (CC-BY-SA) unless otherwise noted; code licensed under GNU General Public License (GPL) or other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL