Page MenuHomePhabricator

Special:Userlogin form is not token protected
Closed, ResolvedPublic

Description

The Special:Userlogin forms for login and account creating is not token
protected with a session, which caused bug 23076. However, r64677 only
fixed it for login (which is the most critical due to $wgAllowUserJs).

The hole remains for "E-mail me my password", "Create account" and
"Create by e-mail", with the following abuse cases:

*For wikis allowing public account creation, an attacker could create
many accounts via proxying users, avoiding ip blocks, the anon gets
logged in (wikis using ConfirmEdit to request a captcha for createaccount
are protected from this).

*If the victims were logged users, the attacker could create the
accounts by email and flood innocent parties using the wiki as gateway.

*If the victim was a sysop, the attacker could not only bypass the
captcha protection, but also the username blacklist.

*It also provides a way to bypass the blocks and ping limit for sending
many password resets flooding its targets.

*On private wikis an account creation by targeting a sysop may expose
confidential information.


Version: 1.16.x
Severity: critical

Details

Reference
bz23371

Event Timeline

bzimport raised the priority of this task from to Medium.Nov 21 2014, 11:04 PM
bzimport set Reference to bz23371.

Fixed on r65760