
API login with empty CSRF token
Closed, Invalid | Public | Security

Description

Hi!

I'm developing a MediaWiki extension and use the MediaWiki API for bulk import of some files.

I usually log in with a Bot password into the API, but when I used wrong credentials, I still managed to edit pages and such. I was very confused and checked the CSRF token.

With CSRFTOKEN="+\\" I managed to log in and use API functions. I'm not sure if this is expected behavior.

I also checked out the real Wikipedia and was successful in editing a page. To reproduce, you can use this python script:

import requests

URL = 'https://en.wikipedia.org/w/api.php'
S = requests.Session()  # fresh session: no login performed, so the request is anonymous

# Page text to submit is read from text.txt next to the script
with open('text.txt', 'r') as f:
    text = f.read()

# '+\\' is the CSRF token value a logged-out session receives
PARAMS = {'action': 'edit', 'title': 'Hocuspocus_(1930_film)', 'token': '+\\',
          'format': 'json', 'text': text}
R = S.post(url=URL, data=PARAMS)
print(R.json())

You need to put some text in the text.txt file and if it passes Wikipedia's abuse filters you will successfully edit the page.

I'm not sure if this is actually a security flaw or some kind of expected behavior. I'm sorry if I am wasting your time.

Kind Regards,
Oliver Tautz

Details

Risk Rating
Informational
Author Affiliation
Wikimedia Communities

Event Timeline

Aklapper changed Author Affiliation from N/A to Wikimedia Communities. Mar 27 2023, 11:00 AM
taavi subscribed.

I usually log in with a Bot password into the API, but when I used wrong credentials, I still managed to edit pages and such.

You edited pages while logged out. You can use assert to prevent that. "+\\" is the CSRF token used for logged out requests. This is all expected behavior.
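The guard taavi describes, as an added example (not code from the report or from MediaWiki itself): refuse the logged-out placeholder token client-side and send assert= so the server rejects an edit from a session that has silently lost its login. It assumes the usual action=query&meta=tokens&type=csrf and action=edit JSON shapes and the documented assertuserfailed / assertbotfailed error codes; the sample replies are constructed.

```python
# MediaWiki hands logged-out sessions the fixed CSRF token '+\\'. Catching that
# client-side, plus asking the server to assert the login, closes both gaps.
ANON_TOKEN = '+\\'

# Error codes MediaWiki returns when an assert= parameter is not satisfied.
ASSERT_FAILURES = ('assertuserfailed', 'assertbotfailed')


def is_anonymous_token(token):
    """True when a meta=tokens reply handed back the logged-out placeholder."""
    return token == ANON_TOKEN


def extract_csrf_token(token_response):
    """Pull the csrf token out of action=query&meta=tokens&type=csrf JSON and
    refuse the anonymous placeholder instead of silently editing logged out."""
    token = token_response['query']['tokens']['csrftoken']
    if is_anonymous_token(token):
        raise PermissionError('session is logged out: got the anonymous CSRF token')
    return token


def build_edit_params(title, text, token, require_bot=True):
    """Edit parameters that also make the server verify the session: assert=bot
    rejects the edit unless the session is a logged-in account with the bot
    right, assert=user only requires any logged-in account."""
    return {
        'action': 'edit', 'title': title, 'text': text, 'token': token,
        'assert': 'bot' if require_bot else 'user', 'format': 'json',
    }


def classify_edit_result(response_json):
    """Map an action=edit JSON reply to 'success', 'logged_out' or 'error'."""
    err = response_json.get('error')
    if err is None:
        ok = response_json.get('edit', {}).get('result') == 'Success'
        return 'success' if ok else 'error'
    return 'logged_out' if err.get('code') in ASSERT_FAILURES else 'error'


# Constructed sample replies, shaped like the real API's JSON (values are made up).
LOGGED_OUT_TOKENS = {'query': {'tokens': {'csrftoken': '+\\'}}}
LOGGED_IN_TOKENS = {'query': {'tokens': {'csrftoken': 'f00ba4deadbeef+\\'}}}
ASSERT_REPLY = {'error': {'code': 'assertbotfailed',
                          'info': 'Assertion that the user has the "bot" right failed.'}}

if __name__ == '__main__':
    print(classify_edit_result(ASSERT_REPLY))          # logged_out
    print(extract_csrf_token(LOGGED_IN_TOKENS))        # the real token
    extract_csrf_token(LOGGED_OUT_TOKENS)              # raises PermissionError
```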

sbassett edited projects, added SecTeam-Processed; removed Security-Team.
sbassett removed a project: Security.
sbassett changed the visibility from "Custom Policy" to "Public (No Login Required)".
sbassett changed the edit policy from "Custom Policy" to "All Users".
sbassett changed Risk Rating from N/A to Informational.