Page MenuHomePhabricator
Create Task
Maniphest T345040

CVE-2023-45374: SportsTeams: no anti-CSRF check in Special:SportsTeamsManager and Special:UpdateFavoriteTeams
Closed, ResolvedPublicSecurity
Actions

Description

SportsTeams, the obscure sports-specific Social-Tools extension from ArmchairGM meant to be used with UserStatus to provide the sports fan networking functionality, does not check for the anti-CSRF ("edit") token in Special:SportsTeamsManager and Special:UpdateFavoriteTeams.

Similar checks were added to Special:AddFan and Special:RemoveFan in 46a0054e0d0c5f15ecf10e6a428e73daf6608f4f (September 2020) and to the uploading special pages even earlier, in bccf8758c699f2ecb7b0f43a5f5606d2ec59beb2 (April 2020).

Details

Author Affiliation
Other (Please specify in description)
SubjectRepoBranchLines +/-
[SECURITY] Add anti-CSRF token checks for Special:SportsTeamsManager & Special:UpdateFavoriteTeamsmediawiki/extensions/SportsTeamsmaster+22 -3
Customize query in gerrit

Related Objects

Event Timeline

ashley created this task.Aug 27 2023, 10:45 AM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptAug 27 2023, 10:45 AM
ashley changed the task status from Open to In Progress.Aug 27 2023, 10:45 AM
ashley claimed this task.
ashley added a project: Social-Tools.
Bawolff subscribed.Aug 27 2023, 12:41 PM

This was fixed by Ashley in https://gerrit.wikimedia.org/r/c/mediawiki/extensions/SportsTeams/+/952552

Bawolff closed this task as Resolved.Aug 27 2023, 12:42 PM
Bawolff changed the visibility from "Custom Policy" to "Public (No Login Required)".
Bawolff changed the edit policy from "Custom Policy" to "All Users".
sbassett mentioned this in T340874: Write and send supplementary release announcement for extensions and skins with security patches (1.35.12/1.39.5/1.40.1).Aug 28 2023, 2:47 PM
sbassett subscribed.

Thanks, now tracking at T340874.

ashley added a project: SportsTeams.Sep 5 2023, 11:47 AM
Mstyles renamed this task from SportsTeams: no anti-CSRF check in Special:SportsTeamsManager and Special:UpdateFavoriteTeams to CVE-2023-45374: SportsTeams: no anti-CSRF check in Special:SportsTeamsManager and Special:UpdateFavoriteTeams.Oct 10 2023, 4:02 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits