ApiBlock/ApiUnblock allow action to take place without a token parameter present
Closed, Resolved, Public



It was noted on IRC by "Krenair" that the block/unblock modules in the API would allow a user to block/unblock another user without passing a token (never mind whether the token was actually valid).

Some poking around and I noticed it was due to the 'gettoken' parameter that both have, whereas the other modules do not have this.

$foo['bar'] = false;
!isset( $foo['bar'] ) evaluates to false, and it meant the code to die for a missing token parameter was never met due to the wrong evaluation.

if ( $salt !== false && !$moduleParams['gettoken'] ) {

Version: unspecified
Severity: normal

Attached: gettoken.patch
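
The evaluation described in the report above, as an added PHP example that is not part of the original task or MediaWiki's own code. The function names, request values and token string are hypothetical, and it assumes the parameter extractor fills an omitted boolean flag such as 'gettoken' with false, so the key always exists.

```php
<?php
// Simplified model of the token gate (added example, not MediaWiki's code).
// Assumption: an omitted boolean flag is stored as false, never left unset.
function extractParams(array $request): array {
    return [
        'gettoken' => array_key_exists('gettoken', $request), // boolean flag
        'token'    => $request['token'] ?? null,
    ];
}

// Buggy gate: isset() is true for a key holding false, so !isset() is
// always false here and the token check is skipped for every request.
function gateBuggy(array $params, $salt): bool {
    return $salt !== false && !isset($params['gettoken']);
}

// Gate that tests the flag's value, as in the condition quoted in the task.
function gateFixed(array $params, $salt): bool {
    return $salt !== false && !$params['gettoken'];
}

// Hypothetical dispatcher: reports what would happen to the request.
function handle(array $request, callable $gate, string $validToken): string {
    $params = extractParams($request);
    $salt = ''; // assumed: any non-false salt means the module needs a token
    if ($gate($params, $salt)) {
        if ($params['token'] === null) {
            return 'error: missing token';
        }
        if (!hash_equals($validToken, $params['token'])) {
            return 'error: bad token';
        }
    }
    return $params['gettoken'] ? 'token issued' : 'action executed';
}

$valid = 'constructed-session-token'; // constructed sample value
$requests = [                         // constructed sample requests
    'no token'    => ['user' => 'Example'],
    'wrong token' => ['user' => 'Example', 'token' => 'guess'],
    'valid token' => ['user' => 'Example', 'token' => $valid],
    'gettoken'    => ['user' => 'Example', 'gettoken' => ''],
];
foreach ($requests as $label => $req) {
    printf("%-12s buggy: %-22s fixed: %s\n", $label,
        handle($req, 'gateBuggy', $valid), handle($req, 'gateFixed', $valid));
}
```

Running it prints one row per request, with the outcome under each gate side by side.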

bzimport added a project: MediaWiki-API. Via Conduit, Nov 22 2014, 12:11 AM
bzimport added a subscriber: Unknown Object (MLST).
bzimport set Reference to bz34212.
Reedy created this task. Via Legacy, Feb 5 2012, 6:27 PM
Reedy added a comment. Via Conduit, Feb 5 2012, 6:30 PM

Fixed it on the cluster.

I'm presuming this warrants a security release of some sort?

Reedy added a comment. Via Conduit, Feb 5 2012, 6:37 PM

Both REL1_17 and REL1_18 are vulnerable to this too.

Catrope added a comment. Via Conduit, Feb 8 2012, 2:03 PM

Ouch, this was an embarrassing oversight on my part ~3 years ago.

Patch looks good.

MarkAHershberger added a comment. Via Conduit, Feb 11 2012, 6:45 PM

I'm confused: why isn't this patched on trunk?

Reedy added a comment. Via Conduit, Feb 11 2012, 8:14 PM

Although it's a CSRF issue, it's not a major issue, as it's in quite a small use case.

Hence it warrants a security release, but it's not urgent. Issue is patched on WMF currently.

It can wait for the next releases, or a more important fix also.

MZMcBride added a comment. Via Conduit, Mar 22 2012, 7:46 PM

Related revision: r114429.

csteipp added a project: Security. Via Web, Mar 26 2015, 8:39 PM
