ApiBlock/ApiUnblock allow action to take place without a token parameter present
Closed, Resolved (Public)

Assigned To
Restricted Task
Krenair, MarkAHershberger, MZMcBride and 4 others


It was noted on IRC by "Krenair" that the block/unblock modules in the API would allow a user to block/unblock another user without passing a token (never mind whether the token was actually valid).

Some poking around, and I noticed it was due to the 'gettoken' parameter that both have, whereas the other modules do not have this.

$foo['bar'] = false;
!isset( $foo['bar'] ) evaluates to false, and it meant the code that dies for a missing token parameter was never reached, due to the wrong evaluation.

if ( $salt !== false && !$moduleParams['gettoken'] ) { // corrected condition: tests the parameter's value instead of isset()

Version: unspecified
Severity: normal

Attached: gettoken.patch
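To make the isset() mistake above concrete, here is an added PHP illustration (not MediaWiki's code and not the attached patch): extractRequestParams() and tokenGate() are simplified stand-ins I named for this example, modelling how a declared boolean parameter is filled in as false when absent, and comparing the !isset() condition with the value check.

```php
<?php
// Added example for this task, not MediaWiki's own code. extractRequestParams()
// and tokenGate() are simplified stand-ins for the real API parameter handling.

// Stand-in for parameter extraction: every declared parameter gets a key in the
// result, and a boolean flag the client did not send is stored as false.
function extractRequestParams( array $allowed, array $request ) {
    $params = array();
    foreach ( $allowed as $name => $type ) {
        if ( $type === 'boolean' ) {
            $params[$name] = isset( $request[$name] );
        } else {
            $params[$name] = isset( $request[$name] ) ? $request[$name] : null;
        }
    }
    return $params;
}

// Models the token gate for a module that declares 'gettoken'. Returns
// 'skipped' if the token check is bypassed, 'missingparam' if the request is
// rejected for lacking a token, or 'checked' if the token would be validated.
function tokenGate( $salt, array $moduleParams, $fixed ) {
    if ( $fixed ) {
        // Corrected condition: test the flag's value, so only an explicit
        // gettoken=1 request skips the check.
        $needsCheck = ( $salt !== false && !$moduleParams['gettoken'] );
    } else {
        // Buggy condition: isset() is true for a key holding false, so the
        // check is skipped for every request to this module.
        $needsCheck = ( $salt !== false && !isset( $moduleParams['gettoken'] ) );
    }
    if ( !$needsCheck ) {
        return 'skipped';
    }
    if ( !isset( $moduleParams['token'] ) ) {
        return 'missingparam';
    }
    return 'checked';
}

// Constructed request: a block action sent with no token parameter at all.
$allowed = array( 'user' => 'string', 'token' => 'string', 'gettoken' => 'boolean' );
$moduleParams = extractRequestParams( $allowed, array( 'user' => 'ExampleUser' ) );
$salt = '';  // the module requires a token, so the salt is not false

echo "buggy check: ", tokenGate( $salt, $moduleParams, false ), "\n";
echo "fixed check: ", tokenGate( $salt, $moduleParams, true ), "\n";
```

With the buggy condition the token-less request is waved through to the module; with the corrected condition it is rejected as missing the token parameter.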

bzimport added a project: MediaWiki-API. (Via Conduit, Nov 22 2014, 12:11 AM)
bzimport added a subscriber: wikibugs-l.
bzimport set Reference to bz34212.
Reedy created this task. (Via Legacy, Feb 5 2012, 6:27 PM)
Reedy added a comment. (Via Conduit, Feb 5 2012, 6:30 PM)

Fixed it on the cluster.

I'm presuming this warrants a security release of some sort?

Reedy added a comment. (Via Conduit, Feb 5 2012, 6:37 PM)

Both REL1_17 and REL1_18 are vulnerable to this too.

Catrope added a comment. (Via Conduit, Feb 8 2012, 2:03 PM)

Ouch, this was an embarrassing oversight on my part ~3 years ago.

Patch looks good.

MarkAHershberger added a comment. (Via Conduit, Feb 11 2012, 6:45 PM)

I'm confused: why isn't this patched on trunk?

Reedy added a comment. (Via Conduit, Feb 11 2012, 8:14 PM)

Although it's a CSRF issue, it's not a major issue, as it's in quite a small use case.

Hence it warrants a security release, but it's not urgent. The issue is patched on wmf currently.

It can wait for the next releases, or a more important fix also.

MZMcBride added a comment. (Via Conduit, Mar 22 2012, 7:46 PM)

Related revision: r114429.

csteipp added a project: Security. (Via Web, Thu, Mar 26, 8:39 PM)
