-------- Original Message --------
Subject: CSRF in image upload
Date: Sun, 18 Mar 2012 15:05:50 +0100
From: Jan Schejbal
To: security@wikimedia.org
Dear MediaWiki development team,

I have discovered a Cross-site request forgery security issue in
MediaWiki. The edit token is not checked for file uploads. This was done
intentionally under the assumption that it is not possible to forge a
file upload using JavaScript. (See includes/specials/SpecialUpload.php,
a comment saying "Skip token check for file uploads as that can't be
faked via JS")

That assumption is wrong. With HTML5 and modern browsers, this is
possible with a few lines of code using FormData and BlobBuilder, and I
think that it probably has been possible for a while with
XMLHttpRequests and custom encoding of the POST body.

Please keep me updated about the steps you take to fix this issue. If
you provide acknowledgements for security bug reports e.g. in the
release notes, please attribute this to "Jan Schejbal / Hatforce.com".

Kind regards,
Jan Schejbal
Version: unspecified
Severity: normal
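The report's point is that exempting multipart file uploads from the edit-token check is unsafe, because a browser can construct a multipart body from another origin. The mitigation is to apply the same session-bound token check to uploads as to any other state-changing POST. The following is an added example written for this page; it is not MediaWiki's code and does not reproduce SpecialUpload.php. The function names (issue_edit_token, verify_edit_token, handle_upload, render_form) and the form field names (wpEditToken, wpUploadFile) are chosen for the illustration and are assumptions, not references to the report.

```php
<?php
// Added example, not MediaWiki code: a minimal upload handler that checks a
// per-session token on every POST, with no exemption for multipart/form-data.
// All function and field names here are hypothetical choices for the example.

session_start();

// Issue one random token per session and keep the canonical copy server-side.
function issue_edit_token(): string {
    if (empty($_SESSION['edit_token'])) {
        $_SESSION['edit_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['edit_token'];
}

// Compare the submitted token with the session copy in constant time.
// A cross-origin page cannot read the victim's session token, so a forged
// multipart request arrives without a matching value and fails here.
function verify_edit_token(?string $submitted): bool {
    if (empty($_SESSION['edit_token']) || $submitted === null) {
        return false;
    }
    return hash_equals($_SESSION['edit_token'], $submitted);
}

// Upload handler: the token is verified BEFORE $_FILES is touched.
// The request's enctype plays no role in whether the check runs.
function handle_upload(): void {
    if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
        http_response_code(405);
        return;
    }
    if (!verify_edit_token($_POST['wpEditToken'] ?? null)) {
        http_response_code(403);
        echo 'Invalid or missing edit token; upload rejected.';
        return;
    }
    if (!isset($_FILES['wpUploadFile'])
        || $_FILES['wpUploadFile']['error'] !== UPLOAD_ERR_OK) {
        http_response_code(400);
        echo 'No file received.';
        return;
    }
    // Store under a server-chosen name; the client-supplied name is not used.
    $dest = sys_get_temp_dir() . '/upload_' . bin2hex(random_bytes(8));
    if (!move_uploaded_file($_FILES['wpUploadFile']['tmp_name'], $dest)) {
        http_response_code(500);
        echo 'Could not store upload.';
        return;
    }
    echo 'Upload stored.';
}

// The legitimate form carries the token as a hidden field next to the file input.
function render_form(): string {
    $token = htmlspecialchars(issue_edit_token(), ENT_QUOTES, 'UTF-8');
    return '<form method="post" enctype="multipart/form-data">'
         . '<input type="hidden" name="wpEditToken" value="' . $token . '">'
         . '<input type="file" name="wpUploadFile">'
         . '<button type="submit">Upload</button>'
         . '</form>';
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    handle_upload();
} else {
    echo render_form();
}
```

The design choice worth noting is that verify_edit_token runs unconditionally on POST: the handler never inspects the Content-Type or the presence of a file before deciding whether to check the token, which is exactly the branch the report identifies as unsafe.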