CentralAuth Session Fixation
Closed, ResolvedPublic


CentralAuth is vulnerable to Session Fixation attacks [0]. It uses the existing session id from a browsers cookie when setting up the CentralAuth session, without resetting the value.

[0] - https://www.owasp.org/index.php/Session_fixation

If an attacker can set a cookie with the name 'centralauth_Session' with a known value on a victims browser and the victim later logs in, the attacker can impersonate the victim by using the CentralAuth session id with the chosen value.

Version: unspecified
Severity: normal

bzimport added a subscriber: Unknown Object (MLST).
bzimport set Reference to bz40962.
csteipp created this task.Via LegacyOct 11 2012, 4:04 PM
csteipp added a comment.Via ConduitOct 19 2012, 12:47 AM
csteipp added a comment.Via ConduitOct 25 2012, 10:02 PM

Using CVE-2012-5395 to track this

csteipp added a comment.Via ConduitNov 13 2012, 11:32 PM

Created attachment 11353
Generate new Session ID for CentralAuth on login

Attached: CA_40962.patch

tstarling added a comment.Via ConduitNov 14 2012, 10:02 PM

The patch looks good.

duplicatebug added a comment.Via ConduitDec 1 2012, 9:46 AM

Merged gerrit 36094 links here, bug maybe resolved

Aklapper edited projects, added MW-1.21-release; removed MW-extension-1.21-version.Via WebDec 19 2014, 8:17 PM
csteipp added a project: Security.Via WebMar 26 2015, 8:39 PM
MarcoAurelio moved this task to Done on the MediaWiki-extensions-CentralAuth workboard.Via WebMay 5 2015, 6:01 PM
csteipp added a project: Vuln-Authn/Session.Via WebAug 20 2015, 9:56 PM

Add Comment