Page MenuHomePhabricator
Create Task
Maniphest T42995

Generic Session Fixation
Closed, ResolvedPublic
Actions

Description

Sessions id's in the default MediaWiki authentication are not refreshed on login or logout. An attacker can use this to impersonate a user.

https://www.owasp.org/index.php/Session_Management_Cheat_Sheet#Renew_the_Session_ID_After_Any_Privilege_Level_Change

Version: 1.20.x
Severity: normal

Details

Reference
bz40995

Event Timeline

bzimport raised the priority of this task from to Needs Triage.Nov 22 2014, 12:46 AM
bzimport added projects: MW-1.20-release, MediaWiki-User-login-and-signup.
bzimport set Reference to bz40995.
csteipp created this task.Oct 12 2012, 11:50 PM
csteipp added a comment.Oct 12 2012, 11:56 PM

Created attachment 11187
SpecialUserlogin updated to refresh the user's session_id on each login

Attached:

bug40995.patch2 KBDownload

tstarling added a comment.Oct 15 2012, 3:49 AM

Well spotted, Chris. The patch looks good.

Is there really a need for the bug to be private? This is just a method for turning a non-persistent vulnerability like XSS into a persistent one, right? If so, could it just be committed and deployed in the ordinary release cycle?

csteipp added a comment.Oct 15 2012, 1:36 PM

Where I think this is likely to get exploited is something like:

  1. Someone finds an xss (or .jar upload, or header splitting) on an obscure wikipedia.org domain, and uses it to set the cookie enwiki_session to a known value for the wikipedia.org domain. Or especially in a class / cafe environment, the attacker can just setup the cookie on a shared machine, and then nicely allow the victim to use their computer.
  1. Victim has the cookie set, then later visits en.wikipedia.org and logs in
  1. Since session_id isn't updated, the attacker can set their own session cookie to the known string, and impersonate the victim as soon as the victim logs in.
csteipp added a comment.Oct 25 2012, 9:59 PM

Using CVE-2012-5391 to track this

csteipp added a comment.Nov 20 2012, 11:44 PM

Deployed on the cluster Nov 15th

duplicatebug added a comment.Dec 1 2012, 9:47 AM

Merged gerrit 36079 links here, bug maybe resolved

csteipp added a project: acl*security.Mar 26 2015, 8:39 PM
csteipp added a project: Vuln-Authn/Session.Aug 20 2015, 10:10 PM
chasemp added a project: Security.Feb 10 2020, 10:53 PM
chasemp removed a project: acl*security.Feb 20 2020, 8:14 PM
Content licensed under Creative Commons Attribution-ShareAlike 3.0 (CC-BY-SA) unless otherwise noted; code licensed under GNU General Public License (GPL) or other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL