Generic Session Fixation
Closed, ResolvedPublic


Session IDs in the default MediaWiki authentication are not refreshed on login or logout. An attacker can use this to impersonate a user.

Version: 1.20.x
Severity: normal

bzimport set Reference to bz40995.
csteipp created this task. Via Legacy, Oct 12 2012, 11:50 PM
csteipp added a comment. Via Conduit, Oct 12 2012, 11:56 PM

Created attachment 11187
SpecialUserlogin updated to refresh the user's session_id on each login

Attached: bug40995.patch

tstarling added a comment. Via Conduit, Oct 15 2012, 3:49 AM

Well spotted, Chris. The patch looks good.

Is there really a need for the bug to be private? This is just a method for turning a non-persistent vulnerability like XSS into a persistent one, right? If so, could it just be committed and deployed in the ordinary release cycle?

csteipp added a comment. Via Conduit, Oct 15 2012, 1:36 PM

Where I think this is likely to get exploited is something like:

  1. Someone finds an XSS (or .jar upload, or header splitting) on an obscure domain, and uses it to set the cookie enwiki_session to a known value for the domain. Or especially in a class / cafe environment, the attacker can just set up the cookie on a shared machine, and then nicely allow the victim to use their computer.
  2. Victim has the cookie set, then later visits and logs in.
  3. Since session_id isn't updated, the attacker can set their own session cookie to the known string, and impersonate the victim as soon as the victim logs in.
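The three-step scenario above, modelled end to end as an added example. This is not MediaWiki code (MediaWiki is PHP and the actual fix landed in SpecialUserlogin); it is a constructed Python model with a hypothetical in-memory session store, an assumed cookie name taken from the comment, and two login implementations side by side: one that keeps the browser-supplied session ID across login (the reported behaviour) and one that discards it and issues a fresh ID, plus a logout that destroys the server-side session. `run_attack` plays the attacker planting a known cookie value, the victim logging in with it, and the attacker replaying it.

```python
"""Session-fixation model: attacker pre-sets a session ID, victim logs in
on it, attacker replays it. Constructed example, not MediaWiki code."""
import secrets

COOKIE = "enwiki_session"  # cookie name mentioned in the report (assumed here)


class SessionStore:
    """Hypothetical server-side session table keyed by the cookie value."""

    def __init__(self):
        self.sessions = {}  # session_id -> {"user": username or None}

    def get_or_create(self, session_id):
        # A browser shows up with a cookie value the server has never seen.
        # PHP-style session handling accepts it and starts an empty session
        # under that ID, which is what makes fixation possible.
        if session_id not in self.sessions:
            self.sessions[session_id] = {"user": None}
        return session_id

    def new_id(self):
        # Fresh, unguessable ID from the OS CSPRNG.
        return secrets.token_hex(16)


def login_vulnerable(store, session_id, username):
    """Bind the user to whatever session ID the browser presented.
    Models the pre-patch behaviour: the cookie value is never refreshed."""
    sid = store.get_or_create(session_id)
    store.sessions[sid]["user"] = username
    return sid  # cookie sent back unchanged


def login_fixed(store, session_id, username):
    """Drop the presented session and issue a new ID at the moment of
    login, so a value chosen before authentication never becomes
    an authenticated session."""
    store.get_or_create(session_id)
    del store.sessions[session_id]  # the pre-login ID is dead from here on
    sid = store.new_id()
    store.sessions[sid] = {"user": username}
    return sid  # Set-Cookie: enwiki_session=<new id>


def logout_fixed(store, session_id):
    """Destroy the authenticated session and hand the browser a fresh,
    anonymous ID, so the old value is useless to anyone who captured it."""
    store.sessions.pop(session_id, None)
    sid = store.new_id()
    store.sessions[sid] = {"user": None}
    return sid


def whoami(store, session_id):
    """Who the server believes is behind a request carrying this cookie."""
    return store.sessions.get(session_id, {"user": None})["user"]


def run_attack(login):
    """1. attacker plants a known cookie value in the victim's browser;
    2. victim logs in carrying that cookie;
    3. attacker sends the same value from their own browser."""
    store = SessionStore()
    planted = "deadbeef" * 4                    # attacker-chosen, known value
    victim_cookie = login(store, planted, "victim")
    attacker_sees = whoami(store, planted)      # attacker replays planted ID
    victim_sees = whoami(store, victim_cookie)  # victim's own session
    return {
        "attacker": attacker_sees,
        "victim": victim_sees,
        "cookie_changed": victim_cookie != planted,
    }


if __name__ == "__main__":
    print("vulnerable:", run_attack(login_vulnerable))
    print("fixed:     ", run_attack(login_fixed))
```

With the vulnerable login the attacker's replay of the planted value is answered as "victim"; with the fixed login the planted ID no longer exists server-side and the replay is anonymous, while the victim's browser carries the new ID and stays logged in.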
csteipp added a comment. Via Conduit, Oct 25 2012, 9:59 PM

Using CVE-2012-5391 to track this

csteipp added a comment. Via Conduit, Nov 20 2012, 11:44 PM

Deployed on the cluster Nov 15th

duplicatebug added a comment. Via Conduit, Dec 1 2012, 9:47 AM

Merged gerrit 36079 links here; bug may be resolved.

csteipp added a project: Security. Via Web, Mar 26 2015, 8:39 PM
