Session IDs in the default MediaWiki authentication are not refreshed on login or logout. An attacker can use this to impersonate a user.
Version: 1.20.x
Severity: normal
csteipp, Oct 12 2012, 11:50 PM
F9622: bug40995.patch, Nov 22 2014, 12:46 AM
Created attachment 11187
SpecialUserlogin updated to refresh the user's session_id on each login
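The fix described in this report, shown with plain PHP session functions. This is an added example, not the attached patch and not MediaWiki's SpecialUserlogin code; `check_credentials()` and its user table are hypothetical and constructed for the illustration.

```php
<?php
// Hypothetical credential check with a constructed in-memory user table.
function check_credentials(string $user, string $password): bool {
    $users = ['alice' => password_hash('correct horse', PASSWORD_DEFAULT)];
    return isset($users[$user]) && password_verify($password, $users[$user]);
}

function login(string $user, string $password): bool {
    if (session_status() !== PHP_SESSION_ACTIVE) {
        // Reject session IDs the server did not issue itself.
        ini_set('session.use_strict_mode', '1');
        session_start();
    }
    if (!check_credentials($user, $password)) {
        return false;
    }
    // Issue a fresh ID and delete the old session record, so an ID that
    // was known before authentication is never bound to the logged-in user.
    session_regenerate_id(true);
    $_SESSION['user'] = $user;
    return true;
}

function logout(): void {
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    // Drop all session data held for this request.
    $_SESSION = [];
    // Expire the session cookie in the browser.
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000,
            $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    // Remove the server-side record so the old ID cannot be replayed.
    session_destroy();
}
```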
Well spotted, Chris. The patch looks good.
Is there really a need for the bug to be private? This is just a method for turning a non-persistent vulnerability like XSS into a persistent one, right? If so, could it just be committed and deployed in the ordinary release cycle?
Where I think this is likely to get exploited is something like: