
Generic Session Fixation
Closed, Resolved, Public


Session IDs in the default MediaWiki authentication are not refreshed on login or logout. An attacker can use this to impersonate a user.

Version: 1.20.x
Severity: normal



Event Timeline

bzimport raised the priority of this task from to Needs Triage. Nov 22 2014, 12:46 AM
bzimport set Reference to bz40995.

Created attachment 11187
SpecialUserlogin updated to refresh the user's session_id on each login


Well spotted, Chris. The patch looks good.

Is there really a need for the bug to be private? This is just a method for turning a non-persistent vulnerability like XSS into a persistent one, right? If so, could it just be committed and deployed in the ordinary release cycle?

Where I think this is likely to get exploited is something like:

  1. Someone finds an XSS (or .jar upload, or header splitting) on an obscure domain, and uses it to set the cookie enwiki_session to a known value for the domain. Or especially in a class / cafe environment, the attacker can just set up the cookie on a shared machine, and then nicely allow the victim to use their computer.
  2. Victim has the cookie set, then later visits and logs in.
  3. Since session_id isn't updated, the attacker can set their own session cookie to the known string, and impersonate the victim as soon as the victim logs in.
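The scenario above, reduced to a model a reviewer can run as a regression check. This is an added example, not MediaWiki's code or the attached patch: it uses a constructed in-memory session store with hypothetical `login_vulnerable` (keeps the pre-login session ID, as before the fix) and `login_fixed` (discards it and issues a fresh ID, as the fix does) routines, plus a server-side `logout`.

```python
import secrets
from typing import Callable, Optional

# Constructed in-memory session store: session id -> {"user": name or None}.
# Stands in for the cookie-backed session a MediaWiki login uses.
SESSIONS: dict = {}


def start_session(session_id: Optional[str] = None) -> str:
    """Open a session; a cookie value already in the browser is accepted as-is."""
    sid = session_id or secrets.token_hex(16)
    SESSIONS.setdefault(sid, {"user": None})
    return sid


def login_vulnerable(sid: str, user: str) -> str:
    """Pre-fix behaviour: authenticate inside whatever session id arrived."""
    SESSIONS[sid]["user"] = user
    return sid  # the browser keeps the id it came with


def login_fixed(sid: str, user: str) -> str:
    """Fixed behaviour: drop the pre-login session and mint a new id on login."""
    SESSIONS.pop(sid, None)  # the planted id no longer resolves to anything
    new_sid = secrets.token_hex(16)
    SESSIONS[new_sid] = {"user": user}
    return new_sid  # sent back to the browser in Set-Cookie


def logout(sid: str) -> None:
    """Destroy the session server-side instead of only clearing the cookie."""
    SESSIONS.pop(sid, None)


def whoami(sid: str) -> Optional[str]:
    """What the server believes about a request presenting this session cookie."""
    return SESSIONS.get(sid, {}).get("user")


def fixation_check(login: Callable[[str, str], str]) -> bool:
    """Regression check: with a session id known before login (the planted cookie),
    does that same id act as the victim after login? True means vulnerable."""
    SESSIONS.clear()
    planted = "known-value-set-before-login"  # constructed sample cookie value
    victim_sid = start_session(planted)  # victim's browser carries the planted cookie
    login(victim_sid, "victim")  # victim logs in
    return whoami(planted) == "victim"


if __name__ == "__main__":
    print("vulnerable login fixable:", fixation_check(login_vulnerable))  # True
    print("fixed login fixable:     ", fixation_check(login_fixed))  # False
```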

Using CVE-2012-5391 to track this

Merged gerrit 36079 links here; bug may be resolved.