
Generic Session Fixation
Closed, Resolved · Public

Description

Session IDs in the default MediaWiki authentication are not refreshed on login or logout. An attacker can use this to impersonate a user.

https://www.owasp.org/index.php/Session_Management_Cheat_Sheet#Renew_the_Session_ID_After_Any_Privilege_Level_Change


Version: 1.20.x
Severity: normal

Details

Reference
bz40995

Event Timeline

bzimport raised the priority of this task from to Needs Triage. Nov 22 2014, 12:46 AM
bzimport set Reference to bz40995.

Created attachment 11187
SpecialUserlogin updated to refresh the user's session_id on each login

Well spotted, Chris. The patch looks good.

Is there really a need for the bug to be private? This is just a method for turning a non-persistent vulnerability like XSS into a persistent one, right? If so, could it just be committed and deployed in the ordinary release cycle?

Where I think this is likely to get exploited is something like:

  1. Someone finds an XSS (or .jar upload, or header splitting) on an obscure wikipedia.org domain, and uses it to set the cookie enwiki_session to a known value for the wikipedia.org domain. Or especially in a class / cafe environment, the attacker can just set up the cookie on a shared machine, and then nicely allow the victim to use their computer.
  2. Victim has the cookie set, then later visits en.wikipedia.org and logs in
  3. Since session_id isn't updated, the attacker can set their own session cookie to the known string, and impersonate the victim as soon as the victim logs in.

Using CVE-2012-5391 to track this

Merged gerrit 36079 links here, bug maybe resolved
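As an added illustration (not MediaWiki code and not the attachment from this task), the toy in-memory session store below replays the three-step scenario above against a login that keeps the presented id and against one that regenerates it; the store, method names and the planted id are all assumptions made for the example.

```python
import secrets

# Constructed value: the session id an attacker has planted in the victim's browser.
PLANTED_ID = "attacker-known-session-id"


class SessionStore:
    """Minimal in-memory session store keyed by the session cookie value."""

    def __init__(self):
        self.sessions = {}

    def touch(self, sid):
        # Accept whatever id the browser presents (the fixation precondition).
        return self.sessions.setdefault(sid, {})

    def login_vulnerable(self, sid, username):
        # Vulnerable: authenticate the presented id without changing it.
        self.touch(sid)["user"] = username
        return sid

    def login_regenerating(self, sid, username):
        # Hardened: move the session data to a fresh id and drop the old one.
        data = self.sessions.pop(sid, {})
        data["user"] = username
        new_sid = secrets.token_hex(16)
        self.sessions[new_sid] = data
        return new_sid

    def logout(self, sid):
        # Destroy the authenticated session and hand out a fresh anonymous id.
        self.sessions.pop(sid, None)
        new_sid = secrets.token_hex(16)
        self.sessions[new_sid] = {}
        return new_sid

    def user_for(self, sid):
        return self.sessions.get(sid, {}).get("user")


def run_scenario(login):
    """Replay the three steps from the report against one login method."""
    store = SessionStore()
    store.touch(PLANTED_ID)                          # step 1: victim holds a known id
    victim_sid = login(store, PLANTED_ID, "Victim")  # step 2: victim logs in
    attacker_sees = store.user_for(PLANTED_ID)       # step 3: attacker presents that id
    store.logout(victim_sid)
    return {"attacker_sees": attacker_sees,
            "victim_id_changed": victim_sid != PLANTED_ID,
            "old_id_valid_after_logout": store.user_for(victim_sid) is not None}
```

With the vulnerable login the attacker's lookup returns the victim's account; with the regenerating login the planted id never becomes authenticated and the victim's own id is invalidated again on logout.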