Generic Session Fixation
Closed, ResolvedPublic


Session IDs in the default MediaWiki authentication are not refreshed on login or logout. An attacker can use this to impersonate a user.

Version: 1.20.x
Severity: normal

bzimport set Reference to bz40995.
csteipp created this task. Via Legacy, Oct 12 2012, 11:50 PM

csteipp added a comment. Via Conduit, Oct 12 2012, 11:56 PM

Created attachment 11187
SpecialUserlogin updated to refresh the user's session_id on each login

Attached: bug40995.patch

tstarling added a comment. Via Conduit, Oct 15 2012, 3:49 AM

Well spotted, Chris. The patch looks good.

Is there really a need for the bug to be private? This is just a method for turning a non-persistent vulnerability like XSS into a persistent one, right? If so, could it just be committed and deployed in the ordinary release cycle?

csteipp added a comment. Via Conduit, Oct 15 2012, 1:36 PM

Where I think this is likely to get exploited is something like:

  1. Someone finds an XSS (or .jar upload, or header splitting) on an obscure domain, and uses it to set the cookie enwiki_session to a known value for the domain. Or especially in a class / cafe environment, the attacker can just set up the cookie on a shared machine, and then nicely allow the victim to use their computer.
  2. Victim has the cookie set, then later visits and logs in.
  3. Since session_id isn't updated, the attacker can set their own session cookie to the known string, and impersonate the victim as soon as the victim logs in.

csteipp added a comment. Via Conduit, Oct 25 2012, 9:59 PM
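
The three steps above, played out against a toy session store so the effect of regenerating the session ID on login can be checked. This is an added example, not the attached patch or MediaWiki code; the store, its method names and the planted cookie value are constructed for illustration, and the vulnerable login deliberately keeps the client-presented ID, as the report describes.

```python
"""Session fixation walkthrough: a minimal in-memory session store with two
login implementations. `login_without_regeneration` binds the authenticated
user to whatever session id the client presented (the behaviour this bug
describes); `login_with_regeneration` issues a fresh server-generated id on
login (the mitigation). Added example, not MediaWiki code; all names and the
planted cookie value are constructed."""
import secrets


class SessionStore:
    """Constructed stand-in for a server-side session backend keyed by the
    value of the session cookie."""

    def __init__(self):
        self._sessions = {}

    def get_or_create(self, cookie_id):
        # A client that sends no cookie gets a fresh server-chosen id.
        if cookie_id is None:
            cookie_id = secrets.token_hex(16)
        # A client-supplied id unknown to the server is adopted as-is. This
        # mirrors non-strict session handling and is the precondition for
        # fixation: the attacker can choose the id the victim will later use.
        self._sessions.setdefault(cookie_id, {})
        return cookie_id

    def user_for(self, cookie_id):
        """Which user a request carrying `cookie_id` is attributed to."""
        return self._sessions.get(cookie_id, {}).get("user")

    def login_without_regeneration(self, cookie_id, username):
        """Vulnerable: authenticate into the session id the client presented."""
        sid = self.get_or_create(cookie_id)
        self._sessions[sid]["user"] = username
        return sid

    def login_with_regeneration(self, cookie_id, username):
        """Mitigated: drop the pre-login id and bind the authenticated state
        to a new id that only the server and the logging-in browser know."""
        old_sid = self.get_or_create(cookie_id)
        data = self._sessions.pop(old_sid)
        new_sid = secrets.token_hex(16)
        data["user"] = username
        self._sessions[new_sid] = data
        return new_sid

    def logout(self, cookie_id):
        """Destroy the session entirely rather than just clearing the user, so
        the id cannot be reused after logout either."""
        self._sessions.pop(cookie_id, None)


def run_fixation_scenario(regenerate_on_login):
    """Replay the three steps from the comment and report what the attacker
    sees. Returns (user the attacker's request is attributed to,
    whether the victim's id changed at login)."""
    store = SessionStore()
    # Step 1: attacker plants a known id in the victim's browser (constructed value).
    planted = "attacker-known-session-id"
    login = (store.login_with_regeneration if regenerate_on_login
             else store.login_without_regeneration)
    # Step 2: the victim logs in while carrying the planted cookie.
    victim_sid = login(planted, "victim")
    # Step 3: the attacker presents the id they planted.
    return store.user_for(planted), victim_sid != planted


if __name__ == "__main__":
    print("without regeneration:", run_fixation_scenario(False))  # ('victim', False)
    print("with regeneration:   ", run_fixation_scenario(True))   # (None, True)
```

Without regeneration the planted ID is now an authenticated session for the victim; with regeneration the planted ID is gone from the store and the attacker's request carries no user at all. Rejecting unknown client-supplied IDs outright (strict session handling) is a complementary control, but the login-time regeneration is what the attached patch addresses.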

Using CVE-2012-5391 to track this

csteipp added a comment. Via Conduit, Nov 20 2012, 11:44 PM

Deployed on the cluster Nov 15th

duplicatebug added a comment. Via Conduit, Dec 1 2012, 9:47 AM

Merged gerrit 36079 links here; bug is maybe resolved.

csteipp added a project: Security. Via Web, Mar 26 2015, 8:39 PM
