Page MenuHomePhabricator

CentralAuth MergeAccount doesn't recheck ownership of homewiki on wpMergeAction=initial
Closed, ResolvedPublic

Description

This allows non-home owners to take over the homewiki account without knowing the password.


Version: master
Severity: normal
See Also:
https://bugzilla.wikimedia.org/show_bug.cgi?id=71749

Details

Reference
bz70468

Event Timeline

bzimport raised the priority of this task from to Medium.Nov 22 2014, 3:53 AM
bzimport set Reference to bz70468.
csteipp created this task.Sep 5 2014, 10:02 PM

I was wrong... Just lets you attach your account to the homewiki global account, but the global account still gets the homewiki's password. So the attacker still doesn't have access to the global account.

Combined with bug 70469, this lets the owner of the homewiki take over an account they don't own, but that's less serious.

Created attachment 16495
Check home wiki password before merge

Just like we do in the dry run, check the home wiki's password before doing the actual merge.

Attached:

Created attachment 16497
Check home wiki password before merge - 1.24 wmf22

Rebased on top of gerrit 158578.

After this is public, I'll make all those bool flags an options array.

Attached:

+2, patch looks good. Only thing is we reverted the commit out of 1.24wmf22, so attachment 16495 should go with 1.24wmf22, and attachment 16497 should go with 1.25wmf1 and master.

From SAL: 19:15 AaronS: Deployed security patches to CentralAuth

aaron added a comment.Sep 26 2014, 7:54 PM

I put up https://gerrit.wikimedia.org/r/#/c/163225/ as a draft. Apparently there is some wiki farm that uses CA too...so they will have to be notified first before that is merged.

Created attachment 16725
Check home wiki password before merge - 1.24wmf3 (after file reorg)

Attached: