FINDING ID: iSEC-WMF1214-6
DESCRIPTION: The process to check a corresponding username to IP address and vice versa lacks
CSRF protection. CSRF attacks are perpetrated by issuing a request to a protected resource within a
web application on behalf of a user without their knowledge. When the server receives the requests,
it has no way of distinguishing the forged request from a request sent purposefully by the user. Any
user with basic rights on MediaWiki can trick a user with check user rights into submitting multiple
look up requests. This will fill the check user log with untrustworthy data.
EXPLOIT SCENARIO: An attacker with basic user rights on MediaWiki makes targeted attacks towards
MediaWiki users with check user rights. A user with check user rights is tricked into visiting a site
the attacker controls, in turn tricking their browser into sending the request that submits unnecessary
check user requests. Although the attacker cannot view the responses, a large number of unnecessary
requests can damage the reputation of the valid user.
SHORT TERM SOLUTION: Require a valid wpEditToken to be submitted with each check user request.
Affected Versions: Since at least 67bed6768192fe537a9605f414ff039e61c978eb (1.6?)