
Sudozero (Andrew Engelbrecht)
User

Projects

User does not belong to any projects.

User Details

User Since
Nov 24 2014, 4:12 AM (427 w, 5 d)
Availability
Available
LDAP User
Unknown
MediaWiki User
Sudozero [ Global Accounts ]

Recent Activity

Dec 22 2020

Sudozero added a comment to T263498: Logins to MW with at least one SSO client extension allows masquerading as another user (CVE-2020-35623).

@sbassett Thank you for your guidance and for your help! : )

Dec 22 2020, 2:10 AM · Vuln-Authn/Session, MediaWiki-Authentication-and-authorization, Security, Security-Team

Dec 20 2020

Sudozero added a comment to T263498: Logins to MW with at least one SSO client extension allows masquerading as another user (CVE-2020-35623).

That commit was merged upstream.

Dec 20 2020, 10:18 PM · Vuln-Authn/Session, MediaWiki-Authentication-and-authorization, Security, Security-Team

Sudozero added a comment to T263498: Logins to MW with at least one SSO client extension allows masquerading as another user (CVE-2020-35623).

I added another pull request to cover more edge cases: https://github.com/CWRUChielLab/CASAuth/pull/11

Dec 20 2020, 10:10 PM · Vuln-Authn/Session, MediaWiki-Authentication-and-authorization, Security, Security-Team

Sudozero added a comment to T263498: Logins to MW with at least one SSO client extension allows masquerading as another user (CVE-2020-35623).

For the sake of reference, the user name normalization appears to occur in the splitTitleString method, in includes/title/MediaWikiTitleCodec.php. There are additional special Unicode characters that are stripped out there.

Dec 20 2020, 7:29 PM · Vuln-Authn/Session, MediaWiki-Authentication-and-authorization, Security, Security-Team

Dec 19 2020

Sudozero added a comment to T263498: Logins to MW with at least one SSO client extension allows masquerading as another user (CVE-2020-35623).

Should I make a CVE for this security issue?

Dec 19 2020, 3:29 PM · Vuln-Authn/Session, MediaWiki-Authentication-and-authorization, Security, Security-Team

Dec 17 2020

sbassett awarded T263498: Logins to MW with at least one SSO client extension allows masquerading as another user (CVE-2020-35623) a Like token.
Dec 17 2020, 9:16 PM · Vuln-Authn/Session, MediaWiki-Authentication-and-authorization, Security, Security-Team

Sudozero added a comment to T263498: Logins to MW with at least one SSO client extension allows masquerading as another user (CVE-2020-35623).

@sbassett The patch was merged!

Dec 17 2020, 6:12 PM · Vuln-Authn/Session, MediaWiki-Authentication-and-authorization, Security, Security-Team

Dec 15 2020

Sudozero added a comment to T263498: Logins to MW with at least one SSO client extension allows masquerading as another user (CVE-2020-35623).

I created a pull request here: https://github.com/CWRUChielLab/CASAuth/pull/10

Dec 15 2020, 1:07 AM · Vuln-Authn/Session, MediaWiki-Authentication-and-authorization, Security, Security-Team

Dec 14 2020

Sudozero added a comment to T263498: Logins to MW with at least one SSO client extension allows masquerading as another user (CVE-2020-35623).

@sbassett Is it okay for me to post the issue or merge request on GitHub a few days before the planned security announcement email goes out? I can shrink that gap if needed. Thanks.

Dec 14 2020, 7:43 PM · Vuln-Authn/Session, MediaWiki-Authentication-and-authorization, Security, Security-Team

Dec 13 2020

Sudozero added a comment to T263498: Logins to MW with at least one SSO client extension allows masquerading as another user (CVE-2020-35623).

Okay, I worked on improving my patch, and so I'll put it here for now.

Dec 13 2020, 8:45 PM · Vuln-Authn/Session, MediaWiki-Authentication-and-authorization, Security, Security-Team

Dec 6 2020

Sudozero added a comment to T263498: Logins to MW with at least one SSO client extension allows masquerading as another user (CVE-2020-35623).

Is there a rough timeline of when the security announcement will go out? I'd like to get the patch ready before then. Thanks : )

Dec 6 2020, 9:10 PM · Vuln-Authn/Session, MediaWiki-Authentication-and-authorization, Security, Security-Team

Dec 2 2020

Sudozero added a comment to T263498: Logins to MW with at least one SSO client extension allows masquerading as another user (CVE-2020-35623).

I emailed site owners about the issue on 2020-11-23, by using mostly technical support contact addresses on their parent sites, but haven't heard back from any of them so far.

Dec 2 2020, 12:51 AM · Vuln-Authn/Session, MediaWiki-Authentication-and-authorization, Security, Security-Team

Sep 22 2020

Sudozero added a comment to T263498: Logins to MW with at least one SSO client extension allows masquerading as another user (CVE-2020-35623).

Thanks for the tip. : ) I think that the regex for /__/ covers it, since three or more underscores in a row should still be matched by two of them. The same goes for the spaces. I don't know if this is the best way to handle this, but it seems like an okay stop-gap measure.

Sep 22 2020, 5:46 PM · Vuln-Authn/Session, MediaWiki-Authentication-and-authorization, Security, Security-Team
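The two comments above (the /__/ and double-space stop-gap, and the pointer to splitTitleString in includes/title/MediaWikiTitleCodec.php) describe the defensive idea: an identity supplied by an SSO client must already be in MediaWiki's canonical form, otherwise two different SSO identities can land on the same wiki account after normalization. The following is an added example illustrating that check and an audit for colliding identities; it is not the CASAuth pull request, not MediaWiki code, and its normalization is an assumed approximation of the title codec (underscores and space runs collapsed to one space, leading/trailing space trimmed, bidi marks and soft hyphen stripped, first letter capitalized), not a faithful copy of it.

```python
import re
import unicodedata
from collections import defaultdict

# ASSUMPTION: an approximation of the characters MediaWiki's title codec
# strips (bidirectional marks U+200E/U+200F/U+202A-U+202E and soft hyphen).
_STRIPPED = re.compile("[\u200e\u200f\u202a-\u202e\u00ad]")
# Underscores, ASCII spaces and NBSP all read as word separators in titles.
_SEPARATOR_RUN = re.compile("[ _\u00a0]+")


def canonical_username(raw: str) -> str:
    """Map a raw user name onto its (approximate) MediaWiki canonical form.

    This is the transformation that makes distinct raw strings collide:
    "John__Smith", " john smith " and "John Smith" all map to "John Smith".
    """
    name = unicodedata.normalize("NFC", raw)
    name = _STRIPPED.sub("", name)
    name = _SEPARATOR_RUN.sub(" ", name).strip()
    if name:
        # ASSUMPTION: user-namespace titles are first-letter capitalized.
        name = name[0].upper() + name[1:]
    return name


def is_canonical(raw: str) -> bool:
    """True only if normalization would leave the name unchanged."""
    return raw != "" and raw == canonical_username(raw)


def accept_sso_username(raw: str) -> tuple[bool, str]:
    """Decide whether an identity asserted by the SSO client may be used
    as a wiki account name. Non-canonical names are rejected outright
    rather than silently normalized, so no raw identity can be rewritten
    onto another account's name.
    """
    if raw == "":
        return False, "empty user name"
    if not is_canonical(raw):
        return False, "user name is not in canonical form: %r -> %r" % (
            raw, canonical_username(raw))
    return True, "ok"


def collision_groups(raw_names: list[str]) -> dict[str, list[str]]:
    """Audit helper: group distinct raw identities from the SSO directory
    that would normalize onto the same wiki account. Any group with more
    than one member is a masquerade risk and should be resolved before the
    extension is allowed to auto-create or log into that account.
    """
    groups: dict[str, list[str]] = defaultdict(list)
    for raw in raw_names:
        canon = canonical_username(raw)
        if raw not in groups[canon]:
            groups[canon].append(raw)
    return {canon: names for canon, names in groups.items() if len(names) > 1}


if __name__ == "__main__":
    # Constructed sample directory, not real account names.
    directory = ["John Smith", "John__Smith", " john smith", "Jane Doe",
                 "Jane\u00adDoe"]
    for raw in directory:
        print("%-14r accepted=%s" % (raw, accept_sso_username(raw)[0]))
    print("collisions:", collision_groups(directory))
```

The check runs on the server side of the SSO client, before the asserted name is handed to the authentication manager; the audit function is the part a site owner would run once over the directory to find identities that already collide.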

Sep 21 2020

Sudozero created T263498: Logins to MW with at least one SSO client extension allows masquerading as another user (CVE-2020-35623).
Sep 21 2020, 8:58 PM · Vuln-Authn/Session, MediaWiki-Authentication-and-authorization, Security, Security-Team