Change Details

FINDING ID: iSEC-WMF1214-6 DESCRIPTION: The process to check a corresponding username to IP address and vice versa lacks CSRF protection. CSRF attacks are perpetrated by issuing a request to a protected resource within a web application on behalf of a user without their knowledge. When the server receives the requests, it has no way of distinguishing the forged request from a request sent purposefully by the user. Any user with basic rights on MediaWiki can trick a user with check user rights into submitting multiple look up requests. This will fill the check user log with untrustworthy data. EXPLOIT SCENARIO: An attacker with basic user rights on MediaWiki makes targeted attacks towards MediaWiki users with check user rights. A user with check user rights is tricked into visiting a site the attacker controls, in turn tricking their browser into sending the request that submits unnecessary check user requests. Although the attacker cannot view the responses, a large number of unnecessary requests can damage the reputation of the valid user. SHORT TERM SOLUTION: Require a valid wpEditToken to be submitted with each check user request.

FINDING ID: iSEC-WMF1214-6 DESCRIPTION: The process to check a corresponding username to IP address and vice versa lacks CSRF protection. CSRF attacks are perpetrated by issuing a request to a protected resource within a web application on behalf of a user without their knowledge. When the server receives the requests, it has no way of distinguishing the forged request from a request sent purposefully by the user. Any user with basic rights on MediaWiki can trick a user with check user rights into submitting multiple look up requests. This will fill the check user log with untrustworthy data. EXPLOIT SCENARIO: An attacker with basic user rights on MediaWiki makes targeted attacks towards MediaWiki users with check user rights. A user with check user rights is tricked into visiting a site the attacker controls, in turn tricking their browser into sending the request that submits unnecessary check user requests. Although the attacker cannot view the responses, a large number of unnecessary requests can damage the reputation of the valid user. SHORT TERM SOLUTION: Require a valid wpEditToken to be submitted with each check user request. -------------------------- **Patch**: {F31093} - 1.24: (needed) - 1.23: (needed) - 1.19: (needed) **Affected Versions**: Since at least 67bed6768192fe537a9605f414ff039e61c978eb (1.6?) **Type**: csrf **CVE**: (needed)

FINDING ID: iSEC-WMF1214-6 DESCRIPTION: The process to check a corresponding username to IP address and vice versa lacks CSRF protection. CSRF attacks are perpetrated by issuing a request to a protected resource within a web application on behalf of a user without their knowledge. When the server receives the requests, it has no way of distinguishing the forged request from a request sent purposefully by the user. Any user with basic rights on MediaWiki can trick a user with check user rights into submitting multiple look up requests. This will fill the check user log with untrustworthy data. EXPLOIT SCENARIO: An attacker with basic user rights on MediaWiki makes targeted attacks towards MediaWiki users with check user rights. A user with check user rights is tricked into visiting a site the attacker controls, in turn tricking their browser into sending the request that submits unnecessary check user requests. Although the attacker cannot view the responses, a large number of unnecessary requests can damage the reputation of the valid user. SHORT TERM SOLUTION: Require a valid wpEditToken to be submitted with each check user request. -------------------------- **Patch**: {F31093} - 1.24: (needed) - 1.23: (needed) - 1.19: (needed) **Affected Versions**: Since at least 67bed6768192fe537a9605f414ff039e61c978eb (1.6?) **Type**: csrf **CVE**: (needed)