
Special:Userlogin form is not token protected
Closed, ResolvedPublic

Description

The Special:Userlogin forms for login and account creation are not token
protected with a session, which caused bug 23076. However, r64677 only
fixed it for login (which is the most critical due to $wgAllowUserJs).

The hole remains for "E-mail me my password", "Create account" and
"Create by e-mail", with the following abuse cases:

*For wikis allowing public account creation, an attacker could create
many accounts by proxying through users, avoiding IP blocks; the anon gets
logged in (wikis using ConfirmEdit to request a captcha for createaccount
are protected from this).

*If the victims were logged-in users, the attacker could create the
accounts by email and flood innocent parties, using the wiki as a gateway.

*If the victim was a sysop, the attacker could not only bypass the
captcha protection, but also the username blacklist.

*It also provides a way to bypass the blocks and ping limit for sending
many password resets, flooding its targets.

*On private wikis, account creation by targeting a sysop may expose
confidential information.


Version: 1.16.x
Severity: critical
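The abuse cases above all rest on one defect: the form handler acts on any POST that arrives with the victim's session cookie, so a page on an attacker's site can submit it. The following is an added illustration, not MediaWiki's own code, and r64677 is not reproduced here. It places an unprotected createaccount handler beside one that requires a token derived from a per-session secret and bound to the action, then replays the report's scenario of a logged-in sysop being proxied. The session store, the account table, the field names `wpName` and `wpCreateaccountToken`, and the action labels are constructed for the example.

```python
"""Login-CSRF demo: an unprotected form handler beside a session-token-protected one."""
import hashlib
import hmac
import secrets

# Constructed in-memory stand-in for the wiki's user table (example only, not MediaWiki code).
ACCOUNTS = set()


class Session:
    """One browser session. The CSRF secret never leaves the server; only HMACs of it do."""

    def __init__(self, user):
        self.user = user                          # None for an anonymous visitor
        self.csrf_secret = secrets.token_bytes(32)


def issue_token(session, action):
    """Token embedded as a hidden field when the form is rendered.
    It is bound to this session's secret and to one action name, so a token
    lifted from the login form cannot be replayed against createaccount."""
    return hmac.new(session.csrf_secret, action.encode(), hashlib.sha256).hexdigest()


def verify_token(session, action, token):
    """Constant-time comparison of a submitted token against the expected value."""
    if not token:
        return False
    return hmac.compare_digest(issue_token(session, action), token)


def create_account_unprotected(session, form):
    """Vulnerable pattern: every POST carrying the session cookie is honoured,
    whether the user typed it or a third-party page submitted it for them."""
    name = form["wpName"]
    ACCOUNTS.add(name)
    return ("created", name)


def create_account_protected(session, form):
    """Hardened pattern: the POST must carry a token minted for this session and action."""
    if not verify_token(session, "createaccount", form.get("wpCreateaccountToken", "")):
        return ("rejected", "bad or missing session token")
    name = form["wpName"]
    ACCOUNTS.add(name)
    return ("created", name)


def demo():
    """Replay the report's scenario: an attacker's page posts the createaccount form
    into a logged-in sysop's session. Returns the outcome of each attempt."""
    victim = Session(user="Sysop")
    attacker = Session(user=None)

    # The attacker controls the form body but never sees the victim's session secret.
    forged = {"wpName": "Sockpuppet1"}
    # Supplying a token from the attacker's own session does not help either.
    forged_with_own_token = {"wpName": "Sockpuppet2",
                             "wpCreateaccountToken": issue_token(attacker, "createaccount")}
    # Nor does a token the victim was issued for a different action.
    forged_wrong_action = {"wpName": "Sockpuppet3",
                           "wpCreateaccountToken": issue_token(victim, "login")}
    # The legitimate submission carries the token the server put in the victim's own form.
    legit = {"wpName": "NewUser",
             "wpCreateaccountToken": issue_token(victim, "createaccount")}

    return {
        "unprotected_forged": create_account_unprotected(victim, forged)[0],
        "protected_forged": create_account_protected(victim, forged)[0],
        "protected_attacker_token": create_account_protected(victim, forged_with_own_token)[0],
        "protected_wrong_action": create_account_protected(victim, forged_wrong_action)[0],
        "protected_legit": create_account_protected(victim, legit)[0],
    }


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case:26s} {outcome}")
```

The same check applies to the password-reset form: binding the token to the action name means the fix for one form does not silently cover the others, which is exactly the gap the report describes.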

Details

Reference
bz23371

Event Timeline

bzimport raised the priority of this task from to Medium. Nov 21 2014, 11:04 PM
bzimport set Reference to bz23371.