Author: marooned
Description:
patch fixes mentioned issue
If you make a POST to api.php with something like "action=login&lgname=TestUser&lgpassword=gotcha", the API responds with a NeedToken error; inside the error message the current session is included... so you can trick the API into telling you what the sessionid is, bypass HttpOnly, and get access to the user's login session.
On a wiki farm (like Wikia), an evil admin could alter common.js to run this POST request via AJAX for every logged-in user that enters his wiki; having the sessions, he would be able to log in as any visitor of his wiki by creating the proper cookie.
Simple patch attached: for the case LoginForm::NEED_TOKEN, do not return sessionid.
Version: unspecified
Severity: major
Attached:
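The leak described in this report, modelled as an added example (not the attached patch and not MediaWiki's own code): a simplified pre-patch and post-patch login handler, plus a regression check that flags any HttpOnly cookie whose value appears in a response body that page script could read. Cookie name, session value and token are constructed placeholders.

```python
import json
from typing import List, Optional

# Constructed sample cookie; not a real MediaWiki session id.
SESSION_COOKIE = {"name": "wiki_session", "value": "c0nstructedsess1on1d", "httponly": True}
DUMMY_TOKEN = "constructed-login-token"


def vulnerable_login_response(lgname: str, lgpassword: str,
                              token: Optional[str], session_id: str) -> dict:
    """Hypothetical model of the reported behaviour: when no login token is
    supplied, the NeedToken result also carries the server-side session id."""
    if token is None:
        return {"login": {"result": "NeedToken", "token": DUMMY_TOKEN,
                          "sessionid": session_id}}
    return {"login": {"result": "Success", "lgusername": lgname}}


def patched_login_response(lgname: str, lgpassword: str,
                           token: Optional[str], session_id: str) -> dict:
    """Same handler with the fix the report proposes: the NeedToken case
    returns the token only and never echoes the session id."""
    if token is None:
        return {"login": {"result": "NeedToken", "token": DUMMY_TOKEN}}
    return {"login": {"result": "Success", "lgusername": lgname}}


def leaks_httponly_cookie(body: str, cookies: List[dict]) -> List[str]:
    """Regression check for this class of bug: names of HttpOnly cookies whose
    value shows up verbatim in a script-readable response body."""
    return [c["name"] for c in cookies if c["httponly"] and c["value"] in body]


def check_handler(handler) -> List[str]:
    """Run the report's request shape (no token) through a handler and report leaks."""
    resp = handler("TestUser", "gotcha", None, SESSION_COOKIE["value"])
    return leaks_httponly_cookie(json.dumps(resp), [SESSION_COOKIE])


if __name__ == "__main__":
    print("vulnerable leaks:", check_handler(vulnerable_login_response))  # ['wiki_session']
    print("patched leaks:   ", check_handler(patched_login_response))     # []
```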