Liangent reported the following vulnerability:
- Set $wgBlockDisablesLogin = true; in LocalSettings.php
- Make sure you're logged out in MediaWiki
- Set the wikiUserID and wikiUserName cookies to match those of a sysop
- Visit a sysop-only special page such as Special:BlockIP
- The special page will let you do whatever you want, because you have all the rights of the user whose cookies you forged, even though the user tools section shows you as an anonymous user.
The following things happen in User::loadFromSession() with $wgBlockDisablesLogin enabled:
- $this->mId is set to the user ID from the forged cookie (line 900)
- isBlocked() is called (line 907) before the auth token has been checked. It calls getBlockedStatus(), which calls isAllowed( 'ipblock-exempt' ) (line 1116), which calls getRights(), which fills the $this->mRights cache with the rights of the targeted user
- When the auth token mismatches, loadDefault() is called, but it doesn't clear the $this->mRights cache, so the object is anonymous by ID and name yet keeps the targeted user's rights for the rest of the request
The soon-to-be-attached patch fixes this by moving the auth token check up to before the blocked status check. An alternative fix would be to call clearInstanceCache( 'defaults' ) instead of loadDefault(), but I think this makes more sense.
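To make the ordering concrete, below is an added PHP model of the loadFromSession() flow described above. It is not MediaWiki's code and not the attached patch: the user table, the token value, the wikiToken cookie name and the rights lists are constructed stand-ins, and the three load methods reproduce the reported ordering, the ordering the patch introduces, and the clearInstanceCache() alternative.

```php
<?php
// Added example (not MediaWiki code): a minimal model of the User::loadFromSession()
// sequence from the report. Cookie names use the "wiki" prefix from the report; the
// user table, the wikiToken cookie name, the token value and the rights lists are
// constructed stand-ins.

class UserModel {
    /** Constructed user table: id => name, session token, rights. */
    private static $users = [
        1 => [ 'name' => 'Sysop', 'token' => 'c0ffee',
               'rights' => [ 'read', 'edit', 'block', 'ipblock-exempt' ] ],
    ];

    public $mId = 0;
    public $mName = '127.0.0.1';
    /** Rights cache. The defect is that loadDefault() leaves it populated. */
    public $mRights = null;

    private $cookies;
    private $blockDisablesLogin;

    public function __construct( array $cookies, $blockDisablesLogin ) {
        $this->cookies = $cookies;
        $this->blockDisablesLogin = $blockDisablesLogin;
    }

    /** Reset identity to anonymous; as in the report, the rights cache is NOT cleared. */
    private function loadDefault() {
        $this->mId = 0;
        $this->mName = '127.0.0.1';
    }

    /** The alternative fix from the report: reset identity and drop the cached rights. */
    private function clearInstanceCache() {
        $this->loadDefault();
        $this->mRights = null;
    }

    /** Fills the cache from whatever mId holds at the time of the first call. */
    public function getRights() {
        if ( $this->mRights === null ) {
            $this->mRights = isset( self::$users[$this->mId] )
                ? self::$users[$this->mId]['rights']
                : [ 'read' ];  // anonymous rights
        }
        return $this->mRights;
    }

    public function isAllowed( $right ) {
        return in_array( $right, $this->getRights(), true );
    }

    /** getBlockedStatus() consults isAllowed('ipblock-exempt'), which populates mRights. */
    public function isBlocked() {
        if ( $this->isAllowed( 'ipblock-exempt' ) ) {
            return false;
        }
        return false;  // no block records in this model
    }

    private function tokenMatches() {
        $given = isset( $this->cookies['wikiToken'] ) ? $this->cookies['wikiToken'] : '';
        return hash_equals( self::$users[$this->mId]['token'], $given );
    }

    /** Loads mId/mName from the cookies; false if they do not name a known user. */
    private function loadIdFromCookies() {
        $id = isset( $this->cookies['wikiUserID'] ) ? (int)$this->cookies['wikiUserID'] : 0;
        if ( !isset( self::$users[$id] ) ) {
            return false;
        }
        $this->mId = $id;
        $this->mName = self::$users[$id]['name'];
        return true;
    }

    /** Ordering as reported: blocked-status check (which caches rights) before the token check. */
    public function loadFromSessionVulnerable() {
        if ( !$this->loadIdFromCookies() ) { $this->loadDefault(); return; }
        if ( $this->blockDisablesLogin && $this->isBlocked() ) { $this->loadDefault(); return; }
        if ( !$this->tokenMatches() ) { $this->loadDefault(); return; }
    }

    /** Ordering from the patch: token check first, so nothing is cached for an unverified id. */
    public function loadFromSessionFixed() {
        if ( !$this->loadIdFromCookies() ) { $this->loadDefault(); return; }
        if ( !$this->tokenMatches() ) { $this->loadDefault(); return; }
        if ( $this->blockDisablesLogin && $this->isBlocked() ) { $this->loadDefault(); return; }
    }

    /** Alternative from the report: reported ordering, but reset via clearInstanceCache(). */
    public function loadFromSessionAlternative() {
        if ( !$this->loadIdFromCookies() ) { $this->clearInstanceCache(); return; }
        if ( $this->blockDisablesLogin && $this->isBlocked() ) { $this->clearInstanceCache(); return; }
        if ( !$this->tokenMatches() ) { $this->clearInstanceCache(); return; }
    }
}

// Forged cookies as in the report: a sysop's id and name, no valid token.
$forged = [ 'wikiUserID' => '1', 'wikiUserName' => 'Sysop' ];

foreach ( [ 'loadFromSessionVulnerable', 'loadFromSessionFixed', 'loadFromSessionAlternative' ] as $method ) {
    $u = new UserModel( $forged, true );  // $wgBlockDisablesLogin = true
    $u->$method();
    printf( "%-27s mId=%d mName=%-10s isAllowed(block)=%s\n",
        $method, $u->mId, $u->mName, $u->isAllowed( 'block' ) ? 'yes' : 'no' );
}
```

Run it with the php CLI. The vulnerable variant ends with mId 0 and mName 127.0.0.1 but still answers yes to isAllowed( 'block' ), which is exactly the state the report describes. The other two variants answer no, because in both the rights cache is empty by the time the anonymous identity is in place, either because it was never filled for an unverified ID or because the reset cleared it.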
Version: unspecified
Severity: critical