Author: olaf
Description:
This is a security-related bug in the Extension:NetworkAuth.
The problem is that the extension does not match IP ranges correctly and thus authenticates IP addresses that do not belong to the specified IP range.
Both the IP address that the extension gets via wfGetIP() and the IP range that is specified in LocalSettings.php are transformed to hex numbers via IP::toHex(). Afterwards the obtained IP address is compared to the range to determine whether the address is in the range.
Here is the somewhat simplified code. $parsedRange is an array containing the lower and upper limits of the range.

    $ip = wfGetIP();
    $hex = IP::toHex( $ip );
    if ( $hex >= IP::toHex( $parsedRange[0] )
        && $hex <= IP::toHex( $parsedRange[1] ) )
    {
        // authenticate user
    }
Unfortunately, the function IP::toHex() does *not* return a hex number, but a string containing the hex digits (e.g. IP::toHex("46.115.22.119") -> "2E771673") *without* the leading "0x". This works fine in most cases, as the string is implicitly typecast to a number and compared afterwards.
However, in the case that the string of the IP range contains only decimal digits (e.g. IP::toHex("129.69.120.0") -> "81457800"), this fails spectacularly, as in the one case, it interprets the string as a hex number, and in the other case as a dec number. In the above case, this means that
IP::toHex("46.115.22.119") > IP::toHex("129.69.120.0") == true
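The following PHP script is an added illustration, not the extension's code and not part of the original report: a local toHexNoPrefix() helper stands in for IP::toHex() (8 uppercase hex digits, no "0x"), the loose-comparison range check is placed next to a variant that compares the fixed-width hex strings with strcmp(), and both are run on the addresses from the report. The upper bound 129.69.127.255 is a constructed value.

```php
<?php
// Added example. toHexNoPrefix() is an assumed stand-in for IP::toHex():
// 8 uppercase hex digits without the "0x" prefix, as the report describes.
function toHexNoPrefix(string $ip): string {
    return strtoupper(str_pad(dechex(ip2long($ip)), 8, '0', STR_PAD_LEFT));
}

// Range check as the report describes it: loose >= / <= on hex strings.
// When both operands look numeric to PHP ("2E731677" reads as exponent
// notation, "81457800" as a decimal) they are compared as numbers, not as
// hex digit strings, so an address outside the range can pass.
function inRangeLoose(string $ip, string $lo, string $hi): bool {
    $hex = toHexNoPrefix($ip);
    return $hex >= toHexNoPrefix($lo) && $hex <= toHexNoPrefix($hi);
}

// Hardened variant: strcmp() compares the fixed-width hex strings byte by
// byte, so no operand is ever reinterpreted as a number. This only works
// because every value is zero-padded to the same width.
function inRangeStrict(string $ip, string $lo, string $hi): bool {
    $hex = toHexNoPrefix($ip);
    return strcmp($hex, toHexNoPrefix($lo)) >= 0
        && strcmp($hex, toHexNoPrefix($hi)) <= 0;
}

$outside = '46.115.22.119';   // from the report; hex "2E731677"
$inside  = '129.69.121.5';    // constructed address inside the range
$lo      = '129.69.120.0';    // from the report; hex "81457800"
$hi      = '129.69.127.255';  // constructed upper bound; hex "81457FFF"

foreach ([$outside, $inside] as $ip) {
    printf("%-14s loose=%s strict=%s\n",
        $ip,
        inRangeLoose($ip, $lo, $hi) ? 'in' : 'out',
        inRangeStrict($ip, $lo, $hi) ? 'in' : 'out');
}
```

The loose check reports the address from the report as inside the range, while the strcmp() variant rejects it and still accepts the constructed in-range address.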
This bug report is made problematic by the fact that at the moment I cannot even find the current code of the extension, as all "Download" links on
http://www.mediawiki.org/wiki/Extension:NetworkAuth
seem to be broken. I am willing to provide a patch when anyone can tell me where to find the repo containing the current code of the extension.
Version: unspecified
Severity: critical
URL: http://www.mediawiki.org/wiki/Extension:NetworkAuth