Page MenuHomePhabricator
Create Task
Maniphest T42962

CentralAuth Session Fixation
Closed, ResolvedPublic
Actions

Description

CentralAuth is vulnerable to Session Fixation attacks [0]. It uses the existing session id from a browsers cookie when setting up the CentralAuth session, without resetting the value.

[0] - https://www.owasp.org/index.php/Session_fixation

If an attacker can set a cookie with the name 'centralauth_Session' with a known value on a victims browser and the victim later logs in, the attacker can impersonate the victim by using the CentralAuth session id with the chosen value.

Version: unspecified
Severity: normal

Details

Reference
bz40962

Event Timeline

bzimport raised the priority of this task from to Needs Triage.Nov 22 2014, 1:13 AM
bzimport added projects: MW-extension-1.21-version, MediaWiki-extensions-CentralAuth.
bzimport set Reference to bz40962.
bzimport added a subscriber: Unknown Object (MLST).
csteipp created this task.Oct 11 2012, 4:04 PM
csteipp added a comment.Oct 19 2012, 12:47 AM

Attachment on bug 40747 (http://bug-attachment.wikimedia.org/attachment.cgi?id=11200) fixes this

csteipp added a comment.Oct 25 2012, 10:02 PM

Using CVE-2012-5395 to track this

csteipp added a comment.Nov 13 2012, 11:32 PM

Created attachment 11353
Generate new Session ID for CentralAuth on login

Attached:

CA_40962.patch2 KBDownload

tstarling added a comment.Nov 14 2012, 10:02 PM

The patch looks good.

duplicatebug added a comment.Dec 1 2012, 9:46 AM

Merged gerrit 36094 links here, bug maybe resolved

Aklapper edited projects, added MW-1.21-release; removed MW-extension-1.21-version.Dec 19 2014, 8:17 PM
csteipp added a project: acl*security.Mar 26 2015, 8:39 PM
MarcoAurelio moved this task from Backlog to Done on the MediaWiki-extensions-CentralAuth board.May 5 2015, 6:01 PM
csteipp added a project: Vuln-Authn/Session.Aug 20 2015, 9:56 PM
Luke081515 removed a subscriber: wikibugs-l-list.Jan 28 2016, 6:13 PM
Restricted Application added subscribers: StudiesWorld, Luke081515. · View Herald TranscriptJan 28 2016, 6:13 PM
chasemp added a project: Security.Feb 10 2020, 10:53 PM
chasemp removed a project: acl*security.Feb 20 2020, 8:14 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL