Page MenuHomePhabricator
Create Task
Maniphest T53603

SUL2 possibly mixing up user sessions
Closed, ResolvedPublic
Actions

Description

This seems like a possible security problem:

https://en.wikipedia.org/wiki/Wikipedia:Village_pump_(technical)#New_Single_User_Login_system.2C_login_success_page_going_away

Quoting:
This system is buggy. I own the SUL account "Stefan2", but other people own my username locally on Commons and two language editions of Wikipedia, and the accounts on those three projects are not attached to SUL (see sulutil:Stefan2). If I go to Commons, the new SUL system partially logs me in to the local Stefan2 account on Commons: Commons:Special:Preferences tells that I'm not logged in, but the links at the top say that I'm logged in. The user name, Special:Contributions link and "log out" links are all there. Also, the interface is partially in English, partially in German. I'm guessing that the one who set the interface to German was the guy who owns the user name on Commons. I don't know whether I can access any private data other than the language setting, and I don't know whether any edits would be attributed to my IP address or to Commons:User:Stefan2. In any case, things seem to be wrong, and there may be security issues with this. Screenshot: http://i.imgur.com/TvwRbSE.png

Version: unspecified
Severity: major

Details

Reference
bz51603

Event Timeline

bzimport raised the priority of this task from to Unbreak Now!.Nov 22 2014, 1:44 AM
bzimport added a project: MediaWiki-extensions-CentralAuth.
bzimport set Reference to bz51603.
TheDJ created this task.Jul 18 2013, 1:19 PM
Anomie added a comment.Jul 18 2013, 2:32 PM

I don't think this is a security issue, the only thing that is confused into thinking you're logged in is the "replace the p-personal bar" script. It's also a minimal data leak, as all that's leaked is what can be directly gleaned from the p-personal bar: the user's language setting and whether they have any unread Echo notifications.

I have a patch all set to fix this, now I'm mainly waiting for this morning's Gerrit maintenance to finish and for someone else to be around who can review it. Then we'll grab a maintenance window and deploy the fix.

Anomie added a comment.Jul 18 2013, 3:49 PM

Gerrit change 74369 has been uploaded and merged, and is in the process of being deployed to WMF wikis as I write this. So I'm going to mark this as fixed now.

Aklapper added a comment.Jul 18 2013, 5:49 PM

Brad: Once again thanks for the quick help, analysis, and fix! Appreciated.

csteipp added a project: acl*security.Mar 26 2015, 8:39 PM
MarcoAurelio moved this task from Backlog to Done on the MediaWiki-extensions-CentralAuth board.May 5 2015, 5:59 PM
csteipp added a project: Vuln-Authn/Session.Aug 20 2015, 9:56 PM
chasemp added a project: Security.Feb 10 2020, 10:50 PM
chasemp removed a project: acl*security.Feb 20 2020, 8:11 PM
Aklapper removed subscribers: Anomie, werdna.Oct 16 2020, 5:38 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL