Page MenuHomePhabricator
Create Task
Maniphest T54338

CentralAuth can allow logging in as any user, no password needed
Closed, ResolvedPublic
Actions

Description

I was testing change 76829, and I noticed that the JS check was firing on Special:UserLogout and logging me right back in. I investigated to see why, and discovered two bugs, that individually seem like nothing to worry about but combined allow someone to log in on any SUL wiki except loginwiki as any attached SUL user without having to supply a password.

#1 is that CentralAuthHooks::onUserLoadFromSession leaves a valid CentralAuthUser object for the user named in the centralauth_User cookie cached on the User object, even when the centralauth_Token doesn't match.

#2 is that Special:CentralAutoLogin assumes that CentralAuthUser::getInstance doesn't return a valid CentralAuthUser when the User isn't logged in. Which would normally be the case, except for bug #1.

Fixing either bug prevents the security hole. I'll attach a patch momentarily to fix both of them.

Version: master
Severity: blocker

Details

Reference
bz52338

Event Timeline

bzimport raised the priority of this task from to Needs Triage.Nov 22 2014, 2:08 AM
bzimport added projects: MW-extension-1.22-version, MediaWiki-extensions-CentralAuth.
bzimport set Reference to bz52338.
bzimport added a subscriber: Unknown Object (MLST).
Anomie created this task.Jul 31 2013, 7:27 PM
Anomie added a comment.Jul 31 2013, 7:28 PM

Created attachment 13033
Patch to fix both bugs

attachment diff ignored as obsolete

Anomie added a comment.Jul 31 2013, 8:26 PM

Created attachment 13038
Patch to fix both bugs

Add another small fix requested by Chris.

Attached:

diff3 KBDownload

csteipp added a comment.Jul 31 2013, 10:18 PM

Fix deployed (along with an unrelated change)
22:14 logmsgbot: csteipp synchronized php-1.22wmf12/extensions/CentralAuth 'eventlogging patch'

We'll release publicly as part of the next security release.

csteipp added a comment.Sep 5 2013, 5:02 PM

This was assigned CVE-2013-4304

Legoktm edited projects, added MW-1.22.0-release; removed MW-extension-1.22-version.Dec 16 2014, 7:07 PM
csteipp added a project: acl*security.Mar 26 2015, 8:39 PM
MarcoAurelio moved this task from Backlog to Done on the MediaWiki-extensions-CentralAuth board.May 5 2015, 5:59 PM
csteipp added a project: Vuln-Authn/Session.Aug 20 2015, 9:57 PM
chasemp added a project: Security.Feb 10 2020, 10:53 PM
chasemp removed a project: acl*security.Feb 20 2020, 8:14 PM
Aklapper removed subscribers: Anomie, wikibugs-l-list, werdna.Oct 16 2020, 5:40 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL