The User::matchEditToken function in includes/User.php in MediaWiki before 1.23.12, 1.24.x before 1.24.5, 1.25.x before 1.25.4, and 1.26.x before 1.26.1 does not perform token comparison in constant time before determining if a debugging message should be logged, which allows remote attackers to guess the edit token and bypass CSRF protection via a timing attack, a different vulnerability than CVE-2015-8623.
Weakness
The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor.
Affected Software
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Mediawiki | Mediawiki | * | 1.23.11 (including) |
| Mediawiki | Mediawiki | 1.24.0 (including) | 1.24.0 (including) |
| Mediawiki | Mediawiki | 1.24.1 (including) | 1.24.1 (including) |
| Mediawiki | Mediawiki | 1.24.2 (including) | 1.24.2 (including) |
| Mediawiki | Mediawiki | 1.24.3 (including) | 1.24.3 (including) |
| Mediawiki | Mediawiki | 1.24.4 (including) | 1.24.4 (including) |
| Mediawiki | Mediawiki | 1.25.0 (including) | 1.25.0 (including) |
| Mediawiki | Mediawiki | 1.25.1 (including) | 1.25.1 (including) |
| Mediawiki | Mediawiki | 1.25.2 (including) | 1.25.2 (including) |
| Mediawiki | Mediawiki | 1.25.3 (including) | 1.25.3 (including) |
| Mediawiki | Mediawiki | 1.26.0 (including) | 1.26.0 (including) |
| Mediawiki | Ubuntu | artful | * |
| Mediawiki | Ubuntu | precise | * |
| Mediawiki | Ubuntu | trusty | * |
| Mediawiki | Ubuntu | upstream | * |
| Mediawiki | Ubuntu | vivid | * |
| Mediawiki | Ubuntu | wily | * |
| Mediawiki | Ubuntu | yakkety | * |
| Mediawiki | Ubuntu | zesty | * |
Potential Mitigations
- Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid [REF-1482].
- For example, use anti-CSRF packages such as the OWASP CSRFGuard. [REF-330]
- Another example is the ESAPI Session Management control, which includes a component for CSRF. [REF-45]
- Use the “double-submitted cookie” method as described by Felten and Zeller:
- When a user visits a site, the site should generate a pseudorandom value and set it as a cookie on the user’s machine. The site should require every form submission to include this value as a form value and also as a cookie value. When a POST request is sent to the site, the request should only be considered valid if the form value and the cookie value are the same.
- Because of the same-origin policy, an attacker cannot read or modify the value stored in the cookie. To successfully submit a form on behalf of the user, the attacker would have to correctly guess the pseudorandom value. If the pseudorandom value is cryptographically strong, this will be prohibitively difficult.
- This technique requires Javascript, so it may not work for browsers that have Javascript disabled. [REF-331]
Related Attack Patterns
- https://cwe.mitre.org/data/definitions/111.html
- https://cwe.mitre.org/data/definitions/462.html
- https://cwe.mitre.org/data/definitions/467.html
- https://cwe.mitre.org/data/definitions/62.html
References
- http://www.openwall.com/lists/oss-security/2015/12/21/8
- http://www.openwall.com/lists/oss-security/2015/12/23/7
- https://lists.wikimedia.org/pipermail/mediawiki-announce/2015-December/000186.html
- https://phabricator.wikimedia.org/T119309
- http://www.openwall.com/lists/oss-security/2015/12/21/8
- http://www.openwall.com/lists/oss-security/2015/12/23/7
- https://lists.wikimedia.org/pipermail/mediawiki-announce/2015-December/000186.html
- https://phabricator.wikimedia.org/T119309