brion(a)svn.wikimedia.org schreef:
Revision: 27514
Author: brion
Date: 2007-11-15 04:24:49 +0000 (Thu, 15 Nov 2007)
Log Message:
-----------
Revert r27151 -- allows session fixation attacks.
Just get a user to visit a URL with the user ID and token you like in the query string
(say, in an <img> referenced in a page you convince them to go to or post for their
review) and their login session will be replaced with the one you provided.
I don't see how this is bad: you can try and trick another user into
doing something *logged in as you*, so it will appear as if *you* did
it. Why not do it yourself if it's gonna be logged under your name
anyway? Besides, this login session substitution only works for the API:
the UI completely ignores the lg* stuff, and your cookies aren't
overwritten. Now if this provided a way for a non-sysop to trick a sysop
into deleting an article, I would acknowledge that that's a security
issue. I don't see the issue here, however: the delete, or whatever it
is you're trying to do, is gonna be logged with the attacker's name,
checked against the attacker's permissions, etc. Also, the session is
not really a session: the API doesn't spit out any cookies outside of
the login module (that I'm aware of, anyway).
I fail to see the security issue here.
Roan Kattouw (Catrope)