Closed Bug 928470 Opened 11 years ago Closed 9 years ago

[media wiki] missing CSRF /wiki.mozilla.org/Special:CreateCategory

Categories

(Websites :: wiki.mozilla.org, defect)

defect
Not set
normal

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: curtisk, Unassigned)

References

Details

(Keywords: sec-vector, Whiteboard: [site:wiki.mozilla.org][reporter-external][vendor])

Attachments

(1 file)

Attached file moz4.html
Received: by 10.182.92.133 with HTTP; Fri, 18 Oct 2013 10:23:50 -0700 (PDT)
Date: Fri, 18 Oct 2013 22:53:50 +0530
Subject: Reporting vulnerabilities in your respective domain wiki.mozilla.org
From: Ravindra Singh Rathore <rsrathoreravi@gmail.com>
To: security@mozilla.org

-----//-----
Greetings

I am Ravindra Singh Rathore, a young security researcher from India. I have found one more vulnerability in your website wiki.mozilla.org. Vulnerability details -

Vulnerability type - CSRF
Vulnerable url - https://wiki.mozilla.org/Special:CreateCategory
Vulnerability details - The createcategory page does not contain any CSRF token, which is why an attacker can create categories on behalf of the victim.

-- 
Regards--

Ravindra Singh Rathore
Security Researcher
mail - rsrathoreravi@gmail.com
assigned to stefan to confirm
Assignee: nobody → sarentz
Flags: sec-bounty?
Verified that CSRF is missing. You must be a logged in user to use the form though.
Assignee: sarentz → nobody
Whiteboard: [site:wiki.mozilla.org][reporter-external][verif?] → [site:wiki.mozilla.org][reporter-external]
we need to report this to media wiki
Assignee: nobody → curtisk
Summary: missing CSRF /wiki.mozilla.org/Special:CreateCategory → [media wiki] missing CSRF /wiki.mozilla.org/Special:CreateCategory
Adding Wikimedia's Security guy: Chris Steipp
This is an issue in the SemanticForms extension. I'll contact those maintainers and see if they can get this addressed.
Because it's 3rd party wikimedia foundation software the wiki.mozilla.org site is not eligible for the bug bounty.
Flags: sec-bounty? → sec-bounty-
Keywords: sec-low
Status: UNCONFIRMED → NEW
Ever confirmed: true
This was fixed upstream (https://gerrit.wikimedia.org/r/#/c/103885/)
Hello there,

I have reported nearly 10 vulnerabilities to mozilla all either duplicate or out of bounty scope. At least some token of appreciation should be given by you for our motivation.

Thanks
Hello Ravindra.

It has already been pointed out to you that these are outwith Mozilla, being issues with MediaWiki. Also, whilst I will certainly thank you for drawing your attention to these I would note that you offered these observations of your own volition and not at our request. As such your suggestion of "some token of appreciation" is both inappropriate and self-seeking. Mozilla is a non-profit organisation and - as with the case of myself and many others - does not fund voluntary actions. It is our choice to be motivated, not Mozilla's to finance us.

I suggest you discuss the matter with MediaWiki should you consider it appropriate*.


(* as I have been involved with WMF for very many years, I could advise you that it probably isn't.)
Hi Ravindra, I can only speak for the MediaWiki side, but the release notes I wrote gave you credit for this issue:
http://lists.wikimedia.org/pipermail/mediawiki-announce/2014-January/000138.html
Thanks..
Assignee: curtisk → nobody
Whiteboard: [site:wiki.mozilla.org][reporter-external] → [site:wiki.mozilla.org][reporter-external][vendor]
since this is resolved in media wiki I am resolving this bug but not opening as I don't know the install timeline for this in our operations
Status: NEW → RESOLVED
Closed: 10 years ago
Keywords: sec-low → sec-vector
Resolution: --- → FIXED
Depends on: 1081712
Reopening because we haven't deployed the fix on our end yet, AFAICT.
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
Status: REOPENED → NEW
We've upgraded the extension in question, and this appears to now be fixed.
Group: websites-security
Status: NEW → RESOLVED
Closed: 10 years ago → 9 years ago
Resolution: --- → FIXED
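
The check this bug reports as missing, shown as an added example that is not from the bug thread or the SemanticForms code: a state-changing handler that authenticates by session cookie alone, next to the same handler requiring a session-bound token. The handler, session store, key and field names are hypothetical and the requests are constructed.

```python
import hashlib
import hmac
import secrets

SERVER_KEY = secrets.token_bytes(32)  # constructed per-deployment secret


def issue_token(session_id):
    """Anti-CSRF token bound to one session: HMAC-SHA256(key, session id)."""
    return hmac.new(SERVER_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def token_ok(session_id, submitted):
    """Constant-time check; a missing or empty token is always rejected."""
    if not submitted:
        return False
    return hmac.compare_digest(issue_token(session_id).encode(), submitted.encode())


def create_category(sessions, cookie, form, categories, require_token):
    """Hypothetical handler for a state-changing 'create category' POST."""
    user = sessions.get(cookie)
    if user is None:
        return 403  # not logged in
    if require_token and not token_ok(cookie, form.get("token")):
        return 403  # logged in, but the request did not come from our form
    categories.append((user, form["name"]))
    return 200


def demo():
    """Replay a same-site and a cross-site POST against both handler variants."""
    sessions = {"sess-alice": "alice"}  # constructed session store
    # A cross-site form post: the browser attaches the session cookie,
    # but the other origin cannot read the page, so it has no token.
    forged = {"name": "Unwanted"}
    genuine = {"name": "Wanted", "token": issue_token("sess-alice")}
    results = {}
    for label, require in (("no_token_check", False), ("token_check", True)):
        cats = []
        results[label] = (
            create_category(sessions, "sess-alice", forged, cats, require),
            create_category(sessions, "sess-alice", genuine, cats, require),
            cats,
        )
    return results


if __name__ == "__main__":
    for variant, outcome in demo().items():
        print(variant, outcome)
```

The token has to be verified on the server for every state-changing request; a hidden field in the form that the handler never checks changes nothing.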