Page MenuHomePhabricator
Create Task
Maniphest T48590

Extensions can't fully block password changes
Closed, ResolvedPublic
Actions

Assigned To
None
Authored By
RyanLane
Mar 27 2013, 5:12 AM
Tags
Referenced Files
F10469: 46590_119_git.patch
Nov 22 2014, 1:21 AM
F10468: AbortChangePassword.patch
Nov 22 2014, 1:21 AM
F10467: AbortChangePassword.patch
Nov 22 2014, 1:21 AM
Subscribers
Aklapper
Catrope
DanielFriesen
demon
Luke081515
Reedy
RobLa-WMF
View All 10 Subscribers

Description

Special:PasswordReset can block password changes using the AbortLogin hook, and Special:ChangePassword can block password changes via $wgAuth->authenticate. The combination of these two approaches can work, but some extensions only implement one method or the other (and in some cases shouldn't implement both).

Lack of a consistent method for handling this leads to unexpected situations where a password can be changed, even though the extension author feels they are blocking it.

A hook should be added to Special:ChangePassword for this functionality.

Version: unspecified
Severity: normal

Details

Reference
bz46590

Event Timeline

bzimport raised the priority of this task from to Needs Triage.Nov 22 2014, 1:21 AM
bzimport added projects: MW-1.20-release, MediaWiki-User-login-and-signup.
bzimport set Reference to bz46590.
bzimport added a subscriber: Unknown Object (MLST).
RyanLane created this task.Mar 27 2013, 5:12 AM
RyanLane added a comment.Mar 27 2013, 5:17 AM

Patch to add AbortChangePassword hook

Patch still needs proper testing. Submitting for feedback.

Attached:

AbortChangePassword.patch4 KBDownload

RyanLane added a comment.Mar 27 2013, 4:07 PM

Updated and tested patch

One minor fix in patch. Has been tested and is working.

Attached:

AbortChangePassword.patch4 KBDownload

csteipp added a comment.Mar 27 2013, 6:21 PM

Patch looks fine to me. I don't think the bug this fixes effects security (unless I'm missing something?), so I think we should make it public, put it in gerrit, and make sure other developers are on board with it.

csteipp added a comment.Mar 27 2013, 8:58 PM

This bug does allow for two-factor authentication (OATHAuth) to be bypassed by doing a password reset, if the attacker also has access to the victim's email.

This doesn't affect the cluster, so no need to patch there, but we'll add this to the next security release.

csteipp added a comment.Apr 30 2013, 4:01 PM

Created attachment 12210
patch for 1.19

Attached:

46590_119_git.patch4 KBDownload

gerritbot added a comment.Apr 30 2013, 8:17 PM

Related URL: https://gerrit.wikimedia.org/r/61631 (Gerrit Change I3469e90a958c4fb0f24cafd67de5590d3cc2f075)

gerritbot added a comment.Apr 30 2013, 8:53 PM

Related URL: https://gerrit.wikimedia.org/r/61641 (Gerrit Change I3469e90a958c4fb0f24cafd67de5590d3cc2f075)

gerritbot added a comment.Apr 30 2013, 8:58 PM

Related URL: https://gerrit.wikimedia.org/r/61644 (Gerrit Change I3469e90a958c4fb0f24cafd67de5590d3cc2f075)

gerritbot added a comment.May 4 2013, 5:07 AM

Related URL: https://gerrit.wikimedia.org/r/62216 (Gerrit Change I3469e90a958c4fb0f24cafd67de5590d3cc2f075)

csteipp added a project: acl*security.Mar 26 2015, 8:39 PM
Luke081515 removed a subscriber: wikibugs-l-list.Jan 28 2016, 5:58 PM
Restricted Application added subscribers: StudiesWorld, Luke081515. · View Herald TranscriptJan 28 2016, 5:58 PM
chasemp added a project: Security.Feb 10 2020, 10:53 PM
chasemp removed a project: acl*security.Feb 20 2020, 8:14 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits
  NODES
Bugs 1
Note 1
Project 4