[pmwiki-users] New UserAuth2 release (2.1-beta4) including security fixes

ThomasP pmwikidev3 at sigproc.de
Sat Jan 3 16:29:56 CST 2009

Hello pmwiki community,

this is an announcement of a new release of the UserAuth2 recipe, which
mainly fixes two security-related bugs (and one handling bug).

Only PmWikis which had cookie authentication enabled and actually in use
were vulnerable, under certain circumstances (this holds for both of these
bugs). Details can be found below.

The bugs would have given an attacker the possibility to log in and appear
as another user (including as wiki admin) on the wiki (bug 1) or to use an
expired cookie authentication of another user (bug 2). Intrusion at the
server level would not have resulted.

Upgrading the UserAuth2 recipe to version 2.1-beta4 will resolve the
issues. Upgrading is definitely recommended if cookie authentication is
enabled and

echo mt_rand(1, 0xfffffffff) . "\n";  // more than 8 "f"s

results in a single value upon repeated calls on your system.



Bug details:

1. (discovered by Olle [1])
The random numbers generated for creating the cookie key in
UserSessionVars.php were observed to be non-random on some (but not all)
systems, due to the use of a too-large number literal, which is interpreted
during the float/int conversion as MAX_INT on some systems or as a negative
number on others. The variability is due to the PHP spec on integer
conversion being open on this point [2], which resulted in the bug not being
discovered during testing. The problem was solved by decreasing the max
parameter in the mt_rand call.

2.
The cookie key stored server-side in the user profile was not deleted
upon logout. A wiki user using cookie authentication on a buggy or
malicious browser (which would not delete the cookie on its side upon
receiving the respective server command) might have seen his cookie
authentication stolen and used after expiry.

3. (also by Olle)
The user's response to the confirmation dialog for deleting a user in the
admin tool was ignored, so that deletion would always occur, even if the
user selected "No".

Files updated:

[1] http://pmichaud.com/pipermail/pmwiki-users/2008-November/052775.html

[2] http://de2.php.net/manual/de/language.types.integer.php
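As an added illustration (this is not code from the UserAuth2 recipe or from its author), the PHP below shows the mechanism behind bugs 1 and 2 and the checks an admin can run: a repeatable version of the mt_rand(1, 0xfffffffff) test from the announcement, a cookie-key generator that does not depend on integer width, and a logout routine that removes the server-side copy of the key. The field names $profile['cookiekey'] and $profile['cookieexpires'], the cookie name userauth2_cookie and the sample profile are assumptions made for the example, not names from the recipe.

```php
<?php
// Added example, not UserAuth2 code. Field names, cookie name and the sample
// profile below are assumptions for illustration only.

// ---------------------------------------------------------------------------
// Bug 1: an over-wide range literal. 0xfffffffff has nine f's (36 bits) and
// does not fit a 32-bit PHP integer, so PHP turns the literal into a float,
// and what mt_rand() receives after the float->int conversion depends on
// the platform.
// ---------------------------------------------------------------------------

// Reports how mt_rand(1, 0xfffffffff) behaves on this build:
//   'fits'     - 64-bit integers, the literal survives and the call is fine
//   'constant' - every draw gives the same value (the bug described above)
//   'varies'   - the draws differ
//   'error'    - a modern PHP rejects the out-of-range float argument
function classify_buggy_range(int $samples = 64): string
{
    if (is_int(0xfffffffff)) {
        return 'fits';
    }
    $seen = [];
    try {
        for ($i = 0; $i < $samples; $i++) {
            // @ silences the PHP 5 "max is smaller than min" warning;
            // var_export keeps false and integers distinguishable as keys.
            $seen[var_export(@mt_rand(1, 0xfffffffff), true)] = true;
        }
    } catch (\Throwable $e) {
        return 'error';
    }
    return count($seen) === 1 ? 'constant' : 'varies';
}

// A cookie key that does not depend on integer width at all: random_bytes()
// (PHP >= 7.0) draws from the OS CSPRNG; 16 bytes give a 128-bit key.
// mt_rand() is not a cryptographic generator even when its range is correct.
function new_cookie_key(): string
{
    return bin2hex(random_bytes(16));
}

// ---------------------------------------------------------------------------
// Bug 2: the server-side copy of the key survived logout. Clearing the
// browser cookie is only a request to the client; the authoritative copy is
// the one the server keeps, so logout must drop that copy as well.
// ---------------------------------------------------------------------------

function issue_cookie_auth(array &$profile, int $ttl_seconds = 86400): string
{
    $key = new_cookie_key();
    $profile['cookiekey']     = $key;                  // assumed field name
    $profile['cookieexpires'] = time() + $ttl_seconds; // assumed field name
    return $key;
}

function logout(array &$profile): void
{
    // Ask the browser to drop the cookie (expiry in the past) ...
    if (!headers_sent()) {
        setcookie('userauth2_cookie', '', time() - 3600, '/'); // assumed name
    }
    // ... and invalidate the server-side copy regardless of whether the
    // browser honours that request. This is the step bug 2 was missing.
    unset($profile['cookiekey'], $profile['cookieexpires']);
}

// The presented key must match the stored one byte for byte and must not be
// past its expiry; a logged-out profile has no key and therefore fails here.
function cookie_auth_valid(array $profile, string $presented): bool
{
    if (empty($profile['cookiekey']) || empty($profile['cookieexpires'])) {
        return false;
    }
    if (time() > $profile['cookieexpires']) {
        return false;
    }
    return hash_equals($profile['cookiekey'], $presented);
}

// Walk-through with a constructed sample profile.
$profile = ['name' => 'alice'];
$key = issue_cookie_auth($profile);
assert(cookie_auth_valid($profile, $key) === true);
logout($profile);
assert(cookie_auth_valid($profile, $key) === false); // replay after logout fails
echo classify_buggy_range(), "\n";
```

On a 64-bit PHP build classify_buggy_range() reports 'fits', which is why the problem was not seen on every system; 'constant' is the condition under which the announcement recommends upgrading. hash_equals() is used for the key comparison so that the check does not leak, via timing, how many leading bytes of a guessed key were right.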
