#511 Authentication cookie identical across all wikis on a host

Category: User_Authentication
Status: closed
Owner: Reini Urban
Priority: 9
Updated: 2012-10-11
Created: 2005-10-21
Creator: Matt Brown
Private: No

Reported in the Debian BTS as #282565, see
http://bugs.debian.org/282565

The cookie used to hold authentication information
appears to be the same for all wikis on a given host,
even if the wiki names differ.

This is something of a security issue if you have
multiple wikis on a single host, where the wikis have
different access restrictions, as
you can log in on one wiki where you have access, and
then move over to any other wiki on the same host and
make edits, even if you could not have logged in to
that other wiki.

I have prepared a patch that addresses this issue by
prepending a sanitised version of WIKI_NAME to the auth
cookie name. This patch will be applied to the Debian
packages until it is merged upstream.

Thanks

Matt
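
The mechanism the report describes, as an added illustration (Python, not PhpWiki's own patch): an auth cookie name derived from a sanitised WIKI_NAME, and a small browser-side cookie jar showing why a name shared by every wiki on the host lets a login on one wiki be presented to another. The sanitisation rule, the base name `WIKI_AUTH`, the host and the wiki names are all constructed assumptions.

```python
import re
from typing import Dict, Optional, Tuple

# Assumption: keep only characters that are always legal in an RFC 6265 cookie
# name; everything else (spaces, '/', ';', '=' ...) is replaced by '_'.
_UNSAFE = re.compile(r"[^A-Za-z0-9_-]")


def auth_cookie_name(wiki_name: str, base: str = "WIKI_AUTH") -> str:
    """Per-wiki auth cookie name: sanitised WIKI_NAME prepended to a base name.
    Hypothetical illustration of the fix described in the report."""
    prefix = _UNSAFE.sub("_", wiki_name).strip("_")
    return f"{prefix}_{base}" if prefix else base


class CookieJar:
    """Constructed model of a browser jar: cookies keyed by (host, name), which is
    how host cookies set without a Path attribute are stored and sent back."""

    def __init__(self) -> None:
        self._store: Dict[Tuple[str, str], str] = {}

    def set(self, host: str, name: str, value: str) -> None:
        self._store[(host, name)] = value

    def cookies_for(self, host: str) -> Dict[str, str]:
        return {n: v for (h, n), v in self._store.items() if h == host}


def login(jar: CookieJar, host: str, cookie_name: str, user: str) -> None:
    """Wiki side of a successful login: issue the auth cookie (constructed format)."""
    jar.set(host, cookie_name, f"user={user}")


def authenticated_user(jar: CookieJar, host: str, cookie_name: str) -> Optional[str]:
    """Wiki side of a later request: read the identity from its own auth cookie."""
    value = jar.cookies_for(host).get(cookie_name)
    return value.split("=", 1)[1] if value else None


def demo(per_wiki_names: bool) -> Optional[str]:
    """Two wikis on one host; log in to PublicWiki only and return the identity
    PrivateWiki then sees. Shared name -> 'alice'; per-wiki names -> None."""
    host = "wiki.example.test"
    name_a = auth_cookie_name("PublicWiki") if per_wiki_names else "WIKI_AUTH"
    name_b = auth_cookie_name("PrivateWiki") if per_wiki_names else "WIKI_AUTH"
    jar = CookieJar()
    login(jar, host, name_a, "alice")
    return authenticated_user(jar, host, name_b)
```

Distinct names stop the browser from presenting one wiki's cookie to another on the same host; each wiki still has to apply its own access restrictions to whatever identity it reads.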

Discussion

  • Matt Brown
    2005-10-21

    Set auth cookie name based on WIKI_NAME

  • Matt Brown
    2005-10-21

    Raised priority due to security issues

  • Reini Urban
    2006-03-19

    Fixed in current CVS. Thanks.
    This will cause a 1.3.12p3 hotfix release.

    Or I will get the pending semantic link problems fixed soon
    enough.