Description
It is possible to change the wiki user database using a GET request. The HTTP protocol requires that any operation changing the database use POST.
Steps to reproduce
Try this link: http://moinmoin.wikiwikiweb.de/?action=userform&save=Save&name=Foo&password=Foo&password2=Foo&email=foo@example.com
Details
This wiki
Workaround
Discussion
An attacker can use this to create thousands of accounts. A spammer can use this to create accounts quickly to bypass the common "let only users edit" security.
- A spammer can use POST to accomplish that as well ...
As a side effect, all the user settings are zeroed when accessing without the proper form parameters. Using random uids, an attacker can delete some user settings if he tries many times.
Here is a patch; I'm not sure it doesn't break other code.
1 * looking for arch@arch.thinkmo.de--2003-archives/moin--main--1.5--patch-123 to compare with
2 * comparing to arch@arch.thinkmo.de--2003-archives/moin--main--1.5--patch-123
3 M MoinMoin/wikiaction.py
4
5 * modified files
6
7 --- orig/MoinMoin/wikiaction.py
8 +++ mod/MoinMoin/wikiaction.py
9 @@ -729,9 +729,16 @@
10
11
12 def do_userform(pagename, request):
13 - from MoinMoin import userform
14 - savemsg = userform.savedata(request)
15 - Page(request, pagename).send_page(request, msg=savemsg)
16 + _ = request.getText
17 + # Require POST for anyting that can change user data
18 + if (request.request_method != 'POST' and
19 + 'create' in request.form or 'save' in request.form):
20 + msg = _("Use UserPreferences to change your settings or create "
21 + "an account.")
22 + else:
23 + from MoinMoin import userform
24 + msg = userform.savedata(request)
25 + Page(request, pagename).send_page(request, msg=msg)
26
27 def do_bookmark(pagename, request):
28 if request.form.has_key('time'):
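Review bot: the condition in the new `do_userform` body is grouped wrongly. `request.request_method != 'POST' and 'create' in request.form or 'save' in request.form` parses as `(method != 'POST' and 'create' in form) or ('save' in form)`, so any request carrying `save`, including a legitimate POST from the UserPreferences form, is rejected with the message, while a POST carrying `create` is let through only by accident of the grouping. Parenthesize the form check: `if request.request_method != 'POST' and ('create' in request.form or 'save' in request.form):`. Also, "anyting" in the comment should be "anything".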
Maybe it's better to do that in userform.py, which defines the form names "save" and "create".
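As an added illustration of the two points above (state-changing sub-actions must arrive via POST, and a save with missing parameters must not wipe a user's existing settings), the following is example code written for this page, not MoinMoin's own `userform.py`. The names `handle_userform`, `UserStore`, `form_from_url` and the field list `REQUIRED_FIELDS` are assumptions for the example; the URL it parses is the reproduction link from the Steps to reproduce section.

```python
from urllib.parse import urlsplit, parse_qs

# Assumed for this example: the parameters a save/create must carry.
REQUIRED_FIELDS = ("name", "password", "password2", "email")


class UserStore:
    """Constructed in-memory stand-in for the wiki user database."""

    def __init__(self):
        self.users = {}  # name -> settings dict

    def save(self, name, settings):
        self.users[name] = dict(settings)


def form_from_url(url):
    """Flatten the query string of a request URL into a str -> str dict."""
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return {key: values[0] for key, values in query.items()}


def handle_userform(method, form, store):
    """Dispatch the userform action; return a status string.

    `store` is left untouched whenever the request is rejected.
    """
    wants_change = "save" in form or "create" in form

    # 1. Anything that changes user data must come via POST.  Note the
    #    explicit parentheses: `a and b or c` parses as `(a and b) or c`,
    #    which would reject every request carrying `save`, POST included.
    if method != "POST" and wants_change:
        return "rejected: use the UserPreferences form (POST) to change settings"

    if not wants_change:
        return "ok: form displayed"

    # 2. A save/create with missing parameters must not overwrite (zero)
    #    settings that already exist; refuse it before touching the store.
    missing = [field for field in REQUIRED_FIELDS if not form.get(field)]
    if missing:
        return "rejected: missing %s" % ", ".join(missing)

    if form["password"] != form["password2"]:
        return "rejected: passwords do not match"

    # Password handling (hashing, storage) is outside the scope of this example.
    store.save(form["name"], {"email": form["email"]})
    return "ok: saved settings for %s" % form["name"]


if __name__ == "__main__":
    # The reproduction link from this report, issued as a GET and as a POST.
    link = ("http://moinmoin.wikiwikiweb.de/?action=userform&save=Save"
            "&name=Foo&password=Foo&password2=Foo&email=foo@example.com")
    store = UserStore()
    print(handle_userform("GET", form_from_url(link), store))
    print(handle_userform("POST", form_from_url(link), store))
    print(handle_userform("POST", {"save": "Save", "name": "Foo"}, store))
```

Run as a script it prints the GET rejection, the successful POST save, and the rejection of a POST that lacks the password and email fields, with the stored settings for Foo surviving the third request.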
Plan
- Priority:
Assigned to: ThomasWaldmann
- Status: fixed in moin--main--1.5--patch-208