
You can impersonate a wiki requester if you manage to get the same local ID in a wiki as the requester's local ID
Closed, Resolved | Public

Description

RequestWikiRequestViewer does a simple check to find out if the current user is the requester of the current wiki request. It simply compares their local IDs:

https://github.com/miraheze/CreateWiki/blob/d4ddc2ff2b96224c455e27d39ef24beb6d0046a7/includes/RequestWiki/RequestWikiRequestViewer.php#L127 (comment added separately)

// Second condition after the OR is the one checking if the requester is the same as the current user
if ( $permissionManager->userHasRight( $userR, 'createwiki' ) && !$userR->getBlock() || $userR->getId() == $request->requester->getId() )

This check would've been enough if the special pages were only available on CreateWikiGlobalWiki (T12011: Restrict the CreateWiki special pages and API to the global wiki), but that's not the case as of writing.

If, in a wiki, you manage to get the same local ID as the requester of a specific wiki request, you can post comments or edit the wiki request as if you were them, by going to that request's entry on Special:RequestWikiQueue on your wiki. It is very difficult to investigate successful attempts at exploiting this vulnerability.
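The comparison described above, modelled as a self-contained added example (not CreateWiki's code and not part of the original task): a bare local-ID match accepts a different account on another wiki, while a check scoped to the global wiki, as T12011 describes, does not. `LocalUser`, `GLOBAL_WIKI`, both function names, the wiki names and the IDs are constructed stand-ins.

```php
<?php
// Stand-in for a user row on one wiki (hypothetical, not a MediaWiki class).
final class LocalUser {
    public function __construct(
        public readonly string $wiki,    // wiki whose user table issued the ID
        public readonly int $localId,    // auto-increment ID, unique per wiki only
        public readonly bool $hasCreateWiki = false,
        public readonly bool $blocked = false
    ) {
    }
}

// Constructed value standing in for the wiki named by CreateWikiGlobalWiki.
const GLOBAL_WIKI = 'globalwiki';

// Same shape as the quoted condition: the requester branch compares bare local IDs.
function canActOnRequestUnscoped( LocalUser $viewer, LocalUser $requester ): bool {
    return ( $viewer->hasCreateWiki && !$viewer->blocked )
        || $viewer->localId == $requester->localId;
}

// Scoped: refuse unless both IDs were issued by the global wiki's user table.
function canActOnRequestScoped( LocalUser $viewer, LocalUser $requester ): bool {
    if ( $viewer->wiki !== GLOBAL_WIKI || $requester->wiki !== GLOBAL_WIKI ) {
        return false;
    }
    return ( $viewer->hasCreateWiki && !$viewer->blocked )
        || $viewer->localId === $requester->localId;
}

// Constructed sample data: one requester, three viewers.
$requester = new LocalUser( GLOBAL_WIKI, 4321 );
$viewers = [
    'requester on global wiki' => new LocalUser( GLOBAL_WIKI, 4321 ),
    'other user on global wiki' => new LocalUser( GLOBAL_WIKI, 77 ),
    'same local ID on another wiki' => new LocalUser( 'examplewiki', 4321 ),
];

foreach ( $viewers as $label => $viewer ) {
    printf(
        "%-30s unscoped=%-5s scoped=%s\n",
        $label,
        var_export( canActOnRequestUnscoped( $viewer, $requester ), true ),
        var_export( canActOnRequestScoped( $viewer, $requester ), true )
    );
}
```

Only the third viewer gets a different answer from the two checks, which is the cross-wiki case the task reports.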

Event Timeline

OrangeStar renamed this task from You can post comments cross-wiki if you manage to get the same local ID in a wiki as the requester's local ID to You can post comments and edit wiki requests cross-wiki if you manage to get the same local ID in a wiki as the requester's local ID. May 3 2024, 10:33

The only true fix to this is T12011, there's really no other way.

OrangeStar changed the visibility from "Custom Policy" to "Public (No Login Required)". May 12 2024, 10:04
OrangeStar changed the edit policy from "Custom Policy" to "Custom Policy".
OrangeStar renamed this task from You can post comments and edit wiki requests cross-wiki if you manage to get the same local ID in a wiki as the requester's local ID to You can impersonate a wiki requester if you manage to get the same local ID in a wiki as the requester's local ID. May 12 2024, 10:23