CVE-2015-6728 in MediaWiki
Summary
by MITRE
The ApiBase::getWatchlistUser function in MediaWiki before 1.23.10, 1.24.x before 1.24.3, and 1.25.x before 1.25.2 does not perform token comparison in constant time, which allows remote attackers to guess the watchlist token and bypass CSRF protection via a timing attack.
Analysis
by VulDB Data Team • 03/10/2018
CVE-2015-6728 resides in the ApiBase::getWatchlistUser function of MediaWiki and affects versions before 1.23.10, 1.24.x before 1.24.3, and 1.25.x before 1.25.2. The function validates the watchlist token that accompanies an API request, and the comparison it performs against the stored token does not run in constant time: how long it takes depends on how much of the supplied value matches. This is a critical weakness in the platform's cross-site request forgery protection for watchlist functionality, because a remote attacker who can measure that timing difference can recover the token and then issue requests that the CSRF check would otherwise reject.
The root cause is the use of a non-constant-time string comparison in the watchlist token validation path. A comparison that returns as soon as it finds the first mismatching byte takes slightly longer when the leading bytes of the supplied token are correct, so the response time of the server becomes a measurable function of how much of the token the client has guessed. With enough repeated requests and statistical averaging, that signal lets an attacker deduce the token one position at a time rather than having to guess the whole value at once. The flaw corresponds to CWE-203 (observable discrepancy, here the exposure of sensitive information through timing differences) and is a textbook timing side channel. An attacker who recovers a valid watchlist token this way bypasses the CSRF protection, gains unauthorized access to the user's watchlist data and may be able to perform actions on the user's behalf.
The operational impact goes beyond simple data exposure: an attacker holding a recovered token can manipulate the user's watchlist entries and potentially escalate privileges within the MediaWiki environment. Because the CSRF protection is bypassed, actions such as adding or removing pages from a user's watchlist become possible, which can be used for social engineering or to disrupt the user's normal workflow. The issue matters most on collaborative platforms where users rely on watchlists to track content changes, so it is a significant concern for organizations running MediaWiki. The timing attack needs minimal privileges and can be fully automated, which makes it exploitable at scale. It also points to a broader architectural weakness: if token validation in this function was not hardened against timing attacks, other comparison paths in the system may carry the same risk.
Organizations running affected MediaWiki versions should apply the available patches, which replace the comparison in ApiBase::getWatchlistUser with a constant-time one. The recommended mitigation is to upgrade to 1.23.10, 1.24.3 or 1.25.2 on the respective release line; these versions use proper constant-time string comparison of the kind provided by the sodium library or similar cryptographic libraries. Security teams should also monitor for suspicious API access patterns and token-guessing attempts, since an attack of this kind shows up as a high volume of repeated requests to the same endpoint with varying token values, and may be detectable through anomalous timing behaviour in system logs. The ATT&CK framework maps this vulnerability to T1212, which covers exploitation of information disclosures such as timing attacks, and organizations should take that into account in their incident response procedures and security monitoring. Administrators should additionally review their overall security posture and ensure that every secret comparison in the MediaWiki environment uses a constant-time function, so that the same weakness does not reappear in other components.
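To make the two preceding points concrete (the leaking comparison described in the analysis and the constant-time replacement recommended as mitigation), the following PHP snippet is an added illustration and is not MediaWiki's own code. It contrasts an early-exit byte comparison with hash_equals() and with a XOR-accumulating polyfill for runtimes older than PHP 5.6. The function names and the two sample token values are constructed for this example.

```php
<?php
// Added illustration for CVE-2015-6728; not code from MediaWiki.
// A watchlist token is a per-user secret sent with an API request and
// compared against the value stored for that user.

// Vulnerable pattern: returns at the first mismatching byte, so elapsed
// time grows with the length of the correct prefix. That growth is the
// signal a remote timing attack measures.
function compareTokenVariableTime($expected, $provided)
{
    if (strlen($expected) !== strlen($provided)) {
        return false;
    }
    for ($i = 0, $n = strlen($expected); $i < $n; $i++) {
        if ($expected[$i] !== $provided[$i]) {
            return false; // early exit leaks the position of the mismatch
        }
    }
    return true;
}

// Hardened pattern for PHP >= 5.6: hash_equals() always walks the full
// length of both strings, whatever the position of the first difference.
function compareTokenConstantTime($expected, $provided)
{
    return hash_equals($expected, $provided);
}

// Polyfill for runtimes without hash_equals(): accumulate every byte
// difference with XOR/OR instead of branching on the first one. The length
// check still reveals the length, which is not secret for fixed-size tokens.
function compareTokenConstantTimePolyfill($expected, $provided)
{
    $n = strlen($expected);
    if ($n !== strlen($provided)) {
        return false;
    }
    $diff = 0;
    for ($i = 0; $i < $n; $i++) {
        $diff |= ord($expected[$i]) ^ ord($provided[$i]);
    }
    return $diff === 0;
}

// Validation helper (hypothetical): reject requests when no token has been
// configured for the user, then pick the best constant-time primitive.
function validateWatchlistToken($storedToken, $requestToken)
{
    if ($storedToken === '' || $requestToken === '') {
        return false;
    }
    if (function_exists('hash_equals')) {
        return compareTokenConstantTime($storedToken, $requestToken);
    }
    return compareTokenConstantTimePolyfill($storedToken, $requestToken);
}

// Constructed sample values: a stored token and a guess that shares its
// first half. The variable-time version spends longer on this guess than on
// one that differs in the first byte; the hardened versions do not.
$stored = 'c3f1a9e2b7d4608f5a2c1e9b0d7f4a6e';
$guess  = 'c3f1a9e2b7d4608f00000000000000000';
var_dump(compareTokenVariableTime($stored, $guess));    // false (leaks timing)
var_dump(validateWatchlistToken($stored, $guess));       // false (constant time)
var_dump(validateWatchlistToken($stored, $stored));      // true
```

Running the file with `php` shows all three comparisons returning the same booleans; the difference the fix addresses is not in the result but in how long each call takes when the guess shares a prefix with the stored token. Any code that compares a secret a client supplies (tokens, HMAC tags, password hashes) should use hash_equals() or an equivalent that never exits early.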