Wikimedia Foundation OATHAuth Two-Factor Authentication Reauthentication Bypass Vulnerability
Vulnerability
A vulnerability exists in the Wikimedia Foundation OATHAuth extension in versions prior to 1.39.14, 1.43.4, and 1.44.1. It allows a user to bypass the reauthentication requirement when enabling two-factor authentication (2FA) by submitting a POST request to the OATH management page: the reauthentication check is not applied to POST requests, so the state-changing request goes through without the password being re-entered.
Impact
Because the reauthentication step can be skipped, a user who cannot satisfy it can still enable two-factor authentication on the account, which can lock the legitimate account holder out or cause other access issues.
Reproduction
To reproduce this vulnerability, navigate to the Special:Manage_Two-factor_authentication page. Click 'Enable' for the TOTP module, which will prompt a reauthentication screen. Instead of entering a password, use the browser console to replace the 'Enable' button with a form that submits a POST request to the same URL. After submitting the form, the 2FA setup screen will appear without the need for reauthentication.
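The flaw described above, reduced to its control flow, as an added illustration that is not OATHAuth's own code: a handler that only evaluates the reauthentication gate on GET lets a POST change 2FA state with a stale session, while the hardened handler gates every request before doing any work. The `Session` class, the `REAUTH_WINDOW` value and the return strings are assumptions made for this example.

```python
import time
from dataclasses import dataclass
from typing import Optional

REAUTH_WINDOW = 300  # seconds a reauthentication stays fresh (assumed value, not OATHAuth's)


@dataclass
class Session:
    """Minimal stand-in for a logged-in session (hypothetical, not MediaWiki's)."""
    user: str
    reauth_at: Optional[float] = None  # when the password was last re-entered
    totp_enabled: bool = False


def reauth_is_fresh(session: Session, now: Optional[float] = None) -> bool:
    now = time.time() if now is None else now
    return session.reauth_at is not None and now - session.reauth_at <= REAUTH_WINDOW


def vulnerable_manage(session: Session, method: str, action: str, now=None) -> str:
    """Flawed pattern from the advisory: the reauth gate only runs on GET."""
    if method == "GET":
        if not reauth_is_fresh(session, now):
            return "reauth-required"
        return "show-enable-form"
    # The POST path never consults the gate, so the state change goes through.
    if action == "enable-totp":
        session.totp_enabled = True
        return "totp-setup"
    return "bad-request"


def hardened_manage(session: Session, method: str, action: str, now=None) -> str:
    """Gate every request, whatever its method, before any state-changing work."""
    if not reauth_is_fresh(session, now):
        return "reauth-required"
    if method == "GET":
        return "show-enable-form"
    if method == "POST" and action == "enable-totp":
        session.totp_enabled = True
        return "totp-setup"
    return "bad-request"


def demo() -> tuple:
    """Same stale session and same forged POST against both handlers."""
    t0 = 1_000_000.0
    stale = Session(user="alice", reauth_at=t0 - 3600)  # constructed: reauth an hour ago
    weak = vulnerable_manage(stale, "POST", "enable-totp", now=t0)
    strong = hardened_manage(Session(user="alice", reauth_at=t0 - 3600), "POST", "enable-totp", now=t0)
    return weak, strong
```

Running `demo()` returns `("totp-setup", "reauth-required")`: the vulnerable handler enabled TOTP on a session that had not reauthenticated, the hardened one refused.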
Remediation
Users should update to OATHAuth versions 1.39.14, 1.43.4, or 1.44.1, where this vulnerability has been addressed.
