DESCRIPTION:
A vulnerability has been reported in MediaWiki, which can be exploited by malicious people to conduct cross-site scripting attacks. Input passed to unspecified parameters in the API pretty-printing mode is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site. Successful exploitation requires that the API interface is enabled.

The vulnerability is reported in the following versions:
* 1.11 <= 1.11.0rc1
* 1.10 <= 1.10.1
* 1.9 <= 1.9.3
* 1.8 <= 1.8.4 (if $wgEnableAPI has been switched on)

SOLUTION:
Update to version 1.11.0, 1.10.2, 1.9.4, or 1.8.5.
Setting whiteboard status and CC'ing maintainers.
According to the announce mail, versions 1.7 and earlier are also vulnerable if the BotQuery extension is enabled/installed (CVE-2007-4883). Do we ship this extension?
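Added example, not part of the original bug report or of MediaWiki: a triage helper that classifies an installed version against the affected ranges in the advisory and the BotQuery condition noted above, treating release candidates as older than the final release. The function names, the result labels and the `api_enabled` / `botquery_installed` flags are assumptions made for illustration.

```python
import re

# Fixed release per branch, taken from the advisory's SOLUTION line.
FIXED = {"1.11": "1.11.0", "1.10": "1.10.2", "1.9": "1.9.4", "1.8": "1.8.5"}

# Accepts 1.8.4, 1.11.0rc1 and the Gentoo spelling 1.11.0_rc1.
_VERSION = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:[-_]?(alpha|beta|rc)(\d*))?$")
_PRE_RANK = {"alpha": 0, "beta": 1, "rc": 2, None: 3}  # a final release sorts last


def parse(version):
    """Return a sortable key so that 1.11.0rc1 < 1.11.0 < 1.11.1."""
    m = _VERSION.match(version.strip().lower())
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    major, minor, patch, pre, pre_n = m.groups()
    return (int(major), int(minor), int(patch or 0), _PRE_RANK[pre], int(pre_n or 0))


def assess(version, api_enabled=True, botquery_installed=False):
    """Classify one install: fixed, vulnerable, not exposed, not affected, unknown."""
    key = parse(version)
    branch = f"{key[0]}.{key[1]}"
    if branch in FIXED:
        if key >= parse(FIXED[branch]):
            return "fixed"
        # The flaw sits in the API pretty-printer, so it is only reachable
        # when the API is enabled; the install still needs the update.
        return "vulnerable" if api_enabled else "not exposed"
    if key[:2] <= (1, 7):
        # 1.7 and earlier: only affected through the BotQuery extension.
        return "vulnerable" if botquery_installed else "not affected"
    return "unknown"  # branch not covered by the advisory


if __name__ == "__main__":
    # Constructed inventory: (version, API enabled, BotQuery installed)
    inventory = [("1.11.0_rc1", True, False), ("1.10.2", True, False),
                 ("1.8.4", False, False), ("1.7.1", False, True)]
    for version, api, botquery in inventory:
        print(f"{version:12} {assess(version, api, botquery)}")
```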
@tchiwam, @trapni: May I bump this to the new versions? I prepared and tested the stuff locally and would be ready to commit.
Before 1.8 it is only a problem if the extension is turned on, and we do not turn it on by default. Gunnar Wrobel, you can commit the version bumps if they are ready and you have tested them. I think this will be the most effective, as I am still on the holiday return work rush.
in case you tested it, feel free :)
thanks, guys! the new versions are in. target archs for mediawiki-1.8.5: amd64 ppc sparc x86
ppc stable
x86 stable
sparc stable
Marked stable on amd64.
B4 -> [glsa?] Please vote.
XSS is sadly way too common :( I vote NO.
Removed insecure versions from the tree. Webapps is done here.
webapp + XSS = noglsa. A webapp *has* XSS in it, that's a rule of the known universe, it's like "42". Feel free to reopen if you disagree :)