Summary: | www-apps/MediaWiki: Multiple Vulnerabilities | ||
---|---|---|---|
Product: | Gentoo Security | Reporter: | Aarni Honka <aarni.honka> |
Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
Status: | RESOLVED FIXED | ||
Severity: | normal | CC: | trapni |
Priority: | High | ||
Version: | unspecified | ||
Hardware: | All | ||
OS: | All | ||
URL: | http://sourceforge.net/project/shownotes.php?release_id=307067 | ||
Whiteboard: | B4? [glsa] | ||
Package list: | Runtime testing required: | --- |
Description
Aarni Honka
2005-02-22 06:34:01 UTC
1.3.11 is currently in portage, and stable.

trapni, everything below 1.3.11 should be considered vulnerable. Please remove them from the tree if it is safe to do so.

security, pls vote on GLSA need

_______________________

Release info:

Release Name: MediaWiki 1.3.11

Notes:

= MediaWiki release notes =

Security reminder: MediaWiki does not require PHP's register_globals setting since version 1.2.0. If you have it on, turn it *off* if you can.

== Version 1.3.11, 2005-02-20 ==

MediaWiki 1.3.11 is a security release.

A security audit found and fixed a number of problems. Users of MediaWiki 1.3.10 and earlier should upgrade to 1.3.11; users of 1.4 beta releases should upgrade to 1.4rc1.

=== Cross-site scripting vulnerability ===

XSS injection points can be used to hijack session and authentication cookies as well as more serious attacks.

* Media: links output raw text into an attribute value, potentially abusable for JavaScript injection. This has been corrected.
* Additional checks added to file upload to protect against MSIE and Safari MIME-type autodetection bugs.

As of 1.3.10/1.4beta6, per-user customized CSS and JavaScript is disabled by default as a general precaution. Sites which want this ability may set $wgAllowUserCss and $wgAllowUserJs in LocalSettings.php.

=== Cross-site request forgery ===

An attacker could use JavaScript-submitted forms to perform various restricted actions by tricking an authenticated user into visiting a malicious web page. A fix for page editing in 1.3.10/1.4beta6 has been expanded in this release to other forms and functions.

Authors of bot tools may need to update their code to include the additional fields.

=== Directory traversal ===

An unchecked parameter in image deletion could allow an authenticated administrator to delete arbitrary files in directories writable by the web server, and confirm existence of files not deletable.

gimme some time until I'm back home. I'm doing it ASAP

I've arrived!

I vote no GLSA.

I vote yes :)

Since this is a little more than the XSS issue from bug 80729 which we didn't issue a GLSA for, I vote yes. GLSA should/could also talk about bug 80729

I've removed the ill ebuilds from the tree.

Well, I'd vote for a GLSA, however, all 1.3.x releases are bugfix (and though, including security fixes) only. Each of them should have raised a GLSA but didn't. However, that might be because I never learned how to initiate such things ;-)

GLSA 200502-33
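
The directory traversal item in the release notes quoted above, shown as an added example that is neither MediaWiki's code nor part of this bug report: a file name parameter is resolved against the upload directory and rejected unless the canonical path stays inside it. The function name `safeImagePath()` and the demo paths are hypothetical, and the files are constructed for the demonstration.

```php
<?php
// Added illustration; safeImagePath() and the demo paths are hypothetical.

function safeImagePath(string $uploadDir, string $name): ?string
{
    // Reject empty names, NUL bytes, path separators and dot entries up front.
    if ($name === '' || $name === '.' || $name === '..'
        || strpos($name, "\0") !== false
        || strpbrk($name, "/\\") !== false) {
        return null;
    }
    $base = realpath($uploadDir);
    if ($base === false) {
        return null;
    }
    // realpath() resolves symlinks and returns false for a missing file.
    $real = realpath($base . DIRECTORY_SEPARATOR . $name);
    if ($real === false || !is_file($real)) {
        return null;
    }
    // The canonical path must still sit directly under the upload directory.
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($real, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $real;
}

// Constructed demo: one image inside the upload directory, one file outside it.
$root = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'wiki_demo_' . bin2hex(random_bytes(4));
$uploads = $root . DIRECTORY_SEPARATOR . 'images';
mkdir($uploads, 0700, true);
file_put_contents($uploads . DIRECTORY_SEPARATOR . 'Logo.png', 'img');
file_put_contents($root . DIRECTORY_SEPARATOR . 'outside.txt', 'not an upload');

foreach (['Logo.png', '../outside.txt', '..', 'missing.png'] as $name) {
    $path = safeImagePath($uploads, $name);
    // Same answer for "outside the directory" and "does not exist".
    printf("%-16s %s\n", $name, $path === null ? 'rejected' : 'would delete');
}

// Clean up the constructed files.
unlink($uploads . DIRECTORY_SEPARATOR . 'Logo.png');
unlink($root . DIRECTORY_SEPARATOR . 'outside.txt');
rmdir($uploads);
rmdir($root);
```

Returning the same result for a rejected name and a missing file avoids the second effect the release notes mention, confirming the existence of files that cannot be deleted.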