Bug 82954 - www-apps/MediaWiki: Multiple Vulnerabilities
Summary: www-apps/MediaWiki: Multiple Vulnerabilities
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All All
Importance: High normal
Assignee: Gentoo Security
URL: http://sourceforge.net/project/showno...
Whiteboard: B4? [glsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2005-02-22 06:34 UTC by Aarni Honka
Modified: 2005-02-28 12:59 UTC (History)

See Also:
Package list:
Runtime testing required: ---
Description Aarni Honka 2005-02-22 06:34:01 UTC
TITLE:
MediaWiki Multiple Vulnerabilities

SECUNIA ADVISORY ID:
SA14360

VERIFY ADVISORY:
http://secunia.com/advisories/14360/

CRITICAL:
Less critical

IMPACT:
Security Bypass, Cross Site Scripting, Manipulation of data

WHERE:
From remote

SOFTWARE:
MediaWiki 1.x
http://secunia.com/product/2546/

DESCRIPTION:
Some vulnerabilities have been reported in MediaWiki, which can be
exploited by malicious users to delete arbitrary files, and by
malicious people to conduct cross-site scripting attacks and bypass
certain security restrictions.

1) Some unspecified input in the link formatting isn't properly
sanitised before being returned to the user. This can be exploited to
execute arbitrary HTML and script code in a user's browser session in
context of a vulnerable site.

2) Input passed to an unspecified parameter when deleting images
isn't properly sanitised. This can be exploited by authenticated
administrators to delete arbitrary files via directory traversal
attacks.

3) Various actions requiring authentication can be executed via an
off-site form. This can be exploited to execute various actions by
tricking an authenticated user into visiting a malicious website.

SOLUTION:
Update to version 1.3.11.
http://sourceforge.net/project/showfiles.php?group_id=34373

PROVIDED AND/OR DISCOVERED BY:
Reported by vendor.
Comment 1 Luke Macken (RETIRED) gentoo-dev 2005-02-22 06:38:13 UTC
1.3.11 is currently in portage, and stable.

trapni, everything below 1.3.11 should be considered vulnerable.  Please remove them from the tree if it is safe to do so.
Comment 2 Matthias Geerdsen (RETIRED) gentoo-dev 2005-02-23 12:34:14 UTC
security, pls vote on GLSA need

_______________________

Release info:

Release Name: MediaWiki 1.3.11

Notes:
= MediaWiki release notes =

Security reminder: MediaWiki does not require PHP's register_globals
setting since version 1.2.0. If you have it on, turn it *off* if you can.

== Version 1.3.11, 2005-02-20 ==

MediaWiki 1.3.11 is a security release.

A security audit found and fixed a number of problems. Users of MediaWiki
1.3.10 and earlier should upgrade to 1.3.11; users of 1.4 beta releases
should upgrade to 1.4rc1.


=== Cross-site scripting vulnerability ===

XSS injection points can be used to hijack session and authentication
cookies as well as more serious attacks.

* Media: links output raw text into an attribute value, potentially
  abusable for JavaScript injection. This has been corrected.
* Additional checks added to file upload to protect against MSIE and
  Safari MIME-type autodetection bugs.

As of 1.3.10/1.4beta6, per-user customized CSS and JavaScript is disabled
by default as a general precaution. Sites which want this ability may set
$wgAllowUserCss and $wgAllowUserJs in LocalSettings.php.


=== Cross-site request forgery ===

An attacker could use JavaScript-submitted forms to perform various
restricted actions by tricking an authenticated user into visiting
a malicious web page. A fix for page editing in 1.3.10/1.4beta6 has
been expanded in this release to other forms and functions.

Authors of bot tools may need to update their code to include the
additional fields.


=== Directory traversal ===

An unchecked parameter in image deletion could allow an authenticated
administrator to delete arbitrary files in directories writable by the
web server, and confirm existence of files not deletable.
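The cross-site request forgery fix and the "Media:" attribute-escaping fix above, illustrated as an added example that is not MediaWiki's own code: a per-session token carried in a hidden form field and checked on every state-changing POST. Function names and the `csrf_token` field name are assumptions.

```php
<?php
// Added example, not MediaWiki's implementation: a per-session anti-CSRF
// token for restricted actions. Function and field names are hypothetical.

function csrfToken(): string {
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    // One unguessable token per session, generated on first use.
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

function csrfHiddenField(): string {
    // The token travels in a hidden field. A page on another origin can submit
    // the form blind but cannot read this value, so the forged request fails.
    // ENT_QUOTES escaping is the same treatment any attribute value needs,
    // which is what the "Media:" link fix above was missing.
    return '<input type="hidden" name="csrf_token" value="'
        . htmlspecialchars(csrfToken(), ENT_QUOTES, 'UTF-8') . '">';
}

function csrfCheck(array $post): bool {
    // Missing, non-string or mismatching token: reject. hash_equals() keeps
    // the comparison constant-time.
    if (!isset($post['csrf_token']) || !is_string($post['csrf_token'])) {
        return false;
    }
    return hash_equals(csrfToken(), $post['csrf_token']);
}

// Usage in any handler that performs a restricted action:
if ($_SERVER['REQUEST_METHOD'] === 'POST' && !csrfCheck($_POST)) {
    http_response_code(403);
    exit('Session token mismatch; reload the form and resubmit.');
}
```

This is also why the release notes warn bot authors: a bot must fetch the form first and echo the hidden field back with its POST, or the check rejects it.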
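For the directory traversal item above, an added example (not MediaWiki's actual fix) of how an image-deletion handler can validate the supplied file name, including the edge case the notes mention: one generic failure result so the form cannot be used to confirm which files exist. `$uploadDir`, `safeImagePath` and `deleteImage` are assumed names.

```php
<?php
// Added example, not MediaWiki's actual fix: validating the file name a
// deletion form supplies before touching the image directory.

function safeImagePath(string $uploadDir, string $name): ?string {
    // Accept only a bare file name: no separators, no NUL, no dot components.
    if ($name === '' || $name === '.' || $name === '..'
        || strpbrk($name, "/\\\0") !== false) {
        return null;
    }
    $base = realpath($uploadDir);
    if ($base === false) {
        return null;
    }
    // realpath() also follows symlinks, so a link inside the image directory
    // that points outside it is caught by the prefix check below.
    $resolved = realpath($base . DIRECTORY_SEPARATOR . $name);
    if ($resolved === false
        || strpos($resolved, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $resolved;
}

function deleteImage(string $uploadDir, string $name): bool {
    $path = safeImagePath($uploadDir, $name);
    // One generic failure for "invalid name", "not found" and "not deletable":
    // distinct messages would let the form confirm which files exist.
    if ($path === null || !is_file($path)) {
        return false;
    }
    return @unlink($path);
}
```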


Comment 3 Christian Parpart (RETIRED) gentoo-dev 2005-02-23 15:47:32 UTC
Gimme some time until I'm back home. I'm doing it ASAP once I've arrived!
Comment 4 Luke Macken (RETIRED) gentoo-dev 2005-02-23 17:24:42 UTC
I vote no GLSA.
Comment 5 Thierry Carrez (RETIRED) gentoo-dev 2005-02-24 03:07:44 UTC
I vote yes :)
Comment 6 Matthias Geerdsen (RETIRED) gentoo-dev 2005-02-24 03:32:10 UTC
Since this is a little more than the XSS issue from bug 80729 which we didn't issue a GLSA for, I vote yes.
Comment 7 Thierry Carrez (RETIRED) gentoo-dev 2005-02-24 04:10:15 UTC
GLSA should/could also talk about bug 80729
Comment 8 Christian Parpart (RETIRED) gentoo-dev 2005-02-24 06:32:24 UTC
I've removed the ill ebuilds from the tree.
Well, I'd vote for a GLSA, however, all 1.3.x releases are bugfix (and though, including security fixes) only. Each of them should have raised a GLSA but didn't. However, that might be because I never learned how to initiate such things ;-)
Comment 9 Thierry Carrez (RETIRED) gentoo-dev 2005-02-28 12:59:00 UTC
GLSA 200502-33