TITLE:
MediaWiki Multiple Vulnerabilities

SECUNIA ADVISORY ID:
SA14360

VERIFY ADVISORY:
http://secunia.com/advisories/14360/

CRITICAL:
Less critical

IMPACT:
Security Bypass, Cross Site Scripting, Manipulation of data

WHERE:
From remote

SOFTWARE:
MediaWiki 1.x
http://secunia.com/product/2546/

DESCRIPTION:
Some vulnerabilities have been reported in MediaWiki, which can be exploited by malicious users to delete arbitrary files, and by malicious people to conduct cross-site scripting attacks and bypass certain security restrictions.

1) Some unspecified input in the link formatting isn't properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of a vulnerable site.

2) Input passed to an unspecified parameter when deleting images isn't properly sanitised. This can be exploited by authenticated administrators to delete arbitrary files via directory traversal attacks.

3) Various actions requiring authentication can be executed via an off-site form. This can be exploited to execute various actions by tricking an authenticated user into visiting a malicious website.

SOLUTION:
Update to version 1.3.11.
http://sourceforge.net/project/showfiles.php?group_id=34373

PROVIDED AND/OR DISCOVERED BY:
Reported by vendor.
1.3.11 is currently in portage, and stable. trapni, everything below 1.3.11 should be considered vulnerable. Please remove them from the tree if it is safe to do so.
security, pls vote on GLSA need
_______________________

Release info:
Release Name: MediaWiki 1.3.11
Notes:

= MediaWiki release notes =

Security reminder: MediaWiki does not require PHP's register_globals setting since version 1.2.0. If you have it on, turn it *off* if you can.

== Version 1.3.11, 2005-02-20 ==

MediaWiki 1.3.11 is a security release.

A security audit found and fixed a number of problems. Users of MediaWiki 1.3.10 and earlier should upgrade to 1.3.11; users of 1.4 beta releases should upgrade to 1.4rc1.

=== Cross-site scripting vulnerability ===

XSS injection points can be used to hijack session and authentication cookies as well as more serious attacks.

* Media: links output raw text into an attribute value, potentially abusable for JavaScript injection. This has been corrected.
* Additional checks added to file upload to protect against MSIE and Safari MIME-type autodetection bugs.

As of 1.3.10/1.4beta6, per-user customized CSS and JavaScript is disabled by default as a general precaution. Sites which want this ability may set $wgAllowUserCss and $wgAllowUserJs in LocalSettings.php.

=== Cross-site request forgery ===

An attacker could use JavaScript-submitted forms to perform various restricted actions by tricking an authenticated user into visiting a malicious web page. A fix for page editing in 1.3.10/1.4beta6 has been expanded in this release to other forms and functions.

Authors of bot tools may need to update their code to include the additional fields.

=== Directory traversal ===

An unchecked parameter in image deletion could allow an authenticated administrator to delete arbitrary files in directories writable by the web server, and confirm existence of files not deletable.
Gimme some time until I'm back home. I'm doing it ASAP I'm arrived!
I vote no GLSA.
I vote yes :)
Since this is a little more than the XSS issue from bug 80729 which we didn't issue a GLSA for, I vote yes.
GLSA should/could also talk about bug 80729
I've removed the ill ebuilds from the tree. Well, I'd vote for a GLSA, however, all 1.3.x releases are bugfix (and though, including security fixes) only. Each of them should have raised a GLSA but didn't. However, that might be because I never learned how to initiate such things ;-)
GLSA 200502-33