Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 165551

Summary: www-apps/mediawiki < 1.9.2 Sortable Table Feature HTML Injection Vulnerability
Product: Gentoo Security Reporter: Executioner <keith>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: minor CC: tchiwam, web-apps
Priority: High    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: http://www.securityfocus.com/bid/22395/info
Whiteboard:
Package list:
Runtime testing required: ---

Description Executioner 2007-02-06 02:52:10 UTC 
MediaWiki is prone to an HTML-injection vulnerability because the application fails to properly sanitize user-supplied input.

An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks.

MediaWiki versions 1.9.0 prior to 1.9.2 are vulnerable to this issue. 

Reproducible: Didn't try




http://svn.wikimedia.org/svnroot/mediawiki/tags/REL1_9_2/phase3/RELEASE-NOTES
Comment 1 Philippe Trottier (RETIRED) gentoo-dev 2007-02-08 10:11:54 UTC 
1.9.2 is now commited, I was simply waiting for the tar ball to be present and confirm it's md5.
Comment 2 Philippe Trottier (RETIRED) gentoo-dev 2007-02-08 10:12:46 UTC 
Note 2, please check that 1.8.x is really affected, as there is not metion of this for those versions.
Comment 3 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2007-02-09 15:02:57 UTC 
1.8 is not known to be vulnerable, closing