
Bug 392383 (CVE-2011-4360)

Summary: <www-apps/mediawiki-1.18.1 Information leaks (CVE-2011-{4360,4361})
Product: Gentoo Security
Reporter: Sean Amoss (RETIRED) <ackle>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: minor
CC: trapni, web-apps
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: http://lists.wikimedia.org/pipermail/mediawiki-announce/2011-November/000104.html
Whiteboard: B4 [noglsa]
Package list:
Runtime testing required: ---
Bug Depends on: 398687    
Bug Blocks:    

Description Sean Amoss (RETIRED) gentoo-dev Security 2011-11-29 10:52:44 UTC
From announce mail at $URL:

I would like to announce the release of MediaWiki 1.17.1. Two security
issues were discovered.

Alexandre Emsenhuber discovered an issue where page titles on private
wikis could be exposed by passing different page ids to index.php. In the
case of the user not having correct permissions, they will now be
redirected to Special:BadTitle.

For more details, see
https://bugzilla.wikimedia.org/show_bug.cgi?id=32276

The second issue was found by Tim Starling, who discovered that
action=ajax requests were dispatched to the relevant function without
any read permission checks being done. This could have led to data
leakage on private wikis.

For more details, see
https://bugzilla.wikimedia.org/show_bug.cgi?id=32616
Comment 1 GLSAMaker/CVETool Bot gentoo-dev 2012-02-20 05:32:20 UTC
CVE-2011-4361 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-4361):
  MediaWiki before 1.17.1 does not check for read permission before handling
  action=ajax requests, which allows remote attackers to obtain sensitive
  information by (1) leveraging the SpecialUpload::ajaxGetExistsWarning
  function, or by (2) leveraging an extension, as demonstrated by the
  CategoryTree, ExtTab, and InlineEditor extensions.

CVE-2011-4360 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-4360):
  MediaWiki before 1.17.1 allows remote attackers to obtain the page titles of
  all restricted pages via a series of requests involving the (1) curid or (2)
  oldid parameter.
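
The action=ajax issue above comes down to where the read check sits relative to dispatch. The PHP sketch below is an added example, not part of this bug report and not MediaWiki's code or its patch; the page table, canRead(), the fn parameter and the existsWarning handler are hypothetical. It sends the same logged-out request through the dispatcher with and without the read check placed first.

```php
<?php
// Simplified model of a wiki front controller. Not MediaWiki code: every
// function name, parameter and page below is hypothetical or constructed.
const PAGES = [  // constructed sample pages, keyed by page id
    1 => ['title' => 'Main_Page',     'public' => true],
    2 => ['title' => 'Board_minutes', 'public' => false],
];

// Private-wiki policy (assumed): logged-out users may read only public pages.
function canRead(?string $user, array $page): bool {
    return $user !== null || $page['public'];
}

// Handlers reachable through action=ajax. In this model the handler has no
// permission check of its own and relies on the dispatcher (an assumption).
function ajaxHandlers(): array {
    return ['existsWarning' => fn(array $page) => "File page exists: {$page['title']}"];
}

function dispatch(array $query, ?string $user, bool $checkReadFirst): array {
    $page = PAGES[(int)($query['curid'] ?? 0)] ?? null;
    if ($page === null) {
        return ['status' => 404, 'body' => ''];
    }
    // Hardened order: one read check before any action is dispatched, and the
    // denial names no title (the announcement's redirect to Special:BadTitle).
    if ($checkReadFirst && !canRead($user, $page)) {
        return ['status' => 302, 'location' => 'Special:BadTitle', 'body' => ''];
    }
    if (($query['action'] ?? 'view') === 'ajax') {
        $handler = ajaxHandlers()[$query['fn'] ?? ''] ?? null;
        return $handler === null
            ? ['status' => 400, 'body' => '']
            : ['status' => 200, 'body' => $handler($page)];
    }
    // The view path carries its own check, which is why a missing check on
    // the ajax path is easy to overlook.
    return canRead($user, $page)
        ? ['status' => 200, 'body' => "Content of {$page['title']}"]
        : ['status' => 403, 'body' => 'Permission denied'];
}

// Regression check: a logged-out request must never see the private title.
$query = ['action' => 'ajax', 'fn' => 'existsWarning', 'curid' => '2'];
foreach ([false, true] as $checkReadFirst) {
    $resp = dispatch($query, null, $checkReadFirst);
    $leak = strpos($resp['body'], PAGES[2]['title']) !== false;
    printf("readCheckFirst=%d status=%d leak=%d\n", $checkReadFirst, $resp['status'], $leak);
}
```

The same leak assertion can be repeated for every registered handler and for each id parameter that resolves to a page, so that a newly added action cannot silently bypass the gate.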
Comment 2 Sean Amoss (RETIRED) gentoo-dev Security 2012-02-20 21:40:08 UTC
Thanks, everyone. 
GLSA vote: no.
Comment 3 Tim Sammut (RETIRED) gentoo-dev 2012-02-21 01:09:40 UTC
GLSA Vote: no, too, closing noglsa.