Bug 392383 (CVE-2011-4360) - <www-apps/mediawiki-1.18.1 Information leaks (CVE-2011-{4360,4361})
Alias: CVE-2011-4360
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
Whiteboard: B4 [noglsa]
Depends on: CVE-2012-0046
Reported: 2011-11-29 10:52 UTC by Sean Amoss (RETIRED)
Modified: 2012-02-21 01:09 UTC
Description Sean Amoss (RETIRED) gentoo-dev Security 2011-11-29 10:52:44 UTC
From announce mail at $URL:

I would like to announce the release of MediaWiki 1.17.1. Two security
issues were discovered.

Alexandre Emsenhuber discovered an issue where page titles on private
wikis could be exposed by passing different page ids to index.php. In the
case of the user not having correct permissions, they will now be
redirected to Special:BadTitle.

For more details, see

The second issue was found by Tim Starling, who discovered that
action=ajax requests were dispatched to the relevant function without
any read permission checks being done. This could have led to data
leakage on private wikis.

For more details, see
Comment 1 GLSAMaker/CVETool Bot gentoo-dev 2012-02-20 05:32:20 UTC
CVE-2011-4361:
  MediaWiki before 1.17.1 does not check for read permission before handling
  action=ajax requests, which allows remote attackers to obtain sensitive
  information by (1) leveraging the SpecialUpload::ajaxGetExistsWarning
  function, or by (2) leveraging an extension, as demonstrated by the
  CategoryTree, ExtTab, and InlineEditor extensions.

CVE-2011-4360:
  MediaWiki before 1.17.1 allows remote attackers to obtain the page titles of
  all restricted pages via a series of requests involving the (1) curid or (2)
  oldid parameter.
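
The two missing read checks described above, as an added example in PHP: a simplified model of a private wiki's front controller with the unpatched and patched behaviour side by side. This is not MediaWiki source or code from this bug; the `Dispatcher` class, the `fn`/`args` keys, the page data and the pre-fix error text are assumptions made for illustration.

```php
<?php
// Simplified model of a private wiki's front controller. NOT MediaWiki source:
// Dispatcher, handle(), the 'fn'/'args' keys and the page data are hypothetical.
final class Dispatcher
{
    /** @var array<int,string> page id => title (constructed sample data) */
    private array $pages = [1 => 'Main Page', 2 => 'Board minutes'];
    /** @var array<string,callable> functions reachable through action=ajax */
    private array $ajaxExports;

    public function __construct(private bool $patched)
    {
        // Stand-in for a "does this name already exist?" style helper.
        $this->ajaxExports = [
            'existsWarning' => fn(string $t): string =>
                in_array($t, $this->pages, true) ? "exists: $t" : 'no conflict',
        ];
    }

    /** $query models the index.php query string; returns the response body. */
    public function handle(array $query, bool $canRead): string
    {
        if (($query['action'] ?? '') === 'ajax') {
            // Fix for the second issue: read check before dispatching.
            if ($this->patched && !$canRead) {
                return 'denied: read permission required';
            }
            $fn = $this->ajaxExports[$query['fn'] ?? ''] ?? null;
            return $fn ? $fn((string)($query['args'][0] ?? '')) : 'unknown function';
        }
        $title = $this->pages[(int)($query['curid'] ?? 0)] ?? null;
        // Fix for the first issue: a reader without permission gets the same
        // answer for a restricted id as for an id that does not exist.
        if ($title === null || ($this->patched && !$canRead)) {
            return 'redirect: Special:BadTitle';
        }
        // Assumed pre-fix behaviour: the error response names the page.
        return $canRead ? "content of $title" : "permission error for: $title";
    }
}

// Anonymous requests (canRead = false) against both variants.
$requests = [['curid' => 2], ['curid' => 99],
    ['action' => 'ajax', 'fn' => 'existsWarning', 'args' => ['Board minutes']]];
foreach ([false, true] as $patched) {
    $wiki = new Dispatcher($patched);
    echo $patched ? "patched:\n" : "unpatched:\n";
    foreach ($requests as $q) {
        echo '  ', http_build_query($q), ' => ', $wiki->handle($q, false), "\n";
    }
}
```

In the patched variant an existing restricted id and a nonexistent id produce the same response, so the reply no longer reveals which ids map to pages.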
Comment 2 Sean Amoss (RETIRED) gentoo-dev Security 2012-02-20 21:40:08 UTC
Thanks, everyone. 
GLSA vote: no.
Comment 3 Tim Sammut (RETIRED) gentoo-dev 2012-02-21 01:09:40 UTC
GLSA Vote: no, too, closing noglsa.