Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 261128 (CVE-2009-0737) - <www-apps/mediawiki-1.13.5 XSS in installer script (CVE-2009-0737)
Summary: <www-apps/mediawiki-1.13.5 XSS in installer script (CVE-2009-0737)
Status: RESOLVED FIXED
Alias: CVE-2009-0737
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: High enhancement (vote)
Assignee: Christian Parpart (RETIRED)
URL: http://lists.wikimedia.org/pipermail/...
Whiteboard: C3 [noglsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2009-03-04 05:51 UTC by Patrick
Modified: 2009-05-22 17:36 UTC (History)
4 users (show)

See Also:
Package list:
Runtime testing required: ---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Patrick 2009-03-04 05:51:12 UTC 
MediaWiki 1.13.5 ("bugfix release" for the 1.13.x branch) has been released on 2009-02-22.

Reproducible: Always
Comment 1 Petteri Räty (RETIRED) gentoo-dev 2009-03-04 11:03:45 UTC 
According to the release notes the installer we currently have in stable has security issues. This does not effect live installs of course as it's deleted after setup. Of course one shouldn't be exposing the installer to the public in the first place but best for security to take a look.
Comment 2 Robert Buchholz (RETIRED) gentoo-dev 2009-04-05 15:04:28 UTC 
CVE-2009-0737 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-0737):
  Multiple cross-site scripting (XSS) vulnerabilities in the web-based
  installer (config/index.php) in MediaWiki 1.6 before 1.6.12, 1.12
  before 1.12.4, and 1.13 before 1.13.4, when the installer is in
  active use, allow remote attackers to inject arbitrary web script or
  HTML via unspecified vectors.
Comment 3 Peter Volkov (RETIRED) gentoo-dev 2009-04-07 15:41:30 UTC 
1.13.5 was added to the tree.
Comment 4 Robert Buchholz (RETIRED) gentoo-dev 2009-04-07 15:43:00 UTC 
I vote NO. The installer script should be removed after install, this is explicit in the postinst output.
Comment 5 Pierre-Yves Rofes (RETIRED) gentoo-dev 2009-04-07 15:58:58 UTC 
NO too, closing.
Comment 6 Peter Volkov (RETIRED) gentoo-dev 2009-04-10 16:45:54 UTC 
Um, although I agree with noglsa we missed stabilize step. Arch teams please stabilize this package.
Comment 7 Peter Volkov (RETIRED) gentoo-dev 2009-04-10 16:46:36 UTC 
Target keywords:
=www-apps/mediawiki-1.13.5: amd64 ppc sparc x86
Comment 8 Robert Buchholz (RETIRED) gentoo-dev 2009-04-10 16:51:30 UTC 
(In reply to comment #6)
> Um, although I agree with noglsa we missed stabilize step. Arch teams please
> stabilize this package.

oh, sorry :~/
Comment 9 Tobias Scherbaum (RETIRED) gentoo-dev 2009-04-10 18:36:33 UTC 
(In reply to comment #7)
> Target keywords:
> =www-apps/mediawiki-1.13.5: amd64 ppc sparc x86
> 

well, at least 1.14.0 needs php build with +spl. please check.
Comment 10 Peter Volkov (RETIRED) gentoo-dev 2009-04-22 16:57:47 UTC 
(In reply to comment #9)
> well, at least 1.14.0 needs php build with +spl. please check.

Thank you Tobias. Added.
Comment 11 Markus Meier gentoo-dev 2009-04-23 19:57:21 UTC 
amd64/x86 stable
Comment 12 Brent Baude (RETIRED) gentoo-dev 2009-04-27 00:22:29 UTC 
ppc done
Comment 13 Raúl Porcel (RETIRED) gentoo-dev 2009-05-09 15:57:36 UTC 
sparc stable
Comment 14 Tobias Heinlein (RETIRED) gentoo-dev 2009-05-22 17:36:45 UTC 
[noglsa] now.