Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 366685 (CVE-2011-1765) - <www-apps/mediawiki-1.16.5: Multiple vulnerabilities (CVE-2010-{2787,2788,2789},CVE-2011-{0003,0047,0537,1579,1580,1765,1766})
Summary: <www-apps/mediawiki-1.16.5: Multiple vulnerabilities (CVE-2010-{2787,2788,278...
Alias: CVE-2011-1765
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
Whiteboard: B4 [glsa]
Depends on:
Blocks: 316701
  Show dependency tree
Reported: 2011-05-10 04:11 UTC by Tim Sammut (RETIRED)
Modified: 2012-06-21 18:19 UTC (History)
3 users (show)

See Also:
Package list:
Runtime testing required: ---


Note You need to log in before you can comment on or make changes to this bug.
Description Tim Sammut (RETIRED) gentoo-dev 2011-05-10 04:11:39 UTC
MediaWiki 1.16.5 has been released that fixes two vulnerabilities. 


The first issue is yet another recurrence of the Internet Explorer 6
XSS vulnerability that caused the release of 1.16.4. It was pointed
out that there are dangerous extensions with more than four
characters, so the regular expressions we introduced had to be updated
to match longer extensions.

For more details, see

The second issue allows unauthenticated users to gain additional
rights, on wikis where $wgBlockDisablesLogin is enabled. By default,
it is disabled. The issue occurs when a malicious user sends cookies
which contain the user name and user ID of a "victim" account. In
certain circumstances, the rights of the victim are loaded and persist
throughout the malicious request, allowing the malicious user to
perform actions with the victim's rights.

$wgBlockDisablesLogin is a feature which is sometimes used on private
wikis to prevent users who have an account from logging in and viewing
content on the wiki.

For more details, see


Christian or web-apps, can we go ahead and stabilize =www-apps/mediawiki-1.16.5?
Comment 1 GLSAMaker/CVETool Bot gentoo-dev 2011-06-14 09:07:05 UTC
CVE-2011-1766 (
  includes/User.php in MediaWiki before 1.16.5, when wgBlockDisablesLogin is
  enabled, does not clear certain cached data after verification of an auth
  token fails, which allows remote attackers to bypass authentication by
  creating crafted wikiUserID and wikiUserName cookies, or by leveraging an
  unattended workstation.

CVE-2011-1580 (
  The transwiki import functionality in MediaWiki before 1.16.3 does not
  properly check privileges, which allows remote authenticated users to
  perform imports from any wgImportSources wiki via a crafted POST request.

CVE-2011-1579 (
  The checkCss function in includes/Sanitizer.php in the wikitext parser in
  MediaWiki before 1.16.3 does not properly validate Cascading Style Sheets
  (CSS) token sequences, which allows remote attackers to conduct cross-site
  scripting (XSS) attacks or obtain sensitive information by using the \2f\2a
  and \2a\2f hex strings to surround CSS comments.

CVE-2011-0537 (
  Multiple directory traversal vulnerabilities in (1) languages/Language.php
  and (2) includes/StubObject.php in MediaWiki 1.8.0 and other versions before
  1.16.2, when running on Windows and possibly Novell Netware, allow remote
  attackers to include and execute arbitrary local PHP files via vectors
  related to a crafted language file and the Language::factory function.

CVE-2011-0047 (
  Cross-site scripting (XSS) vulnerability in MediaWiki before 1.16.2 allows
  remote attackers to inject arbitrary web script or HTML via crafted
  Cascading Style Sheets (CSS) comments, aka "CSS injection vulnerability."

CVE-2011-0003 (
  MediaWiki before 1.16.1, when user or site JavaScript or CSS is enabled,
  allows remote attackers to conduct clickjacking attacks via unspecified
Comment 2 Agostino Sarubbo gentoo-dev 2011-09-11 09:43:30 UTC
Maintainer timed out.

Arches, please test and mark stable:

target KEYWORDS : "amd64 ppc sparc x86"
Comment 3 Agostino Sarubbo gentoo-dev 2011-09-12 12:36:56 UTC
amd64 ok
Comment 4 Thomas Kahle (RETIRED) gentoo-dev 2011-09-12 18:55:31 UTC
x86 stable, thanks
Comment 5 Tony Vroon (RETIRED) gentoo-dev 2011-09-16 12:14:30 UTC
+  16 Sep 2011; Tony Vroon <> mediawiki-1.16.5.ebuild:
+  Marked stable on AMD64 based on arch testing by Agostino "ago" Sarubbo in
+  security bug #36685 filed by Tim Sammut.
Comment 6 Raúl Porcel (RETIRED) gentoo-dev 2011-09-17 16:54:34 UTC
sparc stable
Comment 7 Kacper Kowalik (Xarthisius) (RETIRED) gentoo-dev 2011-09-27 16:35:46 UTC
ppc stable, last arch done
Comment 8 Agostino Sarubbo gentoo-dev 2011-09-27 16:42:55 UTC
Thanks all, adding glsa vote.
Comment 9 Tim Sammut (RETIRED) gentoo-dev 2011-09-27 16:48:20 UTC
Thanks, folks. GLSA Vote: no.
Comment 10 GLSAMaker/CVETool Bot gentoo-dev 2011-10-08 12:40:17 UTC
CVE-2010-2789 (
  PHP remote file inclusion vulnerability in MediaWikiParserTest.php in
  MediaWiki 1.16 beta, when register_globals is enabled, allows remote
  attackers to execute arbitrary PHP code via unspecified vectors.

CVE-2010-2788 (
  Cross-site scripting (XSS) vulnerability in profileinfo.php in MediaWiki
  before 1.15.5, when wgEnableProfileInfo is enabled, allows remote attackers
  to inject arbitrary web script or HTML via the filter parameter.

CVE-2010-2787 (
  api.php in MediaWiki before 1.15.5 does not prevent use of public caching
  headers for private data, which allows remote attackers to bypass intended
  access restrictions and obtain sensitive information by retrieving documents
  from an HTTP proxy cache that has been used by a victim.
Comment 11 Stefan Behte (RETIRED) gentoo-dev Security 2011-10-08 12:42:39 UTC
There will be a GLSA for all of this.
Comment 12 GLSAMaker/CVETool Bot gentoo-dev 2012-06-21 18:19:59 UTC
This issue was resolved and addressed in
 GLSA 201206-09 at
by GLSA coordinator Stefan Behte (craig).