Bug 483594 (CVE-2013-4301) - <www-apps/mediawiki-{1.19.8,1.20.7,1.21.2}: Multiple Vulnerabilities (CVE-2013-{4301,4302,4303,4304,4305,4306,4307,4308})
Status: RESOLVED FIXED
Alias: CVE-2013-4301
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
URL: https://secunia.com/advisories/54715/
Whiteboard: B4 [glsa]
Reported: 2013-09-04 12:36 UTC by Agostino Sarubbo
Modified: 2013-11-05 02:21 UTC

Description Agostino Sarubbo gentoo-dev 2013-09-04 12:36:39 UTC
From ${URL} :

Description

A weakness and multiple vulnerabilities have been reported in MediaWiki, which can be exploited by 
malicious people to disclose certain sensitive information and conduct cross-site scripting 
attacks.

1) The application discloses the full installation path in an error message when an invalid 
language is specified in ResourceLoader.

2) An error within the "tokens", "unblock", "login", "createaccount", and "block" API calls can be 
exploited to disclose the CSRF token value.

3) Input passed via the "siprop" GET/POST parameter to wiki/api.php (when "action" is set to 
"query", "meta" is set to "siteinfo", and "format" is set to "json") is not properly sanitised 
before being returned to the user. This can be exploited to execute arbitrary HTML and script code 
in a user's browser session in context of an affected site.

The weakness and vulnerabilities are reported in versions prior to 1.21.2, 1.20.7, and 1.19.8.


Solution:
Update to version 1.21.2, 1.20.7, or 1.19.8.

Provided and/or discovered by:
2) Reported by the vendor.

The vendor credits:
1) Mozilla.
3) Andreas Peetz.

Original Advisory:
MediaWiki:
http://lists.wikimedia.org/pipermail/mediawiki-announce/2013-September/000133.html


@maintainer(s): after the bump, in case we need to stabilize the package, please say explicitly if it is ready for the stabilization or not.
Comment 1 Tim Harder gentoo-dev 2013-09-04 17:43:09 UTC
Ebuilds have already been bumped.

Arches, please stabilize:
=www-apps/mediawiki-1.19.8
=www-apps/mediawiki-1.20.7
=www-apps/mediawiki-1.21.2
Comment 2 Agostino Sarubbo gentoo-dev 2013-09-04 18:17:38 UTC
x86 stable
Comment 3 Agostino Sarubbo gentoo-dev 2013-09-04 18:17:49 UTC
ppc stable
Comment 4 Agostino Sarubbo gentoo-dev 2013-09-04 18:18:00 UTC
amd64 stable
Comment 5 Chris Reffett gentoo-dev Security 2013-09-11 05:28:57 UTC
GLSA vote: no.
Comment 6 GLSAMaker/CVETool Bot gentoo-dev 2013-09-13 15:50:31 UTC
CVE-2013-4308 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-4308):
  Cross-site scripting (XSS) vulnerability in pages/TalkpageHistoryView.php in
  the LiquidThreads (LQT) extension 2.x and possibly 3.x for MediaWiki 1.19.x
  before 1.19.8, 1.20.x before 1.20.7, and 1.21.x before 1.21.2 allows remote
  attackers to inject arbitrary web script or HTML via a thread subject.

CVE-2013-4307 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-4307):
  Multiple cross-site scripting (XSS) vulnerabilities in
  repo/includes/EntityView.php in the Wikibase extension for MediaWiki 1.19.x
  before 1.19.8, 1.20.x before 1.20.7, and 1.21.x before 1.21.2 allow (1)
  remote attackers to inject arbitrary web script or HTML via a label in the
  "In other languages" section or (2) remote administrators to inject
  arbitrary web script or HTML via a description.
Comment 7 GLSAMaker/CVETool Bot gentoo-dev 2013-10-28 17:08:43 UTC
This issue was resolved and addressed in
 GLSA 201310-21 at http://security.gentoo.org/glsa/glsa-201310-21.xml
by GLSA coordinator Sergey Popov (pinkbyte).
Comment 8 GLSAMaker/CVETool Bot gentoo-dev 2013-11-05 02:21:49 UTC
CVE-2013-4302 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-4302):
  (1) ApiBlock.php, (2) ApiCreateAccount.php, (3) ApiLogin.php, (4)
  ApiMain.php, (5) ApiQueryDeletedrevs.php, (6) ApiTokens.php, and (7)
  ApiUnblock.php in includes/api/ in MediaWiki 1.19.x before 1.19.8, 1.20.x
  before 1.20.7, and 1.21.x before 1.21.2 allow remote attackers to obtain
  CSRF tokens and bypass the cross-site request forgery (CSRF) protection
  mechanism via a JSONP request to wiki/api.php.

CVE-2013-4301 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-4301):
  includes/resourceloader/ResourceLoaderContext.php in MediaWiki 1.19.x before
  1.19.8, 1.20.x before 1.20.7, and 1.21.x before 1.21.2 allows remote
  attackers to obtain sensitive information via a "<" (open angle bracket)
  character in the lang parameter to w/load.php, which reveals the
  installation path in an error message.