oss-sec mailing list archives
CVE Request: MediaWiki 1.15.3 -- Login CSRF
From: Reed Loden <reed () reedloden com>
Date: Tue, 6 Apr 2010 20:26:38 -0500
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Greetings, MediaWiki 1.15.3 was just (20 min. ago) released[0] to fix a CSRF issue [1] in the login process, so need a CVE assigned to track the problem. ============ MediaWiki was found to be vulnerable to login CSRF. An attacker who controls a user account on the target wiki can force the victim to log in as the attacker, via a script on an external website. If the wiki is configured to allow user scripts, say with "$wgAllowUserJs = true" in LocalSettings.php, then the attacker can proceed to mount a phishing-style attack against the victim to obtain their password. Even without user scripting, this attack is a potential nuisance, and so all public wikis should be upgraded if possible. Our fix includes a breaking change to the API login action. Any clients using it will need to be updated. We apologise for making such a disruptive change in a minor release, but we feel that security is paramount. ============ Regards, ~reed [0] http://lists.wikimedia.org/pipermail/mediawiki-announce/2010-April/000090.html [1] https://bugzilla.wikimedia.org/show_bug.cgi?id=23076 - -- Reed Loden - <reed () reedloden com> -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (GNU/Linux) iEYEARECAAYFAku7304ACgkQa6IiJvPDPVozkQCgv4DUtGwOzEgDY0m+/dNXbO/t LIQAnj7OdyY8THs+KjSbwRgri0O8Kbu1 =lq2I -----END PGP SIGNATURE-----
Current thread:
- CVE Request: MediaWiki 1.15.3 -- Login CSRF Reed Loden (Apr 06)
- Re: CVE Request: MediaWiki 1.15.3 -- Login CSRF Josh Bressers (Apr 07)