Re: CVE Request: MediaWiki 1.15.3 -- Login CSRF

[Josh Bressers <bressers () redhat com>]

Please use CVE-2010-1150 for this.

Thanks

-- 
    JB


----- "Reed Loden" <reed () reedloden com> wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Greetings,
>
> MediaWiki 1.15.3 was just (20 min. ago) released[0] to fix a CSRF
> issue
> [1] in the login process, so need a CVE assigned to track the
> problem.
>
> ============
> MediaWiki was found to be vulnerable to login CSRF. An attacker who
> controls a user account on the target wiki can force the victim to
> log
> in as the attacker, via a script on an external website. If the wiki
> is
> configured to allow user scripts, say with "$wgAllowUserJs = true" in
> LocalSettings.php, then the attacker can proceed to mount a
> phishing-style attack against the victim to obtain their password.
>
> Even without user scripting, this attack is a potential nuisance, and
> so
> all public wikis should be upgraded if possible.
>
> Our fix includes a breaking change to the API login action. Any
> clients
> using it will need to be updated. We apologise for making such a
> disruptive change in a minor release, but we feel that security is
> paramount.
> ============
>
> Regards,
> ~reed
>
> [0]
> http://lists.wikimedia.org/pipermail/mediawiki-announce/2010-April/000090.html
> [1] https://bugzilla.wikimedia.org/show_bug.cgi?id=23076
>
> - -- 
> Reed Loden - <reed () reedloden com>
>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.9 (GNU/Linux)
>
> iEYEARECAAYFAku7304ACgkQa6IiJvPDPVozkQCgv4DUtGwOzEgDY0m+/dNXbO/t
> LIQAnj7OdyY8THs+KjSbwRgri0O8Kbu1
> =lq2I
> -----END PGP SIGNATURE-----

-- 
    JB