oss-sec mailing list archives
CVE request: mediawiki before 1.17.1
From: Hanno Böck <hanno () hboeck de>
Date: Tue, 29 Nov 2011 11:12:17 +0100
http://lists.wikimedia.org/pipermail/mediawiki-announce/2011-November/000104.html From announce mail: ------------- I would like to announce the release of MediaWiki 1.17.1. Two security issues were discovered. Alexandre Emsenhuber discovered an issue where page titles on private wikis could be exposed bypassing different page ids to index.php. In the case of the user not having correct permissions, they will now be redirected to Special:BadTitle. For more details, see https://bugzilla.wikimedia.org/show_bug.cgi?id=32276 The second issue was found by Tim Starling, who discovered that action=ajax requests were dispatched to the relevant function without any read permission checks being done. This could have led to data leakage on private wikis. For more details, see https://bugzilla.wikimedia.org/show_bug.cgi?id=32616 ------------------------ Please assign two CVEs. -- Hanno Böck mail/jabber: hanno () hboeck de GPG: BBB51E42 http://www.hboeck.de/
Attachment:
signature.asc
Description:
Current thread:
- CVE request: mediawiki before 1.17.1 Hanno Böck (Nov 29)
- Re: CVE request: mediawiki before 1.17.1 Kurt Seifried (Nov 29)