oss-sec mailing list archives
Re: CVE Request -- MediaWiki 1.19.2 and 1.18.5 multiple security flaws
From: Kurt Seifried <kseifried () redhat com>
Date: Fri, 31 Aug 2012 11:51:51 -0600
On 08/31/2012 08:34 AM, Jan Lieskovsky wrote:
Hello Kurt, Steve, vendors,

multiple security flaws were corrected in recent (1.19.2, and 1.18.5) versions of MediaWiki, a wiki engine:
Top posting and in line:

CVE-2012-4377 Stored XSS via a File::link to a non-existing image
CVE-2012-4378 Multiple DOM-based XSS flaws due to improper filtering of uselang parameter
CVE-2012-4379 CSRF tokens, available via API, not protected when X-Frame-Options headers used
CVE-2012-4380 Did not prevent account creation for IP addresses blocked with GlobalBlocking
CVE-2012-4381 Password saved always to the local MediaWiki database
CVE-2012-4382 Metadata about blocks
1) Stored XSS via a File::link to a non-existing image

Upstream bug:
[1] https://bugzilla.wikimedia.org/show_bug.cgi?id=39700

Upstream patch against the 1.19 version:
[2] https://bugzilla.wikimedia.org/show_bug.cgi?id=39700#c11
Upstream patch against the 1.18 version:
[3] https://bugzilla.wikimedia.org/show_bug.cgi?id=39700#c12

References:
[4] http://www.gossamer-threads.com/lists/wiki/mediawiki/295767
[5] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=686330
[6] https://bugzilla.redhat.com/show_bug.cgi?id=853409
Please use CVE-2012-4377 for this issue.
2) Multiple DOM-based XSS flaws due to improper filtering of uselang parameter in combination with JS gadgets

Upstream bug:
[7] https://bugzilla.wikimedia.org/show_bug.cgi?id=37587

Relevant upstream patch:
[8] https://gerrit.wikimedia.org/r/#/c/13336/

References:
[9] http://www.gossamer-threads.com/lists/wiki/mediawiki/295767
[10] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=686330
[11] https://bugzilla.redhat.com/show_bug.cgi?id=853417
Please use CVE-2012-4378 for this issue.
3) CSRF tokens, available via API, not protected when X-Frame-Options headers used

Upstream bug:
[12] https://bugzilla.wikimedia.org/show_bug.cgi?id=39180

Relevant upstream patch:
[13] https://gerrit.wikimedia.org/r/#/c/20472/

References:
[14] http://www.gossamer-threads.com/lists/wiki/mediawiki/295767
[15] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=686330
[16] https://bugzilla.redhat.com/show_bug.cgi?id=853426
Please use CVE-2012-4379 for this issue.
4) Did not prevent account creation for IP addresses blocked with GlobalBlocking

Upstream bug:
[17] https://bugzilla.wikimedia.org/show_bug.cgi?id=39824

Upstream patch against the 1.18 version:
[18] https://bugzilla.wikimedia.org/show_bug.cgi?id=39824#c0

References:
[19] http://www.gossamer-threads.com/lists/wiki/mediawiki/295767
[20] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=686330
[21] https://bugzilla.redhat.com/show_bug.cgi?id=853440
Please use CVE-2012-4380 for this issue.
5) Password saved always to the local MediaWiki database and possibility to use old passwords for non-existing accounts in the external auth system

Upstream bug:
[22] https://bugzilla.wikimedia.org/show_bug.cgi?id=39184

Upstream patch:
[23] https://bugzilla.wikimedia.org/show_bug.cgi?id=39184#c1

References:
[24] http://www.gossamer-threads.com/lists/wiki/mediawiki/295767
[25] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=686330
[26] https://bugzilla.redhat.com/show_bug.cgi?id=853442
Please use CVE-2012-4381 for this issue.
6) Metadata about blocks, hidden by a user with suppression rights, was visible to administrators

Upstream bug:
[27] https://bugzilla.wikimedia.org/show_bug.cgi?id=39823

Patch for 1.18 branch:
[28] https://bugzilla.wikimedia.org/show_bug.cgi?id=39823#c1

References:
[29] http://www.gossamer-threads.com/lists/wiki/mediawiki/295767
[30] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=686330
[31] No Red Hat bugzilla entry, since this did not affect MediaWiki versions, as shipped across various Red Hat products.
Please use CVE-2012-4382 for this issue.
Could you allocate CVE ids for these?

Thank you && Regards, Jan.
--
Jan iankko Lieskovsky / Red Hat Security Response Team
--
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993