oss-sec mailing list archives

Re: CVE Request -- MediaWiki 1.19.2 and 1.18.5 multiple security flaws


From: Kurt Seifried <kseifried () redhat com>
Date: Fri, 31 Aug 2012 11:51:51 -0600

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 08/31/2012 08:34 AM, Jan Lieskovsky wrote:
> Hello Kurt, Steve, vendors,
> 
> multiple security flaws were corrected in recent (1.19.2, and
> 1.18.5) versions of MediaWiki, a wiki engine:

Top posting and in line:

CVE-2012-4377 Stored XSS via a File::link to a non-existing image

CVE-2012-4378 Multiple DOM-based XSS flaws due to improper filtering of
uselang parameter

CVE-2012-4379 CSRF tokens, available via API, not protected when
X-Frame-Options headers used

CVE-2012-4380 Did not prevent account creation for IP addresses
blocked with GlobalBlocking

CVE-2012-4381 Password saved always to the local MediaWiki database

CVE-2012-4382 Metadata about blocks

> 1) Stored XSS via a File::link to a non-existing image
> Upstream bug: [1]
> https://bugzilla.wikimedia.org/show_bug.cgi?id=39700
> 
> Upstream patch against the 1.19 version: [2]
> https://bugzilla.wikimedia.org/show_bug.cgi?id=39700#c11
> 
> Upstream patch against the 1.18 version: [3]
> https://bugzilla.wikimedia.org/show_bug.cgi?id=39700#c12
> 
> References:
> [4] http://www.gossamer-threads.com/lists/wiki/mediawiki/295767
> [5] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=686330
> [6] https://bugzilla.redhat.com/show_bug.cgi?id=853409

Please use CVE-2012-4377 for this issue.

> 2) Multiple DOM-based XSS flaws due to improper filtering of uselang
> parameter in combination with JS gadgets
> Upstream bug: [7]
> https://bugzilla.wikimedia.org/show_bug.cgi?id=37587
> 
> Relevant upstream patch: [8]
> https://gerrit.wikimedia.org/r/#/c/13336/
> 
> References:
> [9] http://www.gossamer-threads.com/lists/wiki/mediawiki/295767
> [10] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=686330
> [11] https://bugzilla.redhat.com/show_bug.cgi?id=853417

Please use CVE-2012-4378 for this issue.

> 3) CSRF tokens, available via API, not protected when
> X-Frame-Options headers used
> Upstream bug: [12]
> https://bugzilla.wikimedia.org/show_bug.cgi?id=39180
> 
> Relevant upstream patch: [13]
> https://gerrit.wikimedia.org/r/#/c/20472/
> 
> References:
> [14] http://www.gossamer-threads.com/lists/wiki/mediawiki/295767
> [15] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=686330
> [16] https://bugzilla.redhat.com/show_bug.cgi?id=853426

Please use CVE-2012-4379 for this issue.

> 4) Did not prevent account creation for IP addresses blocked with
> GlobalBlocking
> Upstream bug: [17]
> https://bugzilla.wikimedia.org/show_bug.cgi?id=39824
> 
> Upstream patch against the 1.18 version: [18]
> https://bugzilla.wikimedia.org/show_bug.cgi?id=39824#c0
> 
> References:
> [19] http://www.gossamer-threads.com/lists/wiki/mediawiki/295767
> [20] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=686330
> [21] https://bugzilla.redhat.com/show_bug.cgi?id=853440

Please use CVE-2012-4380 for this issue.

> 5) Password saved always to the local MediaWiki database and
> possibility to use old passwords for non-existing accounts in the
> external auth system
> Upstream bug: [22]
> https://bugzilla.wikimedia.org/show_bug.cgi?id=39184
> 
> Upstream patch: [23]
> https://bugzilla.wikimedia.org/show_bug.cgi?id=39184#c1
> 
> References:
> [24] http://www.gossamer-threads.com/lists/wiki/mediawiki/295767
> [25] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=686330
> [26] https://bugzilla.redhat.com/show_bug.cgi?id=853442

Please use CVE-2012-4381 for this issue.

> 6) Metadata about blocks, hidden by a user with suppression
> rights, was visible to administrators
> Upstream bug: [27]
> https://bugzilla.wikimedia.org/show_bug.cgi?id=39823
> 
> Patch for 1.18 branch: [28]
> https://bugzilla.wikimedia.org/show_bug.cgi?id=39823#c1
> 
> References:
> [29] http://www.gossamer-threads.com/lists/wiki/mediawiki/295767
> [30] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=686330
> [31] No Red Hat bugzilla entry, since this did not affect MediaWiki
> versions, as shipped across various Red Hat products.

Please use CVE-2012-4382 for this issue.

> Could you allocate CVE ids for these?
> 
> Thank you && Regards, Jan.
> -- 
> Jan iankko Lieskovsky / Red Hat Security Response Team



- -- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://www.enigmail.net/

iQIcBAEBAgAGBQJQQPm3AAoJEBYNRVNeJnmTQ/kP/RcvMqfAx+L+PD78RPypQYnd
zZdoe5InbG+taAScuCn8hK1E5CSUJwD2tW6hCHIL20w7iIeoJGYQX9VjdMf27nK5
dXhYODptEX/StCXkzXo79/KThEn7gneaolO0wNdhC7Nl+Jp2+0bFtVxbqOCcBVPn
z3GKzQ4dvxJbFSMH7Id+agXVuPEaQHuz2+0cg20xfUow7YfWAcmdlm+ARuLN1abh
MGlSOoY7QGRxTX/PqXeduaPWAu+Fsz+lPPC13kCXtNAhRysQeFdIcAodnRZ7SRuR
mnj2YfzS+XjzjIF596G6a9n/YyAtWebkJedg6k9q3BuUbSGe/9nHxn3F0EDID+wT
SoeCvRCDs6WfvJ5OP0ZYeE+z2boVpzA2L12JfR1iW22zYy/Y779yeS3dsjAtB7NE
EZ5RXch/WEuHSeIa0CFFFEPL6Y76TpM5oZXp/R+MNiIzwwCcfUMI47P9sUsklsaM
7lMjguJoT5xVGiTc8SnyY5k2MFt3iDU5+zpaG8k1qYq7Vj1pq3byeLhDsmI3I3+w
ZCcuCH8/Mh7a9hGviLYB5AVZoCkB9qSYoSmHbfudq05rGsru+tk/NOa1oUC9LNUn
AkYTlfssO8rBSeZ2Lg7MlHAmzmMz8QTf3OGA/E8RPkTv1qXqJvcAf+SyMe9a16Ob
XtXUaz1oZxoBqRc1W/x+
=CMss
-----END PGP SIGNATURE-----
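Item 2 above (CVE-2012-4378) describes the class of DOM-based XSS in which a client-side gadget takes the `uselang` request parameter and places it into the page without validating it. The following is an added illustration of that class and its defence, not MediaWiki code and not the upstream patch: the gadget, the banner markup, the `getUselang`/`isValidLangCode`/`safeBanner` helpers and the accepted language-code shape (lowercase letters, digits and hyphens) are all assumptions made for this example.

```javascript
// Added example, not MediaWiki code: treat a language code read from the
// URL as untrusted input before it reaches an HTML context.

// Assumed shape of a well-formed interface language code, e.g. "en",
// "de-ch", "zh-hans". Anything outside this set is rejected outright.
const LANG_CODE_RE = /^[a-z][a-z0-9-]{0,19}$/;

// Extract ?uselang=... from a query string; null when absent.
// (URLSearchParams is available in browsers and in Node.)
function getUselang(queryString) {
  return new URLSearchParams(queryString).get("uselang");
}

function isValidLangCode(code) {
  return typeof code === "string" && LANG_CODE_RE.test(code);
}

// Minimal HTML escaper for text that will be inserted as markup.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// The unsafe pattern: the parameter is concatenated straight into HTML,
// so any markup in it becomes part of the DOM. Returned as a string here
// so it can be inspected without a browser.
function unsafeBanner(uselang) {
  return '<div class="lang-notice">Interface language: ' + uselang + "</div>";
}

// The hardened pattern: reject anything that is not a well-formed code,
// fall back to a known-good default, and escape the value regardless.
function safeBanner(uselang, fallback = "en") {
  const code = isValidLangCode(uselang) ? uselang : fallback;
  return '<div class="lang-notice">Interface language: ' + escapeHtml(code) + "</div>";
}

// In a real gadget the same checks apply before any DOM write; prefer
// element.textContent over innerHTML for the code itself:
//   el.textContent = isValidLangCode(code) ? code : "en";
function renderBannerFromQuery(queryString) {
  return safeBanner(getUselang(queryString));
}
```

The validation step is the important one: escaping alone protects the HTML context shown here, but a gadget that also uses the code to build a URL, a script source or a CSS class still needs the value constrained to the expected shape.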