Home page logo

oss-sec logo oss-sec mailing list archives

CVEs for MediaWiki security and maintenance release 1.18.2
From: Kurt Seifried <kseifried () redhat com>
Date: Fri, 23 Mar 2012 22:46:35 -0600

These issues affect Mediawiki 1.18.1 (just stating the obvious =).

I would like to announce the release of MediaWiki 1.18.2. Five security
issues were discovered.

It was discovered that the api had a cross-site request forgery (CSRF)
vulnerability in the block/unblock modules. It was possible for a user
account with the block privileges to block or unblock another user without
providing a token.

For more details, see https://bugzilla.wikimedia.org/show_bug.cgi?id=34212

Please use CVE-2012-1578 for this issue.

It was discovered that the resource loader can leak certain kinds of
data across domain origin boundaries, by providing the data as an
JavaScript file. In MediaWiki 1.18 and later, this includes the
leaking of CSRF
protection tokens. This allows compromise of the wiki's user accounts,
say by
changing the user's email address and then requesting a password reset.

For more details, see https://bugzilla.wikimedia.org/show_bug.cgi?id=34907

Please use CVE-2012-1579 for this issue.

Jan Schejbal of Hatforce.com discovered a cross-site request forgery
vulnerability in Special:Upload. Modern browsers (since at least as
early as
December 2010) are able to post file uploads without user interaction,
violating previous security assumptions within MediaWiki.

Depending on the wiki's configuration, this vulnerability could lead
to further
compromise, especially on private wikis where the set of allowed file
types is
broader than on public wikis. Note that CSRF allows compromise of a
wiki from
an external website even if the wiki is behind a firewall.

For more details, see https://bugzilla.wikimedia.org/show_bug.cgi?id=35317

Please use CVE-2012-1580 for this issue.

George Argyros and Aggelos Kiayias reported that the method used to
password reset tokens is not sufficiently secure. Instead we use
various more
secure random number generators, depending on what is available on the
platform. Windows users are strongly advised to install either the openssl
extension or the mcrypt extension for PHP so that MediaWiki can take
of the cryptographic random number facility provided by Windows.

Any extension developers using mt_rand() to generate random numbers in
where security is required are encouraged to instead make use of the
MWCryptRand class introduced with this release.

For more details, see https://bugzilla.wikimedia.org/show_bug.cgi?id=35078

Please use CVE-2012-1581 for this issue.

A long-standing bug in the wikitext parser (bug 22555) was discovered
to have
security implications. In the presence of the popular CharInsert
extension, it
leads to cross-site scripting (XSS). XSS may be possible with other
or perhaps even the MediaWiki core alone, although this is not
confirmed at
this time. A denial-of-service attack (infinite loop) is also possible
regardless of configuration.

For more details, see https://bugzilla.wikimedia.org/show_bug.cgi?id=35315

Please use CVE-2012-1582 for this issue.

Full release notes:


Co-inciding with these security releases, the MediaWiki source code
repository has
moved from SVN (at
to Git (https://gerrit.wikimedia.org/gitweb/mediawiki/core.git). So
the relevant
commits for these releases will not be appearing in our SVN
repository. If you use
SVN checkouts of MediaWiki for version control, you need to migrate
these to Git.
If you up are using tarballs, there should be no change in the process
for you.

Please note that any WMF-deployed extensions have also been migrated
to Git
also, along with some other non WMF-maintained ones.

Please bear with us, some of the Git related links for this release
may not
work instantly, but should later on.

To do a simple Git clone, the command is:
git clone https://gerrit.wikimedia.org/r/p/mediawiki/core.git

More information is available at https://www.mediawiki.org/wiki/Git

For more help, please visit the #mediawiki IRC channel on freenode.net
irc://irc.freenode.net/mediawiki or email The MediaWiki-l mailing list
at mediawiki-l at lists.wikimedia.org.


Patch to previous version (1.18.1), without interface text:
Interface text changes:


GPG signatures:


Public keys:

Kurt Seifried Red Hat Security Response Team (SRT)

  By Date           By Thread  

Current thread:
  • CVEs for MediaWiki security and maintenance release 1.18.2 Kurt Seifried (Mar 24)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]