oss-sec mailing list archives
CVE Request -- MediaWiki 1.19.2 and 1.18.5 multiple security flaws
From: Jan Lieskovsky <jlieskov () redhat com>
Date: Fri, 31 Aug 2012 10:34:38 -0400 (EDT)
Hello Kurt, Steve, vendors,

multiple security flaws were corrected in recent (1.19.2, and 1.18.5) versions of MediaWiki, a wiki engine:

1) Stored XSS via a File::link to a non-existing image

Upstream bug:
[1] https://bugzilla.wikimedia.org/show_bug.cgi?id=39700

Upstream patch against the 1.19 version:
[2] https://bugzilla.wikimedia.org/show_bug.cgi?id=39700#c11

Upstream patch against the 1.18 version:
[3] https://bugzilla.wikimedia.org/show_bug.cgi?id=39700#c12

References:
[4] http://www.gossamer-threads.com/lists/wiki/mediawiki/295767
[5] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=686330
[6] https://bugzilla.redhat.com/show_bug.cgi?id=853409

2) Multiple DOM-based XSS flaws due to improper filtering of uselang parameter in combination with JS gadgets

Upstream bug:
[7] https://bugzilla.wikimedia.org/show_bug.cgi?id=37587

Relevant upstream patch:
[8] https://gerrit.wikimedia.org/r/#/c/13336/

References:
[9] http://www.gossamer-threads.com/lists/wiki/mediawiki/295767
[10] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=686330
[11] https://bugzilla.redhat.com/show_bug.cgi?id=853417

3) CSRF tokens, available via API, not protected when X-Frame-Options headers used

Upstream bug:
[12] https://bugzilla.wikimedia.org/show_bug.cgi?id=39180

Relevant upstream patch:
[13] https://gerrit.wikimedia.org/r/#/c/20472/

References:
[14] http://www.gossamer-threads.com/lists/wiki/mediawiki/295767
[15] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=686330
[16] https://bugzilla.redhat.com/show_bug.cgi?id=853426

4) Did not prevent account creation for IP addresses blocked with GlobalBlocking

Upstream bug:
[17] https://bugzilla.wikimedia.org/show_bug.cgi?id=39824

Upstream patch against the 1.18 version:
[18] https://bugzilla.wikimedia.org/show_bug.cgi?id=39824#c0

References:
[19] http://www.gossamer-threads.com/lists/wiki/mediawiki/295767
[20] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=686330
[21] https://bugzilla.redhat.com/show_bug.cgi?id=853440

5) Password saved always to the local MediaWiki database and possibility to use old passwords for non-existing accounts in the external auth system

Upstream bug:
[22] https://bugzilla.wikimedia.org/show_bug.cgi?id=39184

Upstream patch:
[23] https://bugzilla.wikimedia.org/show_bug.cgi?id=39184#c1

References:
[24] http://www.gossamer-threads.com/lists/wiki/mediawiki/295767
[25] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=686330
[26] https://bugzilla.redhat.com/show_bug.cgi?id=853442

6) Metadata about blocks, hidden by a user with suppression rights, was visible to administrators

Upstream bug:
[27] https://bugzilla.wikimedia.org/show_bug.cgi?id=39823

Patch for 1.18 branch:
[28] https://bugzilla.wikimedia.org/show_bug.cgi?id=39823#c1

References:
[29] http://www.gossamer-threads.com/lists/wiki/mediawiki/295767
[30] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=686330
[31] No Red Hat bugzilla entry, since this did not affect MediaWiki versions, as shipped across various Red Hat products.

Could you allocate CVE ids for these?

Thank you && Regards, Jan.
--
Jan iankko Lieskovsky / Red Hat Security Response Team
