
List:       oss-security
Subject:    Re: [oss-security] CVE Request -- MediaWiki 1.19.2 and 1.18.5 multiple security flaws
From:       Kurt Seifried <kseifried () redhat ! com>
Date:       2012-08-31 17:51:51
Message-ID: 5040F9B7.8040903 () redhat ! com

On 08/31/2012 08:34 AM, Jan Lieskovsky wrote:
> Hello Kurt, Steve, vendors,
> 
> multiple security flaws were corrected in recent (1.19.2, and
> 1.18.5) versions of MediaWiki, a wiki engine:

Top posting and in line:

CVE-2012-4377 Stored XSS via a File::link to a non-existing image

CVE-2012-4378 Multiple DOM-based XSS flaws due to improper filtering of
uselang parameter

CVE-2012-4379 CSRF tokens, available via API, not protected when
X-Frame-Options headers used

CVE-2012-4380 Did not prevent account creation for IP addresses
blocked with GlobalBlocking

CVE-2012-4381 Password saved always to the local MediaWiki database

CVE-2012-4382 Metadata about blocks

> 1) Stored XSS via a File::link to a non-existing image
> 
> Upstream bug:
> [1] https://bugzilla.wikimedia.org/show_bug.cgi?id=39700
> 
> Upstream patch against the 1.19 version:
> [2] https://bugzilla.wikimedia.org/show_bug.cgi?id=39700#c11
> 
> Upstream patch against the 1.18 version:
> [3] https://bugzilla.wikimedia.org/show_bug.cgi?id=39700#c12
> 
> References:
> [4] http://www.gossamer-threads.com/lists/wiki/mediawiki/295767
> [5] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=686330
> [6] https://bugzilla.redhat.com/show_bug.cgi?id=853409

Please use CVE-2012-4377 for this issue.

> 2) Multiple DOM-based XSS flaws due to improper filtering of uselang
> parameter in combination with JS gadgets
> 
> Upstream bug:
> [7] https://bugzilla.wikimedia.org/show_bug.cgi?id=37587
> 
> Relevant upstream patch:
> [8] https://gerrit.wikimedia.org/r/#/c/13336/
> 
> References:
> [9] http://www.gossamer-threads.com/lists/wiki/mediawiki/295767
> [10] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=686330
> [11] https://bugzilla.redhat.com/show_bug.cgi?id=853417

Please use CVE-2012-4378 for this issue.

> 3) CSRF tokens, available via API, not protected when
> X-Frame-Options headers used
> 
> Upstream bug:
> [12] https://bugzilla.wikimedia.org/show_bug.cgi?id=39180
> 
> Relevant upstream patch:
> [13] https://gerrit.wikimedia.org/r/#/c/20472/
> 
> References:
> [14] http://www.gossamer-threads.com/lists/wiki/mediawiki/295767
> [15] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=686330
> [16] https://bugzilla.redhat.com/show_bug.cgi?id=853426

Please use CVE-2012-4379 for this issue.

> 4) Did not prevent account creation for IP addresses blocked with
> GlobalBlocking
> 
> Upstream bug:
> [17] https://bugzilla.wikimedia.org/show_bug.cgi?id=39824
> 
> Upstream patch against the 1.18 version:
> [18] https://bugzilla.wikimedia.org/show_bug.cgi?id=39824#c0
> 
> References:
> [19] http://www.gossamer-threads.com/lists/wiki/mediawiki/295767
> [20] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=686330
> [21] https://bugzilla.redhat.com/show_bug.cgi?id=853440

Please use CVE-2012-4380 for this issue.

> 5) Password saved always to the local MediaWiki database and
> possibility to use old passwords for non-existing accounts in the
> external auth system
> 
> Upstream bug:
> [22] https://bugzilla.wikimedia.org/show_bug.cgi?id=39184
> 
> Upstream patch:
> [23] https://bugzilla.wikimedia.org/show_bug.cgi?id=39184#c1
> 
> References:
> [24] http://www.gossamer-threads.com/lists/wiki/mediawiki/295767
> [25] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=686330
> [26] https://bugzilla.redhat.com/show_bug.cgi?id=853442

Please use CVE-2012-4381 for this issue.

> 6) Metadata about blocks, hidden by a user with suppression
> rights, was visible to administrators
> 
> Upstream bug:
> [27] https://bugzilla.wikimedia.org/show_bug.cgi?id=39823
> 
> Patch for 1.18 branch:
> [28] https://bugzilla.wikimedia.org/show_bug.cgi?id=39823#c1
> 
> References:
> [29] http://www.gossamer-threads.com/lists/wiki/mediawiki/295767
> [30] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=686330
> [31] No Red Hat bugzilla entry, since this did not affect MediaWiki
> versions, as shipped across various Red Hat products.

Please use CVE-2012-4382 for this issue.

> Could you allocate CVE ids for these?
> 
> Thank you && Regards, Jan.
> --
> Jan iankko Lieskovsky / Red Hat Security Response Team
> 


-- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
