[arch-security] [ASA-201512-15] mediawiki: multiple issues
Remi Gacogne
rgacogne at archlinux.org
Fri Dec 25 16:33:48 UTC 2015
Arch Linux Security Advisory ASA-201512-15
==========================================
Severity: Medium
Date : 2015-12-25
CVE-ID : CVE-2015-8622 CVE-2015-8624 CVE-2015-8625 CVE-2015-8626
CVE-2015-8627 CVE-2015-8628
Package : mediawiki
Type : multiple issues
Remote : Yes
Link : https://wiki.archlinux.org/index.php/CVE
Summary
=======
The package mediawiki before version 1.26.2-1 is vulnerable to multiple
issues including XSS, timing attack, sensitive information leak,
password-policy bypass and IP-blocking bypass.
Resolution
==========
Upgrade to 1.26.2-1.
# pacman -Syu "mediawiki>=1.26.2-1"
The problem has been fixed upstream in version 1.26.1.
Workaround
==========
None.
Description
===========
- CVE-2015-8622:
(T117899) XSS from wikitext when $wgArticlePath='$1'. Internal review
discovered an XSS vector when MediaWiki is configured with a
non-standard configuration.
- CVE-2015-8624:
(T119309) User::matchEditToken should use constant-time string
comparison. Internal review discovered that tokens were being compared
as strings, which could allow a timing attack.
- CVE-2015-8625:
(T118032) Error thrown by VirtualRESTService when POST variable starts
with '@'. Internal review discovered that MediaWiki was not sanitizing
parameters passed to the curl library, which could cause curl to upload
files from the webserver to an attacker.
- CVE-2015-8626:
(T115522) Passwords generated by User::randomPassword() may be shorter
than $wgMinimalPasswordLength. MediaWiki user Frank R. Farmer reported
that the password reset token could be shorter than the minimum required
password length.
- CVE-2015-8627:
(T97897) Incorrect parsing of IPs for global block. Wikimedia steward
Vituzzu reported that blocking IP addresses with zero-padded octets
resulted in a failure to block the IP address.
- CVE-2015-8628:
(T109724) A combination of Special:MyPage redirects and pagecounts
allows an external site to know the Wikipedia login of a user.
Wikimedia user Xavier Combelle reported a way to identify a user when
detailed page view data is also released.
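For CVE-2015-8627 above, an added example (not part of the advisory and not MediaWiki's code) of why a block entry and a client address must be canonicalized to one spelling before they are compared. The class and function names are hypothetical, the sample entries are constructed, and zero-padded octets are assumed to be decimal.

```python
import ipaddress

def canonical_ipv4(text):
    """Dotted-quad IPv4 with zero padding removed; octets are read as decimal (assumption)."""
    parts = text.strip().split(".")
    if len(parts) != 4:
        raise ValueError(f"not a dotted quad: {text!r}")
    octets = []
    for part in parts:
        # ASCII digits only, at most three per octet; rejects '', '+1', '0x0a', '1e2'.
        if not (part.isascii() and part.isdigit() and len(part) <= 3):
            raise ValueError(f"bad octet {part!r} in {text!r}")
        value = int(part, 10)
        if value > 255:
            raise ValueError(f"octet out of range in {text!r}")
        octets.append(str(value))
    return ".".join(octets)

def parse_block_target(text):
    """Turn an admin-entered address or CIDR range into an IPv4Network."""
    addr, _, prefix = text.strip().partition("/")
    prefix = prefix or "32"
    return ipaddress.ip_network(f"{canonical_ipv4(addr)}/{prefix}", strict=False)

class NaiveBlocklist:
    """Hypothetical stand-in that compares raw strings and so misses padded entries."""
    def __init__(self, entries):
        self.entries = set(entries)
    def is_blocked(self, client_ip):
        return client_ip in self.entries

class NormalizedBlocklist:
    """Canonicalizes on insert and on lookup, so both sides use one spelling."""
    def __init__(self, entries):
        self.networks = [parse_block_target(e) for e in entries]
    def is_blocked(self, client_ip):
        addr = ipaddress.ip_address(canonical_ipv4(client_ip))
        return any(addr in net for net in self.networks)

# Constructed sample data: block entries as an admin might type them.
ENTRIES = ["010.001.002.003", "192.168.001.000/24"]
naive = NaiveBlocklist(ENTRIES)
fixed = NormalizedBlocklist(ENTRIES)

if __name__ == "__main__":
    for ip in ("10.1.2.3", "192.168.1.77", "10.1.2.4"):
        print(ip, "naive:", naive.is_blocked(ip), "normalized:", fixed.is_blocked(ip))
```

Malformed input raises ValueError instead of being stored, so an entry that can never match is rejected when it is entered.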
Impact
======
A remote attacker might be able to access sensitive information by
tricking the server into uploading file content or by a timing attack. A
remote attacker might be able to bypass password policy and IP blocking
measures.
References
==========
http://seclists.org/oss-sec/2015/q4/573
https://phabricator.wikimedia.org/T97897
https://phabricator.wikimedia.org/T109724
https://phabricator.wikimedia.org/T115522
https://phabricator.wikimedia.org/T117899
https://phabricator.wikimedia.org/T118032
https://phabricator.wikimedia.org/T119309
https://access.redhat.com/security/cve/CVE-2015-8622
https://access.redhat.com/security/cve/CVE-2015-8624
https://access.redhat.com/security/cve/CVE-2015-8625
https://access.redhat.com/security/cve/CVE-2015-8626
https://access.redhat.com/security/cve/CVE-2015-8627
https://access.redhat.com/security/cve/CVE-2015-8628