[arch-security] [ASA-201608-19] mediawiki: multiple issues
Chris.Rebischke at archlinux.org
Fri Aug 26 15:34:25 UTC 2016
Arch Linux Security Advisory ASA-201608-19
Date : 2016-08-26
CVE-ID : CVE-2016-6331 CVE-2016-6332 CVE-2016-6333 CVE-2016-6334
CVE-2016-6335 CVE-2016-6336 CVE-2016-6337
Package : mediawiki
Type : multiple issues
Remote : Yes
Link : https://wiki.archlinux.org/index.php/CVE
The package mediawiki before version 1.27.1-1 is vulnerable to multiple
issues including cross-site scripting, information disclosure and
Upgrade to 1.27.1-1.
# pacman -Syu "mediawiki>=1.27.1-1"
The problems have been fixed upstream in version 1.27.1.
- CVE-2016-6331 (permission bypass)
Check read permission when loading page content in ApiParse. Prevents
leaking page contents for extensions that deny read rights to certain
pages via a userCan hook, but still allow the user to have read rights
- CVE-2016-6332 (permission bypass)
Make $wgBlockDisablesLogin also restrict logged in permissions. Does
both Title and user related methods, so it catches things that only call
$wgUser->isAllowed( 'read' ), as well as giving a nicer error message
for things that use $title->userCan(). Otherwise, the user can still do
stuff and read pages if they have an ongoing session.
- CVE-2016-6333 (cross-site scripting)
Escape '<' and ']]>' in inline <style> blocks. This is to prevent
people from closing the <style> tag, and then doing arbitrary js-y
things. In particular, this is needed for when previewing user css
pages. This does not escape '>' since its used as the child selector in
css, and generally speaking, '>' is safe inside the contents of
- CVE-2016-6334 (cross-site scripting)
rawurldecode was being run on unclosed internal links which could allow
an attacker to insert arbitrary html into the page.
- CVE-2016-6335 (information disclosure)
API: Generate head items in the context of the given title.
$context->getOutput() returns an OutputPage tied to the main
RequestContext at the root of the chain, not to the modified context
we're actually using.
- CVE-2016-6336 (permission bypass)
Do not allow undeleting a revision deleted file if it is the top file.
This prevents admins being able to view suppressed files, by simply
deleting them, and then undeleting only the file revision that they want
- CVE-2016-6337 (permission bypass)
Move 'UserGetRights' call before application of
Session::getAllowedUserRights(). This prevents hook functions from
accidentally adding rights that should be denied based on the session
grants. If some extension really needs to be able to override session
grants, add a new hook where the old call was, with documentation
explicitly warning about the security implications.
victim's browser, bypass permissions or get information he/she isn't
supposed to see.
-------------- next part --------------
A non-text attachment was scrubbed...
Size: 801 bytes
Desc: not available
More information about the arch-security