[arch-security] [ASA-201711-20] mediawiki: multiple issues

Levente Polyak anthraxx at archlinux.org
Wed Nov 15 22:19:40 UTC 2017


Arch Linux Security Advisory ASA-201711-20
==========================================

Severity: High
Date    : 2017-11-15
CVE-ID  : CVE-2017-0361 CVE-2017-8808 CVE-2017-8809 CVE-2017-8810
          CVE-2017-8811 CVE-2017-8812 CVE-2017-8814 CVE-2017-8815
Package : mediawiki
Type    : multiple issues
Remote  : Yes
Link    : https://security.archlinux.org/AVG-490

Summary
=======

The package mediawiki before version 1.29.2-1 is vulnerable to multiple
issues including cross-site scripting, information disclosure, url
request injection and insufficient validation.

Resolution
==========

Upgrade to 1.29.2-1.

# pacman -Syu "mediawiki>=1.29.2-1"

The problems have been fixed upstream in version 1.29.2.

Workaround
==========

None.

Description
===========

- CVE-2017-0361 (information disclosure)

MediaWiki before 1.29.2 may leak passwords in plaintext. API parameters
may now be marked as "sensitive" to keep their values out of the logs.

- CVE-2017-8808 (cross-site scripting)

MediaWiki before 1.27.4, 1.28.x before 1.28.3, and 1.29.x before 1.29.2
has XSS when the $wgShowExceptionDetails setting is false and the
browser sends non-standard URL escaping.

- CVE-2017-8809 (url request injection)

api.php in MediaWiki before 1.27.4, 1.28.x before 1.28.3, and 1.29.x
before 1.29.2 has a Reflected File Download vulnerability.

- CVE-2017-8810 (information disclosure)

MediaWiki before 1.27.4, 1.28.x before 1.28.3, and 1.29.x before
1.29.2, when a private wiki is configured, provides different error
messages for failed login attempts depending on whether the username
exists, which allows remote attackers to enumerate account names and
conduct brute-force attacks via a series of requests.

- CVE-2017-8811 (cross-site scripting)

The implementation of raw message parameter expansion in MediaWiki
before 1.27.4, 1.28.x before 1.28.3, and 1.29.x before 1.29.2 allows
HTML mangling attacks.

- CVE-2017-8812 (insufficient validation)

MediaWiki before 1.27.4, 1.28.x before 1.28.3, and 1.29.x before 1.29.2
allows remote attackers to inject > (greater than) characters via the
id attribute of a headline.

- CVE-2017-8814 (cross-site scripting)

The language converter in MediaWiki before 1.27.4, 1.28.x before
1.28.3, and 1.29.x before 1.29.2 allows attackers to replace text
inside tags via a rule definition followed by "a lot of junk."

- CVE-2017-8815 (cross-site scripting)

The language converter in MediaWiki before 1.27.4, 1.28.x before
1.28.3, and 1.29.x before 1.29.2 allows attribute injection attacks via
glossary rules.
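
Added example, not part of the original advisory: a POSIX shell check that
classifies a MediaWiki version string against the fixed releases named in the
descriptions above (1.27.4, 1.28.3, 1.29.2). The function names ver_lt and
mw_status are illustrative, and the versions in the comments are constructed
sample values.

```shell
#!/bin/sh
# Added example (not from the advisory). Usage: ./mwcheck.sh VERSION [CVE]
#   ./mwcheck.sh 1.29.1-1                (constructed sample input)
#   ./mwcheck.sh 1.27.4 CVE-2017-0361    (constructed sample input)

# ver_lt A B: succeed when dotted numeric version A is strictly older than B.
ver_lt() {
    a=$1. b=$2.
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*} y=${b%%.*}       # leading component of each version
        a=${a#*.} b=${b#*.}         # remainder after the first dot
        [ "${x:-0}" -lt "${y:-0}" ] && return 0
        [ "${x:-0}" -gt "${y:-0}" ] && return 1
    done
    return 1                        # equal versions are not "older"
}

# mw_status VERSION [CVE]: print "vulnerable", "fixed" or "unknown".
mw_status() {
    v=${1#*:}                       # drop an Arch epoch prefix such as "1:"
    v=${v%%-*}                      # drop the Arch pkgrel suffix such as "-1"
    case $v in
        ''|.*|*[!0-9.]*) echo unknown; return 2 ;;
    esac
    case $2:$v in
        # The advisory words CVE-2017-0361 only as "before 1.29.2".
        CVE-2017-0361:*) fixed=1.29.2 ;;
        *:1.27|*:1.27.*) fixed=1.27.4 ;;
        *:1.28|*:1.28.*) fixed=1.28.3 ;;
        # 1.29.x, plus anything older or newer than the listed branches.
        *)               fixed=1.29.2 ;;
    esac
    if ver_lt "$v" "$fixed"; then echo vulnerable; else echo fixed; fi
}

# Run the check only when a version was passed on the command line.
[ "$#" -eq 0 ] || mw_status "$@"
```

On Arch the input can come from `pacman -Q mediawiki`, whose second field is
the installed package version.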

Impact
======

A remote attacker is able to perform a cross-site scripting attack by
injecting JavaScript into the site, disclose information or perform a
reflected file download attack.

References
==========

https://lists.wikimedia.org/pipermail/mediawiki-announce/2017-November/000216.html
https://lists.wikimedia.org/pipermail/mediawiki-announce/2017-April/000207.html
https://phabricator.wikimedia.org/T125177
https://phabricator.wikimedia.org/T180488
https://github.com/wikimedia/mediawiki/commit/8b0220e81ba462d21d8e1facbe6aed047f7418a2
https://github.com/wikimedia/mediawiki/commit/59ce3456a8007d76875fe8fb21eff4a90b214034
https://phabricator.wikimedia.org/T178451
https://github.com/wikimedia/mediawiki/commit/1713ddeff12b263fb7634796dc029d3fe26ade41
https://phabricator.wikimedia.org/T128209
https://github.com/wikimedia/mediawiki/commit/9bf2c01ea238d0e71c56bad7341c89345855bd5d
https://phabricator.wikimedia.org/T134100
https://github.com/wikimedia/mediawiki/commit/e7ea90509c73c60b665b8f63e3bb95b1adfec78c
https://phabricator.wikimedia.org/T176247
https://github.com/wikimedia/mediawiki/commit/410c00a9ae92411d3d1568e84c4aa2579a577635
https://phabricator.wikimedia.org/T125163
https://github.com/wikimedia/mediawiki/commit/31041e4557c2f4b96ef0a16e44bf6be5566a9ffb
https://phabricator.wikimedia.org/T124404
https://github.com/wikimedia/mediawiki/commit/fbe78cfa094645b907d0fd2885c5797321f794eb
https://phabricator.wikimedia.org/T119158
https://github.com/wikimedia/mediawiki/commit/f21f3942eb10d7e688eb25261ac3a9478268cbd3
https://security.archlinux.org/CVE-2017-0361
https://security.archlinux.org/CVE-2017-8808
https://security.archlinux.org/CVE-2017-8809
https://security.archlinux.org/CVE-2017-8810
https://security.archlinux.org/CVE-2017-8811
https://security.archlinux.org/CVE-2017-8812
https://security.archlinux.org/CVE-2017-8814
https://security.archlinux.org/CVE-2017-8815
