First published: Tue Oct 20 2015
Several flaws were found in MediaWiki:

* Wikipedia user RobinHood70 reported that the API failed to correctly stop adding new chunks to the upload when the reported size was exceeded, allowing a malicious user to add an infinite number of chunks for a single file upload. <https://phabricator.wikimedia.org/T91203>
* Wikipedia user RobinHood70 also reported that a malicious user could upload chunks of 1 byte for very large files, potentially creating a very large number of files on the server's filesystem. <https://phabricator.wikimedia.org/T91205>
* Internal review discovered that it is not possible to throttle file uploads. <https://phabricator.wikimedia.org/T91850>
* Internal review discovered a missing authorization check when removing suppression from a revision. This allowed users with the 'viewsuppressed' user right but not the appropriate 'suppressrevision' user right to unsuppress revisions. <https://phabricator.wikimedia.org/T95589>
* Richard Stanway from teamliquid.net reported that thumbnails of PNG files generated with ImageMagick contained the local file path in the image metadata. <https://phabricator.wikimedia.org/T108616>
* Extension:PageTriage - MediaWiki user Grunny discovered a DOM-based XSS in the way the extension handled page titles. <https://phabricator.wikimedia.org/T111029>
* Extension:Echo - Internal review discovered that Echo could display deleted or suppressed usernames when the username was previously used to Thank users. <https://phabricator.wikimedia.org/T110553>
* Extension:OAuth - Wikipedia user Sitic discovered that the OAuth extension did not correctly enforce the IP restrictions of a Consumer when using previously negotiated credentials. <https://phabricator.wikimedia.org/T103022>
* Extension:OAuth - Wikipedia user Sitic discovered that OAuth would accept a valid signature from any Consumer when checking the authorization signature. This allowed a registered Consumer who gained access to another Consumer's users' access tokens and secrets to use those credentials. <https://phabricator.wikimedia.org/T103023>

CVE request and original report: <http://seclists.org/oss-sec/2015/q4/104>
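
The two chunked-upload flaws above (T91203 and T91205) both come down to missing server-side bounds on each chunk. The following Python sketch is an added illustration, not MediaWiki's code or its actual fix; the class, function names and both limit values are hypothetical. It shows the checks a chunk handler needs: contiguous offsets, a hard stop at the declared size, a minimum size for every chunk except the last, and a cap on the chunk count.

```python
from dataclasses import dataclass

MIN_CHUNK_BYTES = 1024   # assumed floor for every chunk except the final one
MAX_CHUNKS = 1000        # assumed cap on chunk files stored per upload

class ChunkRejected(Exception):
    """Raised when a chunk would break the upload's declared limits."""

@dataclass
class ChunkedUpload:
    declared_size: int   # total file size the client announced up front
    received: int = 0    # bytes accepted so far
    chunks: int = 0      # chunk files stored so far

    def accept(self, offset: int, data: bytes) -> bool:
        """Validate one chunk; return True once the upload is complete."""
        if self.received >= self.declared_size:
            raise ChunkRejected("upload already complete")
        if offset != self.received:
            raise ChunkRejected("offset does not match bytes received")
        if not data:
            raise ChunkRejected("empty chunk")
        end = offset + len(data)
        # Unbounded-chunk flaw: the total may never pass the declared size.
        if end > self.declared_size:
            raise ChunkRejected("chunk exceeds declared file size")
        # 1-byte-chunk flaw: only the final chunk may be small.
        if end < self.declared_size and len(data) < MIN_CHUNK_BYTES:
            raise ChunkRejected("non-final chunk below minimum size")
        if self.chunks + 1 > MAX_CHUNKS:
            raise ChunkRejected("too many chunks for one upload")
        self.received, self.chunks = end, self.chunks + 1
        return self.received == self.declared_size

def try_accept(upload: ChunkedUpload, offset: int, data: bytes) -> str:
    """Report the outcome of one chunk as a string instead of raising."""
    try:
        return "complete" if upload.accept(offset, data) else "accepted"
    except ChunkRejected as exc:
        return f"rejected: {exc}"

if __name__ == "__main__":
    up = ChunkedUpload(declared_size=3000)      # constructed sample upload
    print(try_accept(up, 0, b"a" * 2048))       # accepted
    print(try_accept(up, 2048, b"b"))           # rejected: 1-byte non-final chunk
    print(try_accept(up, 2048, b"c" * 2000))    # rejected: exceeds declared size
    print(try_accept(up, 2048, b"d" * 952))     # complete
    print(try_accept(up, 3000, b"e"))           # rejected: already complete
```

A rejected chunk leaves the upload state unchanged, so a client that sends a bad chunk can neither advance the offset nor create another stored file.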
Credit: cve@mitre.org
Affected Software | Affected Version | How to fix |
---|---|---|
redhat/mediawiki | <1.25.3 | 1.25.3 |
redhat/mediawiki | <1.24.4 | 1.24.4 |
redhat/mediawiki | <1.23.11 | 1.23.11 |
MediaWiki MediaWiki | <=1.23.10 | |
MediaWiki MediaWiki | =1.24.0 | |
MediaWiki MediaWiki | =1.24.1 | |
MediaWiki MediaWiki | =1.24.2 | |
MediaWiki MediaWiki | =1.24.3 | |
MediaWiki MediaWiki | =1.25.0 | |
MediaWiki MediaWiki | =1.25.1 | |
MediaWiki MediaWiki | =1.25.2 | |