Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date: Tue, 6 Apr 2010 20:26:38 -0500
From: Reed Loden <reed@...dloden.com>
To: oss-security@...ts.openwall.com
Subject: CVE Request: MediaWiki 1.15.3 -- Login CSRF

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Greetings,

MediaWiki 1.15.3 was just (20 min. ago) released[0] to fix a CSRF issue
[1] in the login process, so need a CVE assigned to track the problem.

============
MediaWiki was found to be vulnerable to login CSRF. An attacker who
controls a user account on the target wiki can force the victim to log
in as the attacker, via a script on an external website. If the wiki is
configured to allow user scripts, say with "$wgAllowUserJs = true" in
LocalSettings.php, then the attacker can proceed to mount a
phishing-style attack against the victim to obtain their password.

Even without user scripting, this attack is a potential nuisance, and so
all public wikis should be upgraded if possible.

Our fix includes a breaking change to the API login action. Any clients
using it will need to be updated. We apologise for making such a
disruptive change in a minor release, but we feel that security is
paramount.
============

Regards,
~reed

[0] http://lists.wikimedia.org/pipermail/mediawiki-announce/2010-April/000090.html
[1] https://bugzilla.wikimedia.org/show_bug.cgi?id=23076

- -- 
Reed Loden - <reed@...dloden.com>

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iEYEARECAAYFAku7304ACgkQa6IiJvPDPVozkQCgv4DUtGwOzEgDY0m+/dNXbO/t
LIQAnj7OdyY8THs+KjSbwRgri0O8Kbu1
=lq2I
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ