Date: Wed, 7 Apr 2010 20:10:34 -0400 (EDT) From: Josh Bressers <bressers@...hat.com> To: oss-security@...ts.openwall.com Cc: coley <coley@...re.org> Subject: Re: CVE Request: MediaWiki 1.15.3 -- Login CSRF Please use CVE-2010-1150 for this. Thanks -- JB ----- "Reed Loden" <reed@...dloden.com> wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > Greetings, > > MediaWiki 1.15.3 was just (20 min. ago) released to fix a CSRF > issue >  in the login process, so need a CVE assigned to track the > problem. > > ============ > MediaWiki was found to be vulnerable to login CSRF. An attacker who > controls a user account on the target wiki can force the victim to > log > in as the attacker, via a script on an external website. If the wiki > is > configured to allow user scripts, say with "$wgAllowUserJs = true" in > LocalSettings.php, then the attacker can proceed to mount a > phishing-style attack against the victim to obtain their password. > > Even without user scripting, this attack is a potential nuisance, and > so > all public wikis should be upgraded if possible. > > Our fix includes a breaking change to the API login action. Any > clients > using it will need to be updated. We apologise for making such a > disruptive change in a minor release, but we feel that security is > paramount. > ============ > > Regards, > ~reed > >  > http://lists.wikimedia.org/pipermail/mediawiki-announce/2010-April/000090.html >  https://bugzilla.wikimedia.org/show_bug.cgi?id=23076 > > - -- > Reed Loden - <reed@...dloden.com> > > -----BEGIN PGP SIGNATURE----- > Version: GnuPG v1.4.9 (GNU/Linux) > > iEYEARECAAYFAku7304ACgkQa6IiJvPDPVozkQCgv4DUtGwOzEgDY0m+/dNXbO/t > LIQAnj7OdyY8THs+KjSbwRgri0O8Kbu1 > =lq2I > -----END PGP SIGNATURE----- -- JB
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ