Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Wed, 7 Apr 2010 20:10:34 -0400 (EDT)
From: Josh Bressers <bressers@...hat.com>
To: oss-security@...ts.openwall.com
Cc: coley <coley@...re.org>
Subject: Re: CVE Request: MediaWiki 1.15.3 -- Login CSRF

Please use CVE-2010-1150 for this.

Thanks

-- 
    JB


----- "Reed Loden" <reed@...dloden.com> wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> Greetings,
> 
> MediaWiki 1.15.3 was just (20 min. ago) released[0] to fix a CSRF
> issue
> [1] in the login process, so need a CVE assigned to track the
> problem.
> 
> ============
> MediaWiki was found to be vulnerable to login CSRF. An attacker who
> controls a user account on the target wiki can force the victim to
> log
> in as the attacker, via a script on an external website. If the wiki
> is
> configured to allow user scripts, say with "$wgAllowUserJs = true" in
> LocalSettings.php, then the attacker can proceed to mount a
> phishing-style attack against the victim to obtain their password.
> 
> Even without user scripting, this attack is a potential nuisance, and
> so
> all public wikis should be upgraded if possible.
> 
> Our fix includes a breaking change to the API login action. Any
> clients
> using it will need to be updated. We apologise for making such a
> disruptive change in a minor release, but we feel that security is
> paramount.
> ============
> 
> Regards,
> ~reed
> 
> [0]
> http://lists.wikimedia.org/pipermail/mediawiki-announce/2010-April/000090.html
> [1] https://bugzilla.wikimedia.org/show_bug.cgi?id=23076
> 
> - -- 
> Reed Loden - <reed@...dloden.com>
> 
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.9 (GNU/Linux)
> 
> iEYEARECAAYFAku7304ACgkQa6IiJvPDPVozkQCgv4DUtGwOzEgDY0m+/dNXbO/t
> LIQAnj7OdyY8THs+KjSbwRgri0O8Kbu1
> =lq2I
> -----END PGP SIGNATURE-----

-- 
    JB

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ