Date: Tue, 3 Jun 2014 11:39:27 +0200
From: "Thijs Kinkhorst" <thijs@...ian.org>
To: oss-security@...ts.openwall.com
Subject: CVE request: mediawiki invalid usernames on Special:PasswordReset
 were parsed as wikitext

Hi,

Can you please assign a CVE id for the issue "invalid usernames on
Special:PasswordReset were parsed as wikitext" in Mediawiki?

From the bug:
https://bugzilla.wikimedia.org/show_bug.cgi?id=65501

> Omer Iqbal noticed that invalid usernames on Special:PasswordReset were
> parsed as wikitext.
>
> Although this can't be abused on a typical wiki, in the very special case
> that a wiki has wgRawHtml enabled, and rely on limiting who can edit to
> prevent attackers from adding javascript, the username on
> Special:PasswordReset can be supplied by anyone and will be parsed with
> wgRawHtml enabled.
>
> Since Special:PasswordReset is whitelisted by default on private wikis,
> this could potentially lead to an xss crossing a privilege boundary.
>
> The attack is additionally mitigated by default XFO rules preventing that
> special page from being used in an iframe, so the threat from this is
> very low.

It was fixed in 1.22.7, 1.21.10 and 1.19.16:
http://lists.wikimedia.org/pipermail/mediawiki-announce/2014-May/000151.html


Thanks,
Thijs
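
Added example (not part of the original message and not MediaWiki code): a defender-side check that combines the two conditions described above, a release older than the fixed versions listed in the message and wgRawHtml enabled in LocalSettings.php. The function names, the sample settings file and the comment-stripping heuristic are assumptions made for illustration.

```python
import re

# Fixed releases named in the message, keyed by release branch.
FIXED = {(1, 19): 16, (1, 21): 10, (1, 22): 7}

# Heuristic (assumption): a plain top-level "$wgRawHtml = <bool>;" assignment.
RAW_HTML_RE = re.compile(r"^\s*\$wgRawHtml\s*=\s*(true|false|1|0)\s*;", re.I | re.M)

# Constructed sample LocalSettings.php, not taken from any real wiki.
SAMPLE = '''<?php
$wgServer = "https://wiki.example.org";
# $wgRawHtml = false;
$wgRawHtml = true; // constructed sample
'''


def strip_php_comments(src):
    """Drop /* */ blocks and #, // line comments. String literals are not
    parsed, so a line is also cut at '//' inside a URL; that is harmless
    here because only $wgRawHtml assignments are inspected."""
    src = re.sub(r"/\*.*?\*/", "", src, flags=re.S)
    return re.sub(r"(#|//).*", "", src)


def raw_html_enabled(local_settings):
    """True if the last uncommented $wgRawHtml assignment turns it on."""
    values = RAW_HTML_RE.findall(strip_php_comments(local_settings))
    return bool(values) and values[-1].lower() in ("true", "1")


def patch_status(version):
    """'patched', 'unpatched', or 'unknown' for a string such as '1.22.6'."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)", version.strip())
    if not m:
        return "unknown"
    major, minor, patch = map(int, m.groups())
    fixed_patch = FIXED.get((major, minor))
    if fixed_patch is None:
        return "unknown"  # the message names no fixed release for this branch
    return "patched" if patch >= fixed_patch else "unpatched"


def assess(version, local_settings):
    """Combine release level and configuration into one verdict."""
    status = patch_status(version)
    if status != "unpatched":
        return status
    return "exposed" if raw_html_enabled(local_settings) else "unpatched-not-exposed"


if __name__ == "__main__":
    print(assess("1.22.6", SAMPLE))
```

A verdict of "unknown" means the branch is not one of the three for which the message lists a fixed release, so it has to be checked against the upstream announcement.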
