Date: Thu, 27 Aug 2015 15:33:51 -0400 (EDT) From: cve-assign@...re.org To: csteipp@...imedia.org Cc: cve-assign@...re.org, oss-security@...ts.openwall.com Subject: Re: CVE Request: MediaWiki 1.25.2, 1.24.3, 1.23.10 -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 > * Internal review discovered that Special:DeletedContributions did not > properly protect the IP of autoblocked users. This fix makes the > functionality of Special:DeletedContributions consistent with > Special:Contributions and Special:BlockList. > <https://phabricator.wikimedia.org/T106893> The DESCRIPTION section of T106893 refers to a similar issue that existed in other code until 2013. As far as we can tell, both issues have security relevance for the same reason (although the first issue was debated at the time). So, we think it will be best to use CVE-2015-6727 for the issue fixed in the https://github.com/wikimedia/mediawiki/commit/5faabfa1bbf65536ea36108887040198afcb3c82 commit, and CVE-2013-7444 for the issue fixed in the https://github.com/wikimedia/mediawiki/commit/dc2966bd05b69321300c63fd0bd78e7c78ecea6e commit. > * Internal review discovered that watchlist anti-csrf tokens were not being > compared in constant time, which could allow various timing attacks. This > could allow an attacker to modify a user's watchlist via csrf. > <https://phabricator.wikimedia.org/T94116> Use CVE-2015-6728. > * John Menerick reported that MediaWiki's thumb.php failed to sanitize > various error messages, resulting in xss. > <https://phabricator.wikimedia.org/T97391> Based on the T97391 "Apr 28 2015, 5:58 PM" comment describing both "Confirmed the rel404 issue" and "ForeignAPI images also have an xss" vectors, it appears that the original John Menerick report was about "unvalidated or sanitized parameters are pulled from the client's request" and that the f parameter wasn't necessarily known to be exploitable when that report was written. (Maybe this isn't accurate because the "attached image" in the original report is apparently unavailable.) In any case, use CVE-2015-6729 for the John Menerick XSS report, and use CVE-2015-6730 for the internal XSS discoveries. > * Extension:SemanticForms - MediaWiki user Grunny discovered multiple > reflected xss vectors in SemanticForms. Further internal review discovered > and fixed other reflected and stored xss vectors. > <https://phabricator.wikimedia.org/T103391> > <https://phabricator.wikimedia.org/T103765> > <https://phabricator.wikimedia.org/T103761> Use CVE-2015-6731 for the Grunny XSS report, and use CVE-2015-6732 for the internal XSS discoveries. There is currently no CVE ID for the "The Special:CreateForm post to add the template doesn't check the csrf token, so it can be submitted for a user via csrf" statement in the T103761 DESCRIPTION section. We aren't sure about this, but we think that a CSRF token check there is not thought to be required. If a CSRF token check there is thought to be required, then another CVE ID can be assigned. > * Extension:SyntaxHighlight_GeSHi - xss and potential DoS vectors. Internal > review discovered that the contib directory for GeSHi was re-included in > MediaWiki 1.25. Some scripts could be potentially be used for DoS, and DAU > Huy Ngoc discovered an xss vector. All contrib scripts have been removed. > <https://phabricator.wikimedia.org/T108198> There are multiple options with which this topic could be covered in CVE, e.g., 1. It is a single integration-policy error. In other words, the policy is that Extension:SyntaxHighlight_GeSHi may have an update at any time from the upstream GeSHi source code, but the contrib directory must be excluded. A person who did an update did not follow that policy. 2. The problems with using the upstream contrib directory within MediaWiki need to be considered individually. We're using option 2. "Some scripts could be potentially be used for DoS" is not really enough information, because distinct types of DoS can't always be combined into one CVE ID. We think the only known DoS problem is resource consumption from otherwise correct algorithms, as mentioned at http://qbnz.com/highlighter/ with "GeSHi aims to do this all as quickly as possible. Many customisable features of GeSHi facilitate speed increases, and you can easily find a balance between the amount of highlighting done and the speed in which it is done." Use CVE-2015-6733 for this type of resource-consumption DoS, which has security relevance within the MediaWiki product. Use CVE-2015-6734 for the cssgen.php keywords-1 XSS. (Although not directly related to CVE assignment, it's possible that that XSS hasn't been reported upstream because it's not listed on the https://github.com/GeSHi/geshi-1.0/commits/master/src/contrib/cssgen.php page.) > * Extension:TimedMediaHandler - User:McZusatz reported that resetting > transcodes deleted the transcode without creating a new one, which could be > used for vandalism or potentially DoS. > <https://phabricator.wikimedia.org/T100211> Use CVE-2015-6735. > * Extension:Quiz - Internal review discovered that Quiz did not properly > escape regex metacharacters in a user controlled regular expression, > enabling a DoS vector. > <https://phabricator.wikimedia.org/T97083> Use CVE-2015-6736. > * Extension:Widgets - MediaWiki developer Majr reported a potential HTML > injection (xss) vector. > <https://phabricator.wikimedia.org/T88964> Use CVE-2015-6737. We think that the primary vulnerability is that the approach to integrity protection is wrong, and that the HTML injection is resultant from this. In any case, we think that only one CVE ID is needed for T88964. - -- CVE assignment team, MITRE CVE Numbering Authority M/S M300 202 Burlington Road, Bedford, MA 01730 USA [ PGP key available through http://cve.mitre.org/cve/request_id.html ] -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIcBAEBCAAGBQJV32WdAAoJEL54rhJi8gl5KxcQAKlVrS3ikXXKM8qxnNFpEJUC hP39Qbz6FY6mvPlXw199gZsgoIGMBfjmg4+NFwH3W+gksbpieUWcd71Mc5mGb0dY to1w7kFiDsgroearzKWQq96N+qBoF+erQtYFIfEXhJGi4DTOyTuXor0W4YfcFfPT +VTp3RiyB4l6njQ7oxEBF0fvmNRdJX5fqvUU/VxEjhWLqjvWZmcC+lNRIXaat4sA XqDa6ktW/rCdYDMZLsnMibqx8R6Z8nI7PFAJoijFFwfzREMAnkEoPDzttM4Q2g0q IpEqbhrxJUFXllIUOcfmAz3f4zVvaMCJpJeU2e36zwQ5tpOEern2/TJM0OkNHJrL nwaatdyYXJd8oFrId0lUlSa66BXqmakOu09qUrF06p1CtLPQd4YSufdMNbY0g6aL 28rP/Y/pd0KV770MLux/FfeDdNkkbYCSX+kWq0xJHepOTaqrpd9t8nlFzK9SB3D9 bylKhU0JSG3H5Z4vTMIVbJU2tI6aPJ0tIfYJ46UChzbhyDlHUrqkUiCUP76gGGR/ Iu2xAfXOOtaLXJpTWKElX+NZyYfzoULxklTImdF0FpS8sqlX2LpA/YuMWgcwcD1z a4os1wcHJhPgbG6vBHp7uYoav0e1iW7nTbjCTpZi/sGYp7KQpHsgYsNhNPyydiSz Z9r2ydLeSD5uag51jEtH =vozk -----END PGP SIGNATURE-----
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ