Date: Tue, 29 Nov 2011 11:12:17 +0100 From: Hanno Böck <hanno@...eck.de> To: oss-security@...ts.openwall.com Subject: CVE request: mediawiki before 1.17.1 http://lists.wikimedia.org/pipermail/mediawiki-announce/2011-November/000104.html From announce mail: ------------- I would like to announce the release of MediaWiki 1.17.1. Two security issues were discovered. Alexandre Emsenhuber discovered an issue where page titles on private wikis could be exposed bypassing different page ids to index.php. In the case of the user not having correct permissions, they will now be redirected to Special:BadTitle. For more details, see https://bugzilla.wikimedia.org/show_bug.cgi?id=32276 The second issue was found by Tim Starling, who discovered that action=ajax requests were dispatched to the relevant function without any read permission checks being done. This could have led to data leakage on private wikis. For more details, see https://bugzilla.wikimedia.org/show_bug.cgi?id=32616 ------------------------ Please assign two CVEs. -- Hanno Böck mail/jabber: hanno@...eck.de GPG: BBB51E42 http://www.hboeck.de/ Download attachment "signature.asc" of type "application/pgp-signature" (837 bytes)
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.