Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Fri, 31 Aug 2012 11:51:51 -0600
From: Kurt Seifried <kseifried@...hat.com>
To: oss-security@...ts.openwall.com
CC: Jan Lieskovsky <jlieskov@...hat.com>,
        Mitre CVE assign department <cve-assign@...re.org>
Subject: Re: CVE Request -- MediaWiki 1.19.2 and 1.18.5 multiple
 security flaws

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 08/31/2012 08:34 AM, Jan Lieskovsky wrote:
> Hello Kurt, Steve, vendors,
> 
> multiple security flaws were corrected in recent (1.19.2, and
> 1.18.5) versions of MediaWiki, a wiki engine:

Top posting and in line:

CVE-2012-4377 Stored XSS via a File::link to a non-existing image

CVE-2012-4378 Multiple DOM-based XSS flaws due improper filtering of
uselang parameter

CVE-2012-4379 CSRF tokens, available via API, not protected when
X-Frame-Options headers used

CVE-2012-4380 Did not prevent account creation for IP addresses
blocked with GlobalBlocking

CVE-2012-4381 Password saved always to the local MediaWiki database

CVE-2012-4382 Metadata about blocks

> 1) Stored XSS via a File::link to a non-existing image Upstream
> bug: [1] https://bugzilla.wikimedia.org/show_bug.cgi?id=39700
> 
> Upstream patch against the 1.19 version: [2]
> https://bugzilla.wikimedia.org/show_bug.cgi?id=39700#c11
> 
> Upstream patch against the 1.18 version: [3]
> https://bugzilla.wikimedia.org/show_bug.cgi?id=39700#c12
> 
> References: [4]
> http://www.gossamer-threads.com/lists/wiki/mediawiki/295767 [5]
> http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=686330 [6]
> https://bugzilla.redhat.com/show_bug.cgi?id=853409

Please use CVE-2012-4377 for this issue.

> 2) Multiple DOM-based XSS flaws due improper filtering of uselang
> parameter in combination with JS gadgets Upstream bug: [7]
> https://bugzilla.wikimedia.org/show_bug.cgi?id=37587
> 
> Relevant upstream patch: [8]
> https://gerrit.wikimedia.org/r/#/c/13336/
> 
> References: [9]
> http://www.gossamer-threads.com/lists/wiki/mediawiki/295767 [10]
> http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=686330 [11]
> https://bugzilla.redhat.com/show_bug.cgi?id=853417

Please use CVE-2012-4378 for this issue.

> 3) CSRF tokens, available via API, not protected when
> X-Frame-Options headers used Upstream bug: [12]
> https://bugzilla.wikimedia.org/show_bug.cgi?id=39180
> 
> Relevant upstream patch: [13]
> https://gerrit.wikimedia.org/r/#/c/20472/
> 
> References: [14]
> http://www.gossamer-threads.com/lists/wiki/mediawiki/295767 [15]
> http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=686330 [16]
> https://bugzilla.redhat.com/show_bug.cgi?id=853426

Please use CVE-2012-4379 for this issue.

> 4) Did not prevent account creation for IP addresses blocked with
> GlobalBlocking Upstream bug: [17]
> https://bugzilla.wikimedia.org/show_bug.cgi?id=39824
> 
> Upstream patch against the 1.18 version: [18]
> https://bugzilla.wikimedia.org/show_bug.cgi?id=39824#c0
> 
> References: [19]
> http://www.gossamer-threads.com/lists/wiki/mediawiki/295767 [20]
> http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=686330 [21]
> https://bugzilla.redhat.com/show_bug.cgi?id=853440

Please use CVE-2012-4380 for this issue.

> 5) Password saved always to the local MediaWiki database and 
> possibility to use old passwords for non-existing accounts in the
> external auth system Upstream bug: [22]
> https://bugzilla.wikimedia.org/show_bug.cgi?id=39184
> 
> Upstream patch: [23]
> https://bugzilla.wikimedia.org/show_bug.cgi?id=39184#c1
> 
> References: [24]
> http://www.gossamer-threads.com/lists/wiki/mediawiki/295767 [25]
> http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=686330 [26]
> https://bugzilla.redhat.com/show_bug.cgi?id=853442

Please use CVE-2012-4381 for this issue.

> 6) Metadata about blocks, hidden by a user with suppression
> rights, was visible to administrators Upstream bug: [27]
> https://bugzilla.wikimedia.org/show_bug.cgi?id=39823
> 
> Patch for 1.18 branch: [28]
> https://bugzilla.wikimedia.org/show_bug.cgi?id=39823#c1
> 
> References: [29]
> http://www.gossamer-threads.com/lists/wiki/mediawiki/295767 [30]
> http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=686330 [31] No Red
> Hat bugzilla entry, since this did not affect MediaWiki versions,
> as shipped across various Red Hat products.

Please use CVE-2012-4382 for this issue.

> Could you allocate CVE ids for these?
> 
> Thank you && Regards, Jan. -- Jan iankko Lieskovsky / Red Hat
> Security Response Team
> 


- -- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://www.enigmail.net/

iQIcBAEBAgAGBQJQQPm3AAoJEBYNRVNeJnmTQ/kP/RcvMqfAx+L+PD78RPypQYnd
zZdoe5InbG+taAScuCn8hK1E5CSUJwD2tW6hCHIL20w7iIeoJGYQX9VjdMf27nK5
dXhYODptEX/StCXkzXo79/KThEn7gneaolO0wNdhC7Nl+Jp2+0bFtVxbqOCcBVPn
z3GKzQ4dvxJbFSMH7Id+agXVuPEaQHuz2+0cg20xfUow7YfWAcmdlm+ARuLN1abh
MGlSOoY7QGRxTX/PqXeduaPWAu+Fsz+lPPC13kCXtNAhRysQeFdIcAodnRZ7SRuR
mnj2YfzS+XjzjIF596G6a9n/YyAtWebkJedg6k9q3BuUbSGe/9nHxn3F0EDID+wT
SoeCvRCDs6WfvJ5OP0ZYeE+z2boVpzA2L12JfR1iW22zYy/Y779yeS3dsjAtB7NE
EZ5RXch/WEuHSeIa0CFFFEPL6Y76TpM5oZXp/R+MNiIzwwCcfUMI47P9sUsklsaM
7lMjguJoT5xVGiTc8SnyY5k2MFt3iDU5+zpaG8k1qYq7Vj1pq3byeLhDsmI3I3+w
ZCcuCH8/Mh7a9hGviLYB5AVZoCkB9qSYoSmHbfudq05rGsru+tk/NOa1oUC9LNUn
AkYTlfssO8rBSeZ2Lg7MlHAmzmMz8QTf3OGA/E8RPkTv1qXqJvcAf+SyMe9a16Ob
XtXUaz1oZxoBqRc1W/x+
=CMss
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.