MediaWiki Input Validation Holes Permit Cross-Site Scripting Attacks and Directory Traversal Flaw Lets Remote Authenticated Administrators Delete Files - SecurityTracker

	Keep Track of the Latest Vulnerabilities with SecurityTracker!

Home | View Topics | Search | Contact Us |

SecurityTracker
Archives

Sign Up for Your FREE Weekly SecurityTracker E-mail Alert Summary

Instant Alerts

Buy our Premium Vulnerability Notification Service to receive customized, instant alerts

Put SecurityTracker Vulnerability Alerts on Your Web Site -- It's Free!

Become a Partner and License Our Database or Notification Service

Report a Bug

Report a vulnerability that you have found to SecurityTracker
bugs
@
securitytracker.com

Category: Application (Forum/Board/Portal) > MediaWiki

Vendors: wikipedia.sourceforge.net

MediaWiki Input Validation Holes Permit Cross-Site Scripting Attacks and Directory Traversal Flaw Lets Remote Authenticated Administrators Delete Files

SecurityTracker Alert ID: 1013260

SecurityTracker URL: http://securitytracker.com/id/1013260

CVE Reference: CAN-2005-0534, CAN-2005-0535, CAN-2005-0536 (Links to External Site)

Updated: Mar 1 2005

Original Entry Date: Feb 22 2005

Impact: Denial of service via network, Disclosure of authentication information, Disclosure of user information, Execution of arbitrary code via network, Modification of user information

Fix Available: Yes Vendor Confirmed: Yes

Version(s): prior to 1.3.11

Description: Several vulnerabilities were reported in MediaWiki. A remote user can conduct cross-site scripting attacks. A remote authenticated administrator can delete certain files on the system.

The software does not properly validate user-supplied input in various fields. A remote user can create a specially crafted URL that, when loaded by a target user, will cause arbitrary scripting code to be executed by the target user's browser. The code will originate from the site running the MediaWiki software and will run in the security context of that site. As a result, the code will be able to access the target user's cookies (including authentication cookies), if any, associated with the site, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.

The software does not properly validate user-supplied input in the image deletion function. A remote authenticated administrator can delete arbitrary files in directories that are writable by the web server process. For directories or files that are not writable by the web server, a remote authenticated administrator can determine if the specified file exists.

The vendor discovered these vulnerabilities as part of a security audit.

The vendor reported these vulnerabilities.

Impact: A remote user can access the target user's cookies (including authentication cookies), if any, associated with the site running the MediaWiki software, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.

A remote authenticated administrator can delete files with the privileges of the web server process.

Solution: The vendor has issued a fixed version (1.3.11), available at:

http://sourceforge.net/project/showfiles.php?group_id=34373

Vendor URL: wikipedia.sourceforge.net/ (Links to External Site)

Cause: Input validation error

Underlying OS: Linux (Any), UNIX (Any), Windows (Any)

Message History: This archive entry has one or more follow-up message(s) listed below.

(Gentoo Issues Fix) MediaWiki Input Validation Holes Permit Cross-Site Scripting Attacks and Directory Traversal Flaw Lets Remote Authenticated Administrators Delete Files (Thierry Carrez <koon@gentoo.org>)
Gentoo has released a fix.

Source Message Contents

Date: Tue, 22 Feb 2005 01:51:19 -0500
Subject: http://sourceforge.net/project/shownotes.php?release_id=307067



= MediaWiki release notes =

Security reminder: MediaWiki does not require PHP's register_globals
setting since version 1.2.0. If you have it on, turn it *off* if you can.

== Version 1.3.11, 2005-02-20 ==

MediaWiki 1.3.11 is a security release.

A security audit found and fixed a number of problems. Users of MediaWiki
1.3.10 and earlier should upgrade to 1.3.11; users of 1.4 beta releases
should upgrade to 1.4rc1.


=== Cross-site scripting vulnerability ===

XSS injection points can be used to hijack session and authentication
cookies as well as more serious attacks.

* Media: links output raw text into an attribute value, potentially
  abusable for JavaScript injection. This has been corrected.
* Additional checks added to file upload to protect against MSIE and
  Safari MIME-type autodetection bugs.

As of 1.3.10/1.4beta6, per-user customized CSS and JavaScript is disabled
by default as a general precaution. Sites which want this ability may set
$wgAllowUserCss and $wgAllowUserJs in LocalSettings.php.


=== Cross-site request forgery ===

An attacker could use JavaScript-submitted forms to perform various
restricted actions by tricking an authenticated user into visiting
a malicious web page. A fix for page editing in 1.3.10/1.4beta6 has
been expanded in this release to other forms and functions.

Authors of bot tools may need to update their code to include the
additional fields.


=== Directory traversal ===

An unchecked parameter in image deletion could allow an authenticated
administrator to delete arbitary files in directories writable by the
web server, and confirm existence of files not deletable.

Go to the Top of This SecurityTracker Archive Page

Home | View Topics | Search | Contact Us
Copyright 2013, SecurityGlobal.net LLC