MediaWiki Input Validation Holes Permit Cross-Site Scripting Attacks and Directory Traversal Flaw Lets Remote Authenticated Administrators Delete Files
SecurityTracker Alert ID: 1013260|
SecurityTracker URL: http://securitytracker.com/id/1013260
CAN-2005-0534, CAN-2005-0535, CAN-2005-0536
(Links to External Site)
Updated: Mar 1 2005|
Original Entry Date: Feb 22 2005
Denial of service via network, Disclosure of authentication information, Disclosure of user information, Execution of arbitrary code via network, Modification of user information|
Fix Available: Yes Vendor Confirmed: Yes |
Version(s): prior to 1.3.11|
Several vulnerabilities were reported in MediaWiki. A remote user can conduct cross-site scripting attacks. A remote authenticated administrator can delete certain files on the system.|
The software does not properly validate user-supplied input in various fields. A remote user can create a specially crafted URL that, when loaded by a target user, will cause arbitrary scripting code to be executed by the target user's browser. The code will originate from the site running the MediaWiki software and will run in the security context of that site. As a result, the code will be able to access the target user's cookies (including authentication cookies), if any, associated with the site, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.
The software does not properly validate user-supplied input in the image deletion function. A remote authenticated administrator can delete arbitrary files in directories that are writable by the web server process. For directories or files that are not writable by the web server, a remote authenticated administrator can determine if the specified file exists.
The vendor discovered these vulnerabilities as part of a security audit.
The vendor reported these vulnerabilities.
A remote user can access the target user's cookies (including authentication cookies), if any, associated with the site running the MediaWiki software, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.|
A remote authenticated administrator can delete files with the privileges of the web server process.
The vendor has issued a fixed version (1.3.11), available at:|
Vendor URL: wikipedia.sourceforge.net/ (Links to External Site)
Input validation error|
Linux (Any), UNIX (Any), Windows (Any)|
This archive entry has one or more follow-up message(s) listed below.|
Source Message Contents
Date: Tue, 22 Feb 2005 01:51:19 -0500|
= MediaWiki release notes =
Security reminder: MediaWiki does not require PHP's register_globals
setting since version 1.2.0. If you have it on, turn it *off* if you can.
== Version 1.3.11, 2005-02-20 ==
MediaWiki 1.3.11 is a security release.
A security audit found and fixed a number of problems. Users of MediaWiki
1.3.10 and earlier should upgrade to 1.3.11; users of 1.4 beta releases
should upgrade to 1.4rc1.
=== Cross-site scripting vulnerability ===
XSS injection points can be used to hijack session and authentication
cookies as well as more serious attacks.
* Media: links output raw text into an attribute value, potentially
* Additional checks added to file upload to protect against MSIE and
Safari MIME-type autodetection bugs.
by default as a general precaution. Sites which want this ability may set
$wgAllowUserCss and $wgAllowUserJs in LocalSettings.php.
=== Cross-site request forgery ===
restricted actions by tricking an authenticated user into visiting
a malicious web page. A fix for page editing in 1.3.10/1.4beta6 has
been expanded in this release to other forms and functions.
Authors of bot tools may need to update their code to include the
=== Directory traversal ===
An unchecked parameter in image deletion could allow an authenticated
administrator to delete arbitary files in directories writable by the
web server, and confirm existence of files not deletable.