[Olpc-sysadmin] [Fwd: [MediaWiki-announce] MediaWiki 1.13.3, 1.12.2, 1.6.11 security update]

Bernie Innocenti bernie at codewiz.org
Mon Dec 15 06:24:09 EST 2008

-------- Original Message --------
Subject: [MediaWiki-announce] MediaWiki 1.13.3, 1.12.2, 1.6.11 security update
Date: Mon, 15 Dec 2008 22:09:28 +1100
From: Tim Starling <tstarling at wikimedia.org>
Reply-To: mediawiki-l at lists.wikimedia.org
To: mediawiki-announce at lists.wikimedia.org,
mediawiki-l at lists.wikimedia.org, wikitech-l at lists.wikimedia.org,
vendor-sec at lst.de

This is a security release of MediaWiki 1.13.3, 1.12.1 and 1.6.11.
Some of the security issues affect *all* versions of MediaWiki except
the versions released today, so all site administrators are encouraged
to upgrade.

Users of the development (trunk) branch should upgrade to r44506 or later.

David Remahl of Apple's Product Security team has identified a number
of security issues in MediaWiki. Subsequent analysis by the MediaWiki
development team led to further discoveries. The issues with a
significant impact are as follows:

* An XSS vulnerability affecting all MediaWiki installations between
1.13.0 and 1.13.2. [CVE-2008-5249]
* A local script injection vulnerability affecting Internet Explorer
clients for all MediaWiki installations with uploads enabled.
* A local script injection vulnerability affecting clients with SVG
scripting capability (such as Firefox 1.5+), for all MediaWiki
installations with SVG uploads enabled. [CVE-2008-5250]
* A CSRF vulnerability affecting the Special:Import feature, for all
MediaWiki installations since the feature was introduced in 1.3.0.

These four vulnerabilities are all fixed in these releases.

XSS (cross-site scripting) vulnerabilities allow an attacker to steal
an authorised user's login session, and to act as that user on the
wiki. The authorised user must visit a web page controlled by the
attacker in order to activate the attack. Intranet wikis are
vulnerable if the attacker can determine the intranet URL.

Local script injection vulnerabilities are like XSS vulnerabilities,
except that the attacker must have an account on the local wiki, and
there is no external site involved. The attacker uploads a script to
the wiki, which another user is tricked into executing, with the
effect that the attacker is able to act as the privileged user.

CSRF vulnerabilities allow an attacker to act as an authorised user on
the wiki, but unlike an XSS vulnerability, the attacker can only act
as the user in a specific and restricted way. The present CSRF
vulnerability allows pages to be edited, with forged revision
histories. Like an XSS vulnerability, the authorised user must visit
the malicious web page to activate the attack.

David Remahl also reminded us of some security-related configuration

* Since 1.11, by default, MediaWiki stores a backup of deleted images
  in the images/deleted directory. If you do not want these images to be
  publicly accessible, make sure this directory is not accessible from
  the web. MediaWiki takes some steps to avoid leaking these images, but
  these measures are not perfect.
* Set display_errors=off in your php.ini to avoid path disclosure via
  PHP fatal errors. This is the default on most shared web hosts.
* Enabling MediaWiki's debugging features, such as
  $wgShowExceptionDetails, may lead to path disclosure.
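The three configuration points above can be audited on a server with a short script. The following is an added example, not part of the announcement or of MediaWiki itself; it assumes a MediaWiki root containing LocalSettings.php and images/deleted, an Apache server that honours .htaccess files, and an explicitly supplied php.ini path.

```shell
#!/bin/sh
# Constructed audit for the three hardening points in the advisory.
# Assumptions (not from the advisory): $1 is the MediaWiki root,
# $2 is the php.ini actually loaded by the web server's PHP, and the
# web server is Apache with AllowOverride in effect for images/.

# 0 if the last display_errors line in php.ini turns it off; 1 if it is
# on or absent (PHP's compiled-in default is on, so absent is a finding).
check_display_errors() {
    val=$(grep -i '^[[:space:]]*display_errors[[:space:]]*=' "$1" 2>/dev/null \
          | tail -n 1 | sed 's/^[^=]*=[[:space:]]*//; s/[[:space:]]*$//' \
          | tr -d '"' | tr 'A-Z' 'a-z')
    case "$val" in
        off|0|false|no) return 0 ;;
        *)              return 1 ;;
    esac
}

# 1 if an uncommented line in LocalSettings.php sets
# $wgShowExceptionDetails = true (debug output that can disclose paths).
check_exception_details() {
    if grep -Eq '^[[:space:]]*\$wgShowExceptionDetails[[:space:]]*=[[:space:]]*true' \
            "$1/LocalSettings.php" 2>/dev/null; then
        return 1
    fi
    return 0
}

# 0 if images/deleted carries a .htaccess that denies web access
# (Apache 2.2 "Deny from all" or 2.4 "Require all denied"); 1 otherwise.
# On non-Apache servers the equivalent rule lives in the server config.
check_deleted_dir() {
    ht="$1/images/deleted/.htaccess"
    [ -f "$ht" ] || return 1
    grep -Eiq '^[[:space:]]*(Deny[[:space:]]+from[[:space:]]+all|Require[[:space:]]+all[[:space:]]+denied)' "$ht"
}

# Runs all three checks, prints findings, returns 1 if any check fails.
run_audit() {
    rc=0
    check_display_errors "$2"   || { echo "FINDING: display_errors not off in $2"; rc=1; }
    check_exception_details "$1" || { echo "FINDING: \$wgShowExceptionDetails enabled in LocalSettings.php"; rc=1; }
    check_deleted_dir "$1"       || { echo "FINDING: images/deleted has no denying .htaccess (check server config if not Apache)"; rc=1; }
    [ "$rc" -eq 0 ] && echo "OK: all three checks passed"
    return "$rc"
}

# Usage: sh audit.sh /var/www/mediawiki /etc/php5/apache2/php.ini
if [ $# -ge 2 ]; then
    run_audit "$1" "$2"
fi
```

The .htaccess check only proves the directory is protected when Apache actually reads it; a request for a known deleted file from outside the host remains the definitive test.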

Users of MediaWiki 1.6.x (the last branch which supported PHP 4) are
strongly recommended to upgrade to PHP 5 and MediaWiki 1.13.3. It is
not necessary to upgrade to 1.6.11 first, just upgrade directly to the
latest version.

Upgrade FAQ:

Full release notes:

    MEDIAWIKI   1.13.3

Patch to previous version (1.13.2), without interface text:
Interface text changes:

GPG signatures:

Public keys:

    MEDIAWIKI   1.12.2

Patch to previous version (1.12.1), without interface text:
Interface text changes:

GPG signatures:

Public keys:

    MEDIAWIKI   1.6.11

Patch to previous version (1.6.10):

GPG signatures:

Public keys:

   // Bernie Innocenti - http://www.codewiz.org/
 \X/  Sugar Labs       - http://www.sugarlabs.org/
