Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Message-ID: <CAKcmtDwuatO7TaTOdeun9q4s9Wv_SfWK6Hzk24b2J227YnL23Q@mail.gmail.com>
Date: Mon, 21 Dec 2015 11:37:14 -0800
From: Chris Steipp <csteipp@...imedia.org>
To: oss-security@...ts.openwall.com
Subject: CVE requests for MediaWiki 1.26.1, 1.25.4, 1.24.5 and 1.23.12

We recently released security fixes for MediaWiki. I believe the first five
issues should have CVE's assigned. The last issue (T109724) requires that
the organization running the wiki also releases detailed page view data
publicly, and probably not worth tracking with a CVE. However I'm happy for
mitre to assign one of they think this generally qualifies.

* (T117899) XSS from wikitext when $wgArticlePath='$1'. Internal review
discovered an XSS vector when MediaWiki is configured with a non-standard
configuration.
<https://phabricator.wikimedia.org/T117899>

* (T119309) User::matchEditToken should use constant-time string
comparison. Internal review discovered that tokens were being compared as
strings, which could allow a timing attack. This should possibly have 2
CVE's assigned, one for the original patch to use hash_equals in
https://gerrit.wikimedia.org/r/#/c/156336/5/includes/User.php (released as
part of MediaWiki 1.25, and backported to 1.24 and 1.23 as part of this
patch) and one to fix T119309, related to the debugging statement.
<https://phabricator.wikimedia.org/T119309>

* (T118032) Error thrown by VirtualRESTService when POST variable starts
with '@'. Internal review discovered that MediaWiki was not sanitizing
parameters passed to the curl library, which could cause curl to upload
files from the webserver to an attacker.
<https://phabricator.wikimedia.org/T118032>

* (T115522) Passwords generated by User::randomPassword() may be shorter
than $wgMinimalPasswordLength. MediaWiki user Frank R. Farmer reported that
the password reset token could be shorter than the minimum required
password length.
<https://phabricator.wikimedia.org/T115522>

* (T97897) Incorrect parsing of IPs for global block. Wikimedia steward
Vituzzu reported that blocking IP addresses with zero-padded octets
resulted in a failure to block the IP address.
<https://phabricator.wikimedia.org/T97897>

* (T109724) A combination of Special:MyPage redirects and pagecounts allows
an external site to know the wikipedia login of an user. Wikimedia
user Xavier Combelle reported a way to identify user, when detailed page
view data is also released.
<https://phabricator.wikimedia.org/T109724>

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.