SB2017032316 - Multiple vulnerabilities in MediaWiki

Description

This security bulletin contains information about 6 secuirty vulnerabilities.

1) Cross-site scripting (CVE-ID: CVE-2015-8622)

Vulnerability allows a remote attacker to perform Cross-site scripting attacks.

An input validation error exists in MediaWiki before 1.23.12, 1.24.x before 1.24.5, 1.25.x before 1.25.4, and 1.26.x before 1.26.1, when is configured with a relative URL,. A remote authenticated attacker can trick the victim to follow a specially crafted link and execute arbitrary HTML and script code in victim's browser in security context of vulnerable website.

Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.

2) Cross-site request forgery (CVE-ID: CVE-2015-8624)

The vulnerability allows a remote attacker to perform cross-site request forgery attacks.

The vulnerability exists due to insufficient validation of the HTTP request origin. A remote attacker can trick the victim to visit a specially crafted web page and perform arbitrary actions on behalf of the victim on the vulnerable website.

3) Information disclosure (CVE-ID: CVE-2015-8625)

The vulnerability allows a remote non-authenticated attacker to gain access to sensitive information.

MediaWiki before 1.23.12, 1.24.x before 1.24.5, 1.25.x before 1.25.4, and 1.26.x before 1.26.1 do not properly sanitize parameters when calling the cURL library, which allows remote attackers to read arbitrary files via an @ (at sign) character in unspecified POST array parameters.

4) Credentials management (CVE-ID: CVE-2015-8626)

The vulnerability allows a remote non-authenticated attacker to execute arbitrary code.

The User::randomPassword function in MediaWiki before 1.23.12, 1.24.x before 1.24.5, 1.25.x before 1.25.4, and 1.26.x before 1.26.1 generates passwords smaller than $wgMinimalPasswordLength, which makes it easier for remote attackers to obtain access via a brute-force attack.

5) Improper access control (CVE-ID: CVE-2015-8627)

The vulnerability allows a remote non-authenticated attacker to manipulate data.

MediaWiki before 1.23.12, 1.24.x before 1.24.5, 1.25.x before 1.25.4, and 1.26.x before 1.26.1 do not properly normalize IP addresses containing zero-padded octets, which might allow remote attackers to bypass intended access restrictions by using an IP address that was not supposed to have been allowed.

6) Information disclosure (CVE-ID: CVE-2015-8628)

The vulnerability allows a remote non-authenticated attacker to gain access to sensitive information.

The (1) Special:MyPage, (2) Special:MyTalk, (3) Special:MyContributions, (4) Special:MyUploads, and (5) Special:AllMyUploads pages in MediaWiki before 1.23.12, 1.24.x before 1.24.5, 1.25.x before 1.25.4, and 1.26.x before 1.26.1 allow remote attackers to obtain sensitive user login information via crafted links combined with page view statistics.

Remediation

Install update from vendor's website.

References

• http://www.openwall.com/lists/oss-security/2015/12/21/8
• http://www.openwall.com/lists/oss-security/2015/12/23/7
• https://lists.wikimedia.org/pipermail/mediawiki-announce/2015-December/000186.html
• https://phabricator.wikimedia.org/T117899
• https://phabricator.wikimedia.org/T119309
• https://phabricator.wikimedia.org/T118032
• https://phabricator.wikimedia.org/T115522
• https://phabricator.wikimedia.org/T97897
• https://phabricator.wikimedia.org/T109724