FreeBSD : mediawiki -- multiple vulnerabilities (f36bbd66-aa44-11e5-8f5c-002590263bf5)

Critical | Nessus Plugin ID 87616

Synopsis

The remote FreeBSD host is missing one or more security-related updates.

Description

MediaWiki reports:

(T117899) SECURITY: $wgArticlePath can no longer be set to relative paths that do not begin with a slash. This enabled trivial XSS attacks. Configuration values such as 'http://my.wiki.com/wiki/$1' are fine, as are '/wiki/$1'. A value such as '$1' or 'wiki/$1' is not and will now throw an error.

(T119309) SECURITY: Use hash_compare() for edit token comparison.

(T118032) SECURITY: Don't allow cURL to interpret POST parameters starting with '@' as file uploads.

(T115522) SECURITY: Passwords generated by User::randomPassword() can no longer be shorter than $wgMinimalPasswordLength.

(T97897) SECURITY: Improve IP parsing and trimming. Previous behavior could result in improper blocks being issued.

(T109724) SECURITY: Special:MyPage, Special:MyTalk, Special:MyContributions and related pages no longer use HTTP redirects and are now redirected by MediaWiki.
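Two of the fixes listed above are easy to see in isolation: the $wgArticlePath rule from T117899 and the constant-time token comparison from T119309. The following is an added Python example, not MediaWiki's PHP code (MediaWiki's own checks differ in detail). It assumes that "absolute" means a leading '/' or a URI scheme prefix, and that link hrefs resolve according to RFC 3986 as implemented by Python's urljoin; the function names and the sample titles and URLs are invented for illustration.

```python
"""Added example (not MediaWiki code): $wgArticlePath validation and constant-time
edit-token comparison. Assumptions: 'absolute' = leading '/' or a URI scheme;
href resolution follows RFC 3986 (Python's urljoin)."""
import hmac
import re
import secrets
from urllib.parse import urljoin

# Assumption: a URI scheme prefix such as 'http:' or 'https:' marks an absolute URL.
_SCHEME_RE = re.compile(r"^[A-Za-z][A-Za-z0-9+.-]*:")


def is_safe_article_path(article_path: str) -> bool:
    """True for the forms the release note accepts ('/wiki/$1',
    'http://my.wiki.com/wiki/$1'); False for relative forms ('$1', 'wiki/$1')."""
    if "$1" not in article_path:
        return False
    return article_path.startswith("/") or bool(_SCHEME_RE.match(article_path))


def validate_article_path(article_path: str) -> str:
    """Return article_path unchanged if safe, otherwise raise, as the fixed
    MediaWiki does (T117899) instead of silently accepting a relative path."""
    if not is_safe_article_path(article_path):
        raise ValueError(
            f"$wgArticlePath {article_path!r} must begin with '/' or a URL scheme "
            "and contain the $1 placeholder"
        )
    return article_path


def article_href(article_path: str, title: str, current_url: str) -> str:
    """Where a browser takes a link built from article_path when that link is on
    the page current_url.

    With a relative template the title becomes the *start* of the href, so the
    title, not the wiki prefix, decides how the browser interprets the link: a
    title containing a colon ('Foo:Bar') is read as a URI with scheme 'foo'
    rather than as a wiki path. With '/wiki/$1' the prefix is fixed by config.
    """
    return urljoin(current_url, article_path.replace("$1", title))


def naive_tokens_match(expected: str, supplied: str) -> bool:
    """What the fix replaced: '==' stops at the first differing byte, so the time
    taken leaks how long a correct prefix the attacker has guessed."""
    return expected == supplied


def tokens_match(expected: str, supplied: str) -> bool:
    """Constant-time comparison, the counterpart of MediaWiki's hash_compare()
    (PHP's hash_equals()) that T119309 introduced for edit tokens."""
    return hmac.compare_digest(expected.encode("utf-8"), supplied.encode("utf-8"))


def new_edit_token() -> str:
    """A fresh random token from a CSPRNG (illustrative; not MediaWiki's format)."""
    return secrets.token_hex(16)


if __name__ == "__main__":
    for path in ("http://my.wiki.com/wiki/$1", "/wiki/$1", "$1", "wiki/$1"):
        print(f"{path!r:32} safe={is_safe_article_path(path)}")
    page = "http://my.wiki.com/wiki/Help"  # constructed current page URL
    print(article_href("/wiki/$1", "Foo:Bar", page))  # http://my.wiki.com/wiki/Foo:Bar
    print(article_href("$1", "Foo:Bar", page))        # Foo:Bar (scheme 'foo', not a wiki path)
    token = new_edit_token()
    print(tokens_match(token, token), tokens_match(token, new_edit_token()))
```

The href resolution is the point of the first fix: with '/wiki/$1' every link stays under a prefix the administrator chose, while with '$1' the browser sees only what the title supplies, so the title decides whether the link is a path, a host, or another scheme entirely. The token functions show the second fix; both return the same booleans, and only the timing behaviour differs.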

Solution

Update the affected packages.
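The check a local plugin of this kind performs is a version comparison of each installed package against the first fixed version of the matching port. The following is an added Python example, not the plugin's NASL code: it parses constructed `pkg query '%n-%v'` style output, applies FreeBSD's `version[_revision][,epoch]` ordering (simplified to dotted numeric versions, which is what these ports use), and reports anything below the fixed version. The fixed versions in FIXED_VERSIONS are assumptions that are not stated on this page; confirm them against the VuXML entry and MediaWiki announcement linked under See Also. On a real host, `pkg audit -F` and `pkg version -t A B` are the authoritative tools.

```python
"""Added example (not the Nessus plugin's code): FreeBSD package version check.
Assumptions: fixed versions below are not from this page and must be confirmed;
versions are 'N.N.N[_rev][,epoch]' (dotted numeric only)."""
import re
from typing import Dict, List, Tuple

# ASSUMED fixed versions (not stated on this page); verify before relying on them.
FIXED_VERSIONS: Dict[str, str] = {
    "mediawiki123": "1.23.12",
    "mediawiki124": "1.24.5",
    "mediawiki125": "1.25.4",
    "mediawiki126": "1.26.1",
}

# Constructed sample of `pkg query '%n-%v'` output, one package per line.
SAMPLE_PKG_INFO = """\
mediawiki126-1.26.0_1
mediawiki125-1.25.4
php56-5.6.16
mediawiki123-1.23.11
"""

# FreeBSD version syntax: version[_revision][,epoch]; epoch wins, then version,
# then port revision. Simplification: only dotted numeric versions are accepted.
_VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)(?:_(\d+))?(?:,(\d+))?$")


def pkg_version_key(version: str) -> Tuple[int, Tuple[int, ...], int]:
    """Turn a FreeBSD package version into a tuple that sorts like pkg(8) does
    for numeric versions: (epoch, dotted components, revision)."""
    m = _VERSION_RE.match(version)
    if not m:
        raise ValueError(f"unsupported version string: {version!r}")
    dotted, revision, epoch = m.groups()
    return (
        int(epoch or 0),
        tuple(int(part) for part in dotted.split(".")),
        int(revision or 0),
    )


def parse_pkg_line(line: str) -> Tuple[str, str]:
    """Split 'name-version' at the last '-' (package versions contain no '-')."""
    name, _, version = line.strip().rpartition("-")
    if not name or not version:
        raise ValueError(f"not a name-version line: {line!r}")
    return name, version


def is_vulnerable(name: str, version: str, fixed: Dict[str, str] = FIXED_VERSIONS) -> bool:
    """True if the package is an affected port at a version below its fix."""
    if name not in fixed:
        return False
    return pkg_version_key(version) < pkg_version_key(fixed[name])


def audit(pkg_info: str, fixed: Dict[str, str] = FIXED_VERSIONS) -> List[Tuple[str, str, str]]:
    """Return (name, installed, fixed) for every vulnerable package in pkg_info."""
    findings = []
    for line in pkg_info.splitlines():
        if not line.strip():
            continue
        name, version = parse_pkg_line(line)
        if is_vulnerable(name, version, fixed):
            findings.append((name, version, fixed[name]))
    return findings


if __name__ == "__main__":
    for name, installed, fix in audit(SAMPLE_PKG_INFO):
        print(f"{name}-{installed} is vulnerable; upgrade to >= {fix}")
```

Note the two ordering details that a naive string compare gets wrong: a port revision (`1.26.0_1`) is still below `1.26.1`, and an epoch (`1.23.11,1`) outranks any version without one, so a package that looks older by version string may in fact be the newer, re-epoched build.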

See Also

http://www.nessus.org/u?dddb0671

https://phabricator.wikimedia.org/T117899

https://phabricator.wikimedia.org/T119309

https://phabricator.wikimedia.org/T118032

https://phabricator.wikimedia.org/T115522

https://phabricator.wikimedia.org/T97897

https://phabricator.wikimedia.org/T109724

https://www.openwall.com/lists/oss-security/2015/12/23/7

http://www.nessus.org/u?6abfc992

Plugin Details

Severity: Critical

ID: 87616

File Name: freebsd_pkg_f36bbd66aa4411e58f5c002590263bf5.nasl

Version: 2.7

Type: local

Published: 12/29/2015

Updated: 1/6/2021

Supported Sensors: Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 5.9

CVSS v2

Risk Factor: Medium

Base Score: 6.8

Vector: CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P

CVSS v3

Risk Factor: Critical

Base Score: 9.8

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Vulnerability Information

CPE: p-cpe:/a:freebsd:freebsd:mediawiki123, p-cpe:/a:freebsd:freebsd:mediawiki124, p-cpe:/a:freebsd:freebsd:mediawiki125, p-cpe:/a:freebsd:freebsd:mediawiki126, cpe:/o:freebsd:freebsd

Required KB Items: Host/local_checks_enabled, Host/FreeBSD/release, Host/FreeBSD/pkg_info

Patch Publication Date: 12/24/2015

Vulnerability Publication Date: 12/18/2015

Reference Information

CVE: CVE-2015-8622, CVE-2015-8623, CVE-2015-8624, CVE-2015-8625, CVE-2015-8626, CVE-2015-8627, CVE-2015-8628