MediaWiki < 1.19.24 / 1.23.9 / 1.24.2 Multiple Vulnerabilities

medium Nessus Network Monitor Plugin ID 9471

Synopsis

The remote web server is running a PHP application that is out of date

Description

The version of MediaWiki installed is 1.19.x earlier than 1.19.24, 1.23.x earlier than 1.23.9, or 1.24.x earlier than 1.24.2. Therefore, it is affected by multiple vulnerabilities :

- A flaw in the 'includes/upload/UploadBase.php' script is triggered when the blacklist feature fails to properly validate nested SVG files due to a missing MIME type blacklist. This may allow a remote attacker to upload SVG files which will execute malicious JavaScript code.
- A flaw exists that allows a stored cross-site scripting (XSS) attack. This flaw exists because the 'includes/Html.php' script does not validate input during Html class attribute expansion before returning it to users. This may allow a remote attacker to create a specially crafted request that would execute arbitrary script code in a user's browser session within the trust relationship between their browser and the server.
- A flaw in the 'includes/libs/XmlTypeCheck.php' script. The issue is triggered when the SVG filter assumes that XML is expanded. This may allow a remote attacker to bypass the SVG filter by encoding SVG entities.
- A flaw in the 'wddx' output format's handling of API errors allows a reflected 1.26.3 attack. This flaw exists because the 'api.php' script does not validate input to the 'submodule' parameter before returning it to users. This may allow a context-dependent attacker to create a specially crafted request that would execute arbitrary script code in a user's browser session within the trust relationship between their browser and the server.
- A flaw is triggered when hashing PBKDF2 passwords. With a specially crafted overly large password, a remote attacker can cause the operation to take the max execution time, consuming resources.
- An Xml eXternal Entity (XXE) injection flaw is triggered during the parsing of XML data in SVG or XMP files. The issue is due to an incorrectly configured XML parser accepting XML external entities from an untrusted source. By sending specially crafted XML data, a remote attacker to consume all system resources, making the web server unresponsive.
- A quadratic blowup XXE injection flaw is triggered during the parsing of XML data. The issue is due to an incorrectly configured XML parser accepting XML external entities from an untrusted source. By sending specially crafted XML data, a remote attacker can exhaust memory up to the memory_limit set by PHP.
- A flaw in the 'includes/upload/UploadBase.php' script is triggered when the SVG filter does not adequately protect against certain style declarations. This may allow a remote attacker to bypass the SVG filter.
- A flaw exists that allows a stored 1.26.3 attack. This flaw exists because the program does not validate during custom JavaScript previews before returning it to users. This may allow a remote attacker to create a specially crafted request that would execute arbitrary script code in a user's browser session within the trust relationship between their browser and the server.
- A flaw exists in the 'includes/upload/UploadBase.php' script. The issue is due to the check for animating an element's href to a JavaScript URL being insufficient. This may allow a remote attacker to bypass the blacklist filter.
- Scribunto Extension contains a flaw that allows a stored 1.26.3 attack. This flaw exists because the 'Lua Error Backtraces' function in the 'engines/LuaCommon/LuaCommon.php' script does not validate input when handling names before returning it to users. This may allow a remote attacker to create a specially crafted request that would execute arbitrary script code in a user's browser session within the trust relationship between their browser and the server.
- CheckUser Extension contains a flaw as user rights are not properly checked when handling HTTP requests to 'specials/SpecialCheckUser.php' that do not require multiple steps, explicit confirmation, or a unique token when performing certain sensitive actions. By tricking a user into following a specially crafted link, a context-dependent attacker can perform a Cross-Site Request Forgery (CSRF / XSRF) attack causing the victim to have their reputation damaged or their logs flooded.
- A flaw exists that allows a 1.26.3 attack. This flaw exists because the program does not validate input encoded entities in SVG files before returning it to users. This may allow a context-dependent attacker to create a specially crafted request that would execute arbitrary script code in a user's browser session within the trust relationship between their browser and the server.

Solution

Upgrade to MediaWiki version 1.24.2. If 1.24.x cannot be obtained, versions 1.23.9, and 1.19.24 have also been patched for these vulnerabilities.

See Also

https://blog.wikimedia.org/2015/04/20/improving-security-for-our-users

Plugin Details

Severity: Medium

ID: 9471

Family: CGI

Published: 8/5/2016

Updated: 3/6/2019

Nessus ID: 86690

Risk Information

VPR

Risk Factor: Medium

Score: 5.9

CVSS v2

Risk Factor: High

Base Score: 7.1

Temporal Score: 6.2

Vector: CVSS2#AV:N/AC:M/Au:N/C:N/I:N/A:C

CVSS v3

Risk Factor: Medium

Base Score: 5.9

Temporal Score: 5.7

Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

Temporal Vector: CVSS:3.0/E:X/RL:O/RC:C

Vulnerability Information

CPE: cpe:/a:mediawiki:mediawiki

Patch Publication Date: 3/31/2015

Vulnerability Publication Date: 3/31/2015

Reference Information

CVE: CVE-2014-9714, CVE-2015-2931, CVE-2015-2932, CVE-2015-2933, CVE-2015-2934, CVE-2015-2935, CVE-2015-2936, CVE-2015-2937, CVE-2015-2938, CVE-2015-2939, CVE-2015-2940, CVE-2015-2941, CVE-2015-2942

BID: 73477