Detections
Analytics

FreeBSD : mediawiki -- multiple vulnerabilities (8d04cfbd-344d-11e0-8669-0025222482c5)

medium Nessus Plugin ID 51915

Language:

Synopsis

The remote FreeBSD host is missing a security-related update.

Description

Medawiki reports :

An arbitrary script inclusion vulnerability was discovered. The vulnerability only allows execution of files with names ending in '.php' which are already present in the local filesystem. Only servers running Microsoft Windows and possibly Novell Netware are affected.
Despite these mitigating factors, all users are advised to upgrade, since there is a risk of complete server compromise. MediaWiki 1.8.0 and later is affected.

Security researcher mghack discovered a CSS injection vulnerability.
For Internet Explorer and similar browsers, this is equivalent to an XSS vulnerability, that is to say, it allows the compromise of wiki user accounts. For other browsers, it allows private data such as IP addresses and browsing patterns to be sent to a malicious external web server. It affects all versions of MediaWiki. All users are advised to upgrade.

Solution

Update the affected package.

See Also

https://phabricator.wikimedia.org/T29094

https://phabricator.wikimedia.org/T29093

http://www.nessus.org/u?0d631580

http://www.nessus.org/u?7088764f

http://www.nessus.org/u?7b6eba5f

Plugin Details

Severity: Medium

ID: 51915

File Name: freebsd_pkg_8d04cfbd344d11e086690025222482c5.nasl

Version: 1.9

Type: local

Published: 2/9/2011

Updated: 1/6/2021

Supported Sensors: Nessus

Risk Information

VPR

Risk Factor: Low

Score: 3.0

CVSS v2

Risk Factor: Medium

Base Score: 4.3

Vector: CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N

Vulnerability Information

CPE: p-cpe:/a:freebsd:freebsd:mediawiki, cpe:/o:freebsd:freebsd

Required KB Items: Host/local_checks_enabled, Host/FreeBSD/release, Host/FreeBSD/pkg_info

Patch Publication Date: 2/9/2011

Vulnerability Publication Date: 2/1/2011

Reference Information

CVE: CVE-2011-0047