This script is Copyright (C) 2012-2014 Tenable Network Security, Inc.
The remote FreeBSD host is missing one or more security-related
MediaWiki reports :
(Bug 39700) Wikipedia administrator Writ Keeper discovered a stored
XSS (HTML injection) vulnerability. This was possible due to the
handling of link text on File: links for nonexistent files. MediaWiki
1.16 and later is affected.
(Bug 39180) User Fomafix reported several DOM-based XSS
vulnerabilities, made possible by a combination of loose filtering of
(Bug 39180) During internal review, it was discovered that CSRF
tokens, available via the API, were not protected with X-Frame-Options
headers. This could lead to a CSRF vulnerability if the API response
is embedded in an external website using an iframe.
(Bug 39824) During internal review, it was discovered extensions were
not always allowed to prevent the account creation action. This
allowed users blocked by the GlobalBlocking extension to create
(Bug 39184) During internal review, it was discovered that password
data was always saved to the local MediaWiki database even if
authentication was handled by an extension, such as LDAP. This could
allow a compromised MediaWiki installation to leak information about
users' LDAP passwords. Additionally, in situations when an
authentication plugin returned false in its strict function, this
would allow old passwords to be used for accounts that did not exist
in the external system, indefinitely.
(Bug 39823) During internal review, it was discovered that metadata
about blocks, hidden by a user with suppression rights, was visible to
See also :
Update the affected packages.
Risk factor :
Family: FreeBSD Local Security Checks
Nessus Plugin ID: 61765