FreeBSD : mediawiki -- multiple vulnerabilities (7c0fecd6-f42f-11e1-b17b-000c2977ec30)

This script is Copyright (C) 2012-2014 Tenable Network Security, Inc.

Synopsis :

The remote FreeBSD host is missing one or more security-related

Description :

MediaWiki reports :

(Bug 39700) Wikipedia administrator Writ Keeper discovered a stored
XSS (HTML injection) vulnerability. This was possible due to the
handling of link text on File: links for nonexistent files. MediaWiki
1.16 and later is affected.

(Bug 39180) User Fomafix reported several DOM-based XSS
vulnerabilities, made possible by a combination of loose filtering of
the uselang parameter, and JavaScript gadgets on various language

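The uselang weakness above is about input shaping: a gadget that builds markup from the page language is only as safe as the filter on that parameter. The following is an added illustration in Python (not MediaWiki's PHP code, and not the project's own fix); the allowlist pattern, the function names and the probe string are assumptions chosen for the demonstration, and the page does not give MediaWiki's exact validation rule.

```python
import re

# Strict allowlist for the uselang value (assumption: lowercase letters and digits
# separated by hyphens, like "en", "zh-hans", "be-tarask"). Anything containing
# quotes, angle brackets or slashes is rejected outright.
_LANG_CODE = re.compile(r"[a-z]{2,3}(?:-[a-z0-9]{1,8})*")


def is_valid_lang_code(code: str) -> bool:
    return _LANG_CODE.fullmatch(code) is not None


def loose_uselang(param: str) -> str:
    """Models the loose filter: trims whitespace and lets everything else through."""
    return param.strip()


def strict_uselang(param, default: str = "en") -> str:
    """Hardened selection: a missing, unknown or malformed code falls back to the default."""
    if param is None or not is_valid_lang_code(param):
        return default
    return param


def gadget_markup(lang: str) -> str:
    """A gadget that drops the page language into the DOM by string concatenation."""
    return '<div lang="' + lang + '">...</div>'


# Constructed DOM-XSS probe: closes the attribute and injects an event handler.
PAYLOAD = 'en"><img src=x onerror=alert(1)>'


def demo():
    """Returns the markup a gadget would emit under the loose and the strict filter."""
    return {
        "loose": gadget_markup(loose_uselang(PAYLOAD)),
        "strict": gadget_markup(strict_uselang(PAYLOAD)),
    }


if __name__ == "__main__":
    for mode, html in demo().items():
        print(mode, "->", html)
```

The strict variant never echoes the attacker-controlled value: it either matches the allowlist (and then contains no markup metacharacters) or is replaced by the default.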
(Bug 39180) During internal review, it was discovered that CSRF
tokens, available via the API, were not protected with X-Frame-Options
headers. This could lead to a CSRF vulnerability if the API response
is embedded in an external website using an iframe.

(Bug 39824) During internal review, it was discovered extensions were
not always allowed to prevent the account creation action. This
allowed users blocked by the GlobalBlocking extension to create

(Bug 39184) During internal review, it was discovered that password
data was always saved to the local MediaWiki database even if
authentication was handled by an extension, such as LDAP. This could
allow a compromised MediaWiki installation to leak information about
users' LDAP passwords. Additionally, in situations when an
authentication plugin returned false in its strict function, this
would allow old passwords to be used for accounts that did not exist
in the external system, indefinitely.
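The two halves of this issue (external credentials mirrored into the local table, and a non-strict plugin letting that mirror authenticate a user the directory no longer knows) are easiest to see as a state machine. The following Python model is an added example, not MediaWiki's PHP code or the project's own patch; the class and method names (including allow_set_local_password), the login flow and the sample directory are assumptions made for the demonstration.

```python
import hashlib
import os


class LocalUserTable:
    """Models the local MediaWiki user table (constructed; password fields only)."""

    def __init__(self):
        self._rows = {}  # name -> (salt, sha256(salt + password))

    def set_password(self, name: str, password: str) -> None:
        salt = os.urandom(8)
        self._rows[name] = (salt, hashlib.sha256(salt + password.encode()).digest())

    def has_password(self, name: str) -> bool:
        return name in self._rows

    def check_password(self, name: str, password: str) -> bool:
        row = self._rows.get(name)
        if row is None:
            return False
        salt, digest = row
        return hashlib.sha256(salt + password.encode()).digest() == digest


class ExternalAuthPlugin:
    """Models an authentication plugin backed by an external directory (e.g. LDAP)."""

    def __init__(self, directory: dict, strict: bool, allow_set_local_password: bool):
        self._directory = directory            # name -> password (constructed sample)
        self._strict = strict
        self._allow_local = allow_set_local_password

    def authenticate(self, name: str, password: str) -> bool:
        return self._directory.get(name) == password

    def strict(self) -> bool:
        """True: a login the plugin rejects is never retried against the local table."""
        return self._strict

    def allow_set_local_password(self) -> bool:
        """False: external credentials are never written into the local table."""
        return self._allow_local


def login(plugin: ExternalAuthPlugin, local: LocalUserTable, name: str, password: str) -> bool:
    """Login flow: plugin first; local password only as a non-strict fallback."""
    if plugin.authenticate(name, password):
        if plugin.allow_set_local_password():
            local.set_password(name, password)  # the leak: a local copy of the LDAP password
        return True
    if plugin.strict():
        return False
    return local.check_password(name, password)


def demo(strict: bool, allow_local: bool):
    """Returns (login ok before removal, password copied locally, login ok after removal)."""
    directory = {"alice": "correct horse"}
    plugin = ExternalAuthPlugin(directory, strict, allow_local)
    local = LocalUserTable()
    before = login(plugin, local, "alice", "correct horse")
    copied = local.has_password("alice")
    del directory["alice"]  # account removed (or password rotated) in the directory
    after = login(plugin, local, "alice", "correct horse")
    return before, copied, after


if __name__ == "__main__":
    for strict, allow_local in [(False, True), (True, True), (False, False), (True, False)]:
        print(f"strict={strict} allow_local={allow_local} ->", demo(strict, allow_local))
```

Only the combination strict=False with local copies allowed lets the stale password keep working; a strict plugin closes the fallback but still leaves the copied hash behind, which is the leak the advisory describes.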

(Bug 39823) During internal review, it was discovered that metadata
about blocks, hidden by a user with suppression rights, was visible to

Solution :

Update the affected packages.

Family: FreeBSD Local Security Checks

Nessus Plugin ID: 61765

CVE ID: CVE-2012-4377
