Debian DSA-2891-1 : mediawiki, mediawiki-extensions Multiple Vulnerabilities

high Nessus Plugin ID 73256

Synopsis

The remote Debian host is missing a security-related update.

Description

The remote Debian host is missing a security update. It is, therefore, affected by multiple vulnerabilities in MediaWiki :

- A cross-site scripting (XSS) vulnerability exists due to a failure to validate input before returning it to the user. An unauthenticated, remote attacker can exploit this, via specially crafted SVG files, to execute arbitrary script code in the user's browser session.
(CVE-2013-2031)

- A flaw exists in the password blocking mechanism due to two different tools being used to block password change requests, these being Special:PasswordReset and Special:ChangePassword, either of which may be bypassed by the method the other prevents. A remote attacker can exploit this issue to change passwords. (CVE-2013-2032)

- Multiple flaws exist in Sanitizer::checkCss due to the improper sanitization of user-supplied input. An unauthenticated, remote attacker can exploit these to bypass the blacklist. (CVE-2013-4567, CVE-2013-4568)

- A flaw exists due to multiple users being granted the same session ID within HTTP headers. A remote attacker can exploit this to authenticate as another random user. (CVE-2013-4572)

- A cross-site scripting (XSS) vulnerability exists in the /includes/libs/XmlTypeCheck.php script due to improper validation of user-supplied input. An unauthenticated, remote attacker can exploit this, via a specially crafted XSL file, to execute arbitrary script code in the user's browser session. (CVE-2013-6452)

- A flaw exists in the /includes/upload/UploadBase.php script due to a failure to apply SVG sanitization when XML files are read as invalid. An unauthenticated, remote attacker can exploit this to upload non-sanitized XML files, resulting in an unspecified impact.
(CVE-2013-6453)

- A stored cross-site (XSS) scripting vulnerability exists in the /includes/Sanitizer.php script due to a failure to properly validate the '-o-link' attribute before returning it to users. An unauthenticated, remote attacker can exploit this, via a specially crafted request, to execute arbitrary script code in the user's browser session. (CVE-2013-6454)

- A flaw exists in the log API within the /includes/api/ApiQueryLogEvents.php script that allows an unauthenticated, remote attacker to disclose potentially sensitive information regarding deleted pages. (CVE-2013-6472)

- Multiple flaws exist in the PdfHandler_body.php, DjVu.php, Bitmap.php, and ImageHandler.php scripts when DjVu or PDF file upload support is enabled due to improper sanitization of user-supplied input. An authenticated, remote attacker can exploit these, via the use of shell metacharacters, to execute execute arbitrary shell commands. (CVE-2014-1610)

- A cross-site request forgery (XSRF) vulnerability exists in the includes/specials/SpecialChangePassword.php script due to a failure to properly handle a correctly authenticated but unintended login attempt. An unauthenticated, remote attacker, by convincing a user to follow a specially crafted link, can exploit this to reset the user's password. (CVE-2014-2665)

Solution

Upgrade the mediawiki packages. For the stable distribution (wheezy), these issues have been fixed in version 1:1.19.14+dfsg-0+deb7u1 of the mediawiki package and version 3.5~deb7u1 of the mediawiki-extensions package.

See Also

http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=729629

http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=706601

http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=742857

https://security-tracker.debian.org/tracker/CVE-2013-2031

https://security-tracker.debian.org/tracker/CVE-2013-2032

https://security-tracker.debian.org/tracker/CVE-2013-4567

https://security-tracker.debian.org/tracker/CVE-2013-4568

https://security-tracker.debian.org/tracker/CVE-2013-4572

https://security-tracker.debian.org/tracker/CVE-2013-6452

https://security-tracker.debian.org/tracker/CVE-2013-6453

https://security-tracker.debian.org/tracker/CVE-2013-6454

https://security-tracker.debian.org/tracker/CVE-2013-6472

https://security-tracker.debian.org/tracker/CVE-2014-1610

https://security-tracker.debian.org/tracker/CVE-2014-2665

https://packages.debian.org/source/wheezy/mediawiki

https://packages.debian.org/source/wheezy/mediawiki-extensions

http://www.debian.org/security/2014/dsa-2891

Plugin Details

Severity: High

ID: 73256

File Name: debian_DSA-2891.nasl

Version: 1.16

Type: local

Agent: unix

Published: 3/31/2014

Updated: 1/11/2021

Supported Sensors: Frictionless Assessment Agent, Nessus Agent, Agentless Assessment, Nessus

Risk Information

VPR

Risk Factor: High

Score: 7.4

CVSS v2

Risk Factor: High

Base Score: 7.5

Temporal Score: 6.2

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P

Vulnerability Information

CPE: p-cpe:/a:debian:debian_linux:mediawiki, p-cpe:/a:debian:debian_linux:mediawiki-extensions, cpe:/o:debian:debian_linux:7.0

Required KB Items: Host/local_checks_enabled, Host/Debian/release, Host/Debian/dpkg-l

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 3/30/2014

Vulnerability Publication Date: 3/30/2014

Exploitable With

Core Impact

Metasploit (MediaWiki Thumb.php Remote Command Execution)

Elliot (MediaWiki thumb.php page Parameter Remote Shell Command Injection)

Reference Information

CVE: CVE-2013-2031, CVE-2013-2032, CVE-2013-4567, CVE-2013-4568, CVE-2013-4572, CVE-2013-6452, CVE-2013-6453, CVE-2013-6454, CVE-2013-6472, CVE-2014-1610, CVE-2014-2665

BID: 59594, 59595, 63757, 63760, 63761, 65003, 65223, 66600

DSA: 2891