FreeBSD : mediawiki -- multiple vulnerabilities (f36bbd66-aa44-11e5-8f5c-002590263bf5)

Medium Nessus Plugin ID 87616


The remote FreeBSD host is missing one or more security-related updates.


MediaWiki reports:

(T117899) SECURITY: $wgArticlePath can no longer be set to relative paths that do not begin with a slash. This enabled trivial XSS attacks. Configuration values such as '$1' are fine, as are '/wiki/$1'. A value such as '$1' or 'wiki/$1' is not and will now throw an error.

(T119309) SECURITY: Use hash_compare() for edit token comparison.

(T118032) SECURITY: Don't allow cURL to interpret POST parameters starting with '@' as file uploads.

(T115522) SECURITY: Passwords generated by User::randomPassword() can no longer be shorter than $wgMinimalPasswordLength.

(T97897) SECURITY: Improve IP parsing and trimming. Previous behavior could result in improper blocks being issued.

(T109724) SECURITY: Special:MyPage, Special:MyTalk, Special:MyContributions and related pages no longer use HTTP redirects and are now redirected by MediaWiki.


Update the affected packages.

Plugin Details

Severity: Medium

ID: 87616

File Name: freebsd_pkg_f36bbd66aa4411e58f5c002590263bf5.nasl

Version: $Revision: 2.3 $

Type: local

Published: 2015/12/29

Modified: 2018/01/31

Dependencies: 12634

Risk Information

Risk Factor: Medium


CVSS v2 Base Score: 6.8

Vector: CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P


CVSS v3 Base Score: 9.8

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Vulnerability Information

CPE: p-cpe:/a:freebsd:freebsd:mediawiki123, p-cpe:/a:freebsd:freebsd:mediawiki124, p-cpe:/a:freebsd:freebsd:mediawiki125, p-cpe:/a:freebsd:freebsd:mediawiki126, cpe:/o:freebsd:freebsd

Required KB Items: Host/local_checks_enabled, Host/FreeBSD/release, Host/FreeBSD/pkg_info

Patch Publication Date: 2015/12/24

Vulnerability Publication Date: 2015/12/18

Reference Information

CVE: CVE-2015-8622, CVE-2015-8623, CVE-2015-8624, CVE-2015-8625, CVE-2015-8626, CVE-2015-8627, CVE-2015-8628