MediaWiki 1.23.x < 1.23.14 / 1.25.x < 1.25.6 / 1.26.x < 1.26.3 Multiple Vulnerabilities

Medium Nessus Plugin ID 91856

Synopsis

An application running on the remote web server is affected by multiple vulnerabilities.

Description

According to its version number, the MediaWiki application running on the remote web server is 1.23.x prior to 1.23.14, 1.25.x prior to 1.25.6, or 1.26.x prior to 1.26.3. It is, therefore, affected by the following vulnerabilities :

- A flaw exists due to a failure to invalidate tokens from previous user sessions when starting a new session. An authenticated, remote attacker can exploit this to hijack another user's session.

- A security bypass vulnerability exists in the SpecialUserlogin.php script due to improper handling of non-canonical usernames. An unauthenticated, remote attacker can exploit this to bypass login throttling.

- A flaw exists due to a cross-domain policy regular expression (regexp) that is too narrow. An unauthenticated, remote attacker can exploit this to supply parameters within the tag and insert malicious data.

- A denial of service vulnerability exists in the wfShellExec() function in the GlobalFunctions.php script due to missing string length limits for shell invocations. An authenticated, remote attacker can exploit this, via overly large commands, to crash the server.

- A privilege escalation vulnerability exists in the RawAction.php script to improper management of sessions when handling cached data. An authenticated, remote attacker can exploit this to log in as another user and gain elevated privileges.

- A security bypass vulnerability exists due to improper handling of specially-crafted, spoofed patrol links. An authenticated, remote attacker can exploit this to bypass restrictions and patrol arbitrary pages.

- A flaw exists in the WebStart.php script due to insufficient checks against mbstring.func_overload. An unauthenticated, remote attacker can exploit this, using the predictable results, to conduct a brute-force attack.

- A flaw exists when handling specially crafted requests that involve graphs. An unauthenticated, remote attacker can exploit this to disclose an edit token, allowing the attacker to then conduct a cross-site request forgery (XSRF) attack.

- A denial of service vulnerability exists in the generateDiffBody() function in the DifferenceEngine.php script that allows an authenticated, remote attacker to cause multiple diffs to be concurrently loaded, resulting in a consumption of significant resources.

- A cross-site redirection vulnerability exists due to a failure to securely use $wgExternalLinkTarget in the DefaultSettings.php script. An unauthenticated, remote attacker can exploit this, by convincing a user to follow a specially crafted link, to redirect a user to a malicious website.

- A security bypass vulnerability exists in the ApiMove::execute() function in the ApiMove.php script due to a failure to properly rate limit the 'move API action'. An unauthenticated, remote attacker can exploit this to bypass intended rate restrictions on movement operations.

- An authentication security bypass vulnerability exists in the MWOldPassword.php, MWSaltedPassword.php, and Pbkdf2Password.php scripts due to improper handling of unsupported hash algorithms. An unauthenticated, remote attacker can exploit this to bypass authentication mechanisms. Note that this vulnerability only affects versions 1.25.x and 1.26.x.

- A flaw exists in the SpecialUserlogin.php script due to throttling password attempts for wiki accounts on a per-wiki basis rather than globally. An unauthenticated, remote attacker can exploit this to easily conduct brute-force attacks. Note that this vulnerability only affects versions 1.23.x and 1.25.x.

- A flaw exists in the includes/DefaultSettings.php script due to the 'pdkdf2' parameter not being hashed in a more secure manner, which can result in password hashes being less secure. A remote attacker can exploit this, using brute-force methods, to disclose the passwords.

- A cross-site scripting (XSS) vulnerability exists in the includes/upload/UploadBase.php script within the UploadBase::checkSvgScriptCallback() function, when uploading SVG files, due to a failure to validate input before returning it to the user. An unauthenticated, remote attacker can exploit this, via a specially crafted request, to execute arbitrary script code in the user's browser session.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Solution

Upgrade to MediaWiki version 1.23.14 / 1.25.6 / 1.26.3 or later.

See Also

http://www.nessus.org/u?937cb355

https://www.mediawiki.org/wiki/Release_notes/1.23#MediaWiki_1.23.14

https://www.mediawiki.org/wiki/Release_notes/1.25#MediaWiki_1.25.6

https://www.mediawiki.org/wiki/Release_notes/1.26#MediaWiki_1.26.3

https://phabricator.wikimedia.org/T116030

https://phabricator.wikimedia.org/T123071

https://phabricator.wikimedia.org/T122653

Plugin Details

Severity: Medium

ID: 91856

File Name: mediawiki_1_26_3.nasl

Version: 1.9

Type: remote

Family: CGI abuses

Published: 2016/06/27

Updated: 2019/01/02

Dependencies: 19233

Configuration: Enable paranoid mode

Risk Information

Risk Factor: Medium

CVSS v2.0

Base Score: 5.1

Temporal Score: 3.8

Vector: CVSS2#AV:N/AC:H/Au:N/C:P/I:P/A:P

Temporal Vector: CVSS2#E:U/RL:OF/RC:C

CVSS v3.0

Base Score: 8.1

Temporal Score: 7.1

Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

CPE: cpe:/a:mediawiki:mediawiki

Required KB Items: Settings/ParanoidReport, installed_sw/MediaWiki

Patch Publication Date: 2016/05/20

Vulnerability Publication Date: 2016/05/18