MediaWiki 1.23.x < 1.23.15 / 1.26.x < 1.26.4 / 1.27.x < 1.27.1 Multiple Vulnerabilities

Medium Nessus Plugin ID 93195

Synopsis

An application running on the remote web server is affected by multiple vulnerabilities.

Description

According to its version number, the MediaWiki application running on the remote web server is 1.23.x prior to 1.23.15, 1.26.x prior to 1.26.4, or 1.27.x prior to 1.27.1. It is, therefore, affected by the following vulnerabilities :

- An information disclosure vulnerability exists in the ApiParse.php script due to improper checking of read permissions when loading page content. An unauthenticated, remote attacker can exploit this to disclose sensitive information. (CVE-2016-6331)

- A security bypass vulnerability exists due to a failure to timeout a user's session after it has been blocked.
An authenticated, remote attacker can exploit this to bypass block features. (CVE-2016-6332)

- A cross-site request forgery vulnerability (XSRF) exists in the OutputPage.php script due to a failure to require multiple steps, explicit confirmation, or a unique token when performing certain sensitive actions. An unauthenticated, remote attacker can exploit this, by convincing a user to follow a specially crafted link, to perform arbitrary edits to CSS content. (CVE-2016-6333)

- A cross-site scripting (XSS) vulnerability exists in the Html.php script due to improper validation of user-supplied input when handling improper inline style blocks via the CSS user subpage preview feature. An unauthenticated, remote attacker can exploit this, via a specially crafted request, to execute arbitrary script code in a user's browser session. (CVE-2016-6333)

- A cross-site scripting (XSS) vulnerability exists in the Parser.php script due to improper validation of input to unclosed internal links. An unauthenticated, remote attacker can exploit this, via a specially crafted request, to execute arbitrary script code in a user's browser session. (CVE-2016-6334)

- A flaw exists in the ApiParse.php script due to head items not being properly generated in the context of a title. An unauthenticated, remote attacker can exploit this to have an unspecified impact. (CVE-2016-6335)

- A flaw exists in the LocalFile.php script that allows an authenticated, remote attacker to bypass suppressed viewing restrictions by deleting a file and then undeleting a specific revision of it. (CVE-2016-6336)

- A security bypass vulnerability exists in the User.php script due to improper handling of extension hook functions. An unauthenticated, remote attacker can exploit this to bypass permission restrictions. Note that this vulnerability affects 1.27.x only.
(CVE-2016-6337)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Solution

Upgrade to MediaWiki version 1.23.15 / 1.26.4 / 1.27.1 or later.

See Also

http://www.nessus.org/u?8b9ed785

https://www.mediawiki.org/wiki/Release_notes/1.23#MediaWiki_1.23.15

https://www.mediawiki.org/wiki/Release_notes/1.26#MediaWiki_1.26.4

https://www.mediawiki.org/wiki/Release_notes/1.27#MediaWiki_1.27.1

Plugin Details

Severity: Medium

ID: 93195

File Name: mediawiki_1_27_1.nasl

Version: 1.7

Type: remote

Family: CGI abuses

Published: 2016/08/29

Updated: 2019/11/14

Dependencies: 19233

Configuration: Enable paranoid mode

Risk Information

Risk Factor: Medium

CVSS Score Source: CVE-2016-6337

CVSS v2.0

Base Score: 5

Temporal Score: 3.9

Vector: CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:N

Temporal Vector: CVSS2#E:POC/RL:OF/RC:ND

CVSS v3.0

Base Score: 7.5

Temporal Score: 6.7

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:X

Vulnerability Information

CPE: cpe:/a:mediawiki:mediawiki

Required KB Items: Settings/ParanoidReport, installed_sw/MediaWiki

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 2016/08/23

Vulnerability Publication Date: 2016/08/23

Reference Information

CVE: CVE-2016-6331, CVE-2016-6332, CVE-2016-6333, CVE-2016-6334, CVE-2016-6335, CVE-2016-6336, CVE-2016-6337