MediaWiki < 1.23.12 / 1.24.5 / 1.25.4 / 1.26.1 Multiple Vulnerabilities

low Nessus Network Monitor Plugin ID 9473

Synopsis

The remote web server is running a PHP application that is out of date and affected by multiple vulnerabilities.

Description

The version of MediaWiki installed is 1.23.x earlier than 1.23.12, 1.24.x earlier than 1.24.5, 1.25.x earlier than 1.25.4, or 1.26.x earlier than 1.26.1. It is therefore affected by multiple vulnerabilities:

- A flaw exists that allows a cross-site scripting (XSS) attack. The 'includes/Setup.php' script does not ensure that the '$wgArticlePath' configuration variable is set to an absolute path. A remote attacker can create a page with a specially crafted name and have it referenced from another page, causing arbitrary script code to execute in the browser session of a user who views it, within the trust relationship between their browser and the server. (CVE-2015-8622)
- A flaw exists in the 'User::matchEditToken()' function in 'includes/user/User.php', which compares the submitted edit (CSRF) token against the expected value with an ordinary string comparison rather than a constant-time one. Because such a comparison returns as soon as the first mismatching byte is found, a remote attacker can measure response times to recover a valid token. (CVE-2015-8623, CVE-2015-8624)
- A flaw exists in the 'CurlHttpRequest::execute()' function in 'includes/HttpFunctions.php' and the 'MultiHttpClient::getCurlHandle()' function in 'includes/libs/MultiHttpClient.php'. Neither function properly handles POST parameters whose values start with an '@' character. When an array is passed to curl's CURLOPT_POSTFIELDS on PHP 5.x without CURLOPT_SAFE_UPLOAD enabled, a value beginning with '@' is interpreted as the path of a local file to upload, so an attacker who controls such a parameter may be able to disclose the contents of arbitrary files readable by the web server. (CVE-2015-8625)
- A flaw exists in the 'PasswordFactory::generateRandomPasswordString()' function in 'includes/password/PasswordFactory.php': the 'User::randomPassword()' method generates passwords without honoring the configured minimum password length policy. This may result in users having weaker passwords than intended. (CVE-2015-8626)
- A flaw exists in the 'includes/utils/IP.php' script due to improper parsing of IP addresses. As a result, an administrative user may unintentionally block IP addresses other than the ones intended. (CVE-2015-8627)
- A flaw exists in the handling of redirects to a user's own pages. By referencing such a redirect from a specially crafted web page, a context-dependent attacker can disclose the username of the user who follows it. (CVE-2015-8628)
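The following PHP is an added illustration, not MediaWiki's own code or its actual fix, of the two bug classes above that are most easily checked in a code review: the non-constant-time token comparison (CVE-2015-8623, CVE-2015-8624) and POST fields handed to curl as an array (CVE-2015-8625). Function names are hypothetical; the sample field values are constructed. It assumes PHP 7 or later for the scalar type declarations, while the '@' file-upload behaviour it guards against only exists on PHP 5.x when CURLOPT_SAFE_UPLOAD is unset or false.

```php
<?php
// Added illustration (not MediaWiki code): vulnerable shape beside hardened
// form for two of the issues in this advisory. Function names are hypothetical.

// --- Edit-token comparison (CVE-2015-8623 / CVE-2015-8624) ---

// Vulnerable shape: an ordinary string comparison stops at the first
// differing byte, so the time it takes leaks how many leading bytes of the
// attacker's guess were correct.
function matchEditTokenVulnerable(string $submitted, string $expected): bool
{
    return $submitted === $expected;
}

// Hardened: hash_equals() (PHP >= 5.6) runs in time that depends only on the
// length of $expected, not on the position of the first mismatch. The known
// value goes first, per the function's signature.
function matchEditTokenSafe(string $submitted, string $expected): bool
{
    return hash_equals($expected, $submitted);
}

// --- POST fields handed to curl (CVE-2015-8625) ---

// Vulnerable shape: on PHP 5.x with CURLOPT_SAFE_UPLOAD unset or false, an
// array passed to CURLOPT_POSTFIELDS is sent as multipart/form-data and any
// value beginning with '@' is read from the local filesystem and uploaded.
function curlPostFieldsVulnerable($ch, array $fields): void
{
    curl_setopt($ch, CURLOPT_POSTFIELDS, $fields); // 'text' => '@/etc/passwd' uploads the file
}

// Hardened: serialise the fields yourself. A string value is sent verbatim as
// application/x-www-form-urlencoded, so '@' is just another encoded byte and
// the attacker-controlled value never reaches curl's file-upload path.
function curlPostFieldsSafe($ch, array $fields): void
{
    curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($fields, '', '&'));
}

// Demo on constructed input.
$expected = bin2hex(random_bytes(16));
var_dump(matchEditTokenSafe($expected, $expected));        // bool(true)
var_dump(matchEditTokenSafe('0' . $expected, $expected));  // bool(false)

$fields = ['title' => 'Main_Page', 'text' => '@/etc/passwd'];
echo http_build_query($fields, '', '&'), "\n"; // the '@' is percent-encoded as %40

$ch = curl_init('http://127.0.0.1/api.php'); // constructed; no request is sent
curlPostFieldsSafe($ch, $fields);
curl_close($ch);
```

When auditing a code base for the second pattern, grep for `CURLOPT_POSTFIELDS` and treat every call site that passes an array built from request-controlled data as suspect; the url-encoded string form is the simplest safe replacement where no genuine file upload is intended.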

Solution

Upgrade to MediaWiki version 1.26.1 or later. If upgrading to the 1.26.x branch is not possible, versions 1.25.4, 1.24.5, and 1.23.12 have also been patched for these vulnerabilities.

See Also

https://lists.wikimedia.org/pipermail/mediawiki-announce/2015-December/000186.html

Plugin Details

Severity: Low

ID: 9473

Family: CGI

Published: 8/5/2016

Updated: 3/6/2019

Risk Information

VPR

Risk Factor: Medium

Score: 5.9

CVSS v2

Risk Factor: Medium

Base Score: 4.3

Temporal Score: 3.7

Vector: CVSS2#AV:N/AC:M/Au:N/C:P/I:N/A:N

CVSS v3

Risk Factor: Low

Base Score: 3.7

Temporal Score: 3.6

Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N

Temporal Vector: CVSS:3.0/E:X/RL:O/RC:C

Vulnerability Information

CPE: cpe:/a:mediawiki:mediawiki

Patch Publication Date: 12/18/2015

Vulnerability Publication Date: 12/18/2015

Reference Information

CVE: CVE-2015-8622, CVE-2015-8623, CVE-2015-8624, CVE-2015-8625, CVE-2015-8626, CVE-2015-8627, CVE-2015-8628

BID: 77372