MediaWiki < 1.23.12 / 1.24.5 / 1.25.4 / 1.26.1 Multiple Vulnerabilities

Medium Nessus Network Monitor Plugin ID 9473

Synopsis

The remote web server is running a PHP application that is out of date.

Description

The version of MediaWiki installed is 1.23.x earlier than 1.23.12, 1.24.x earlier than 1.24.5, 1.25.x earlier than 1.25.4, or 1.26.x earlier than 1.26.1. It is therefore affected by multiple vulnerabilities:

- A flaw exists that allows a cross-site scripting (XSS) attack. This flaw exists because the 'includes/Setup.php' script does not ensure that the 'wgArticlePath' variable is set to an absolute path. This may allow a remote attacker to create a page with a specially crafted name that is referenced by another page, allowing the execution of arbitrary script code in a user's browser session within the trust relationship between their browser and the server. (CVE-2015-8622)
- A flaw in the 'User::matchEditToken()' function within 'includes/user/User.php' is due to the program failing to use constant-time string comparisons. This may allow a remote attacker to conduct a timing attack in order to determine tokens. (CVE-2015-8623, CVE-2015-8624)
- A flaw exists within the 'CurlHttpRequest::execute()' function in 'includes/HttpFunctions.php' and the 'MultiHttpClient::getCurlHandle()' function in 'includes/libs/MultiHttpClient.php'. The issue is triggered because the functions do not properly handle POST parameters starting with an '@' character. This may allow a remote attacker to potentially disclose the contents of arbitrary files. (CVE-2015-8625)
- A flaw within the 'passwordFactory::generateRandomPasswordString()' function in 'includes/password/PasswordFactory.php' is triggered because the 'User::randomPassword()' method generates passwords without honoring the configured minimum password length policy. This may result in users having weaker passwords than intended. (CVE-2015-8626)
- A flaw exists within the 'includes/utils/IP.php' script because the application fails to properly parse IP addresses. This may cause an administrative user to accidentally block IP addresses that were not intended to be blocked. (CVE-2015-8627)
- A flaw is triggered when handling a redirect from multiple pages. With a specially crafted web page, a context-dependent attacker can disclose the username of a given user. (CVE-2015-8628)
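The token-comparison item above (CVE-2015-8623/8624) comes down to replacing an early-exit string comparison with one whose running time does not depend on where the first differing byte sits. The following is an added example, not MediaWiki's own code: the class and method names are hypothetical, and the session token is a constructed sample value.

```php
<?php
// Added example, not MediaWiki's code. Demonstrates the hardened form of an
// edit-token check: a plain ==/=== returns at the first mismatching byte, so
// response time reveals how many leading bytes a guess got right.

final class EditTokenChecker
{
    /**
     * Byte-by-byte comparison whose running time depends only on the length
     * of $known, never on the position of the first mismatch. Fallback for
     * PHP builds older than 5.6, which lack hash_equals().
     */
    private static function constantTimeEquals($known, $user)
    {
        $knownLen = strlen($known);
        $userLen  = strlen($user);
        if ($userLen === 0) {
            return false;
        }
        // Fold the length difference into the result instead of returning
        // early, then always walk the whole known token.
        $diff = $knownLen ^ $userLen;
        for ($i = 0; $i < $knownLen; $i++) {
            // Modulo keeps the index in bounds when $user is shorter.
            $diff |= ord($known[$i]) ^ ord($user[$i % $userLen]);
        }
        return $diff === 0;
    }

    /**
     * Compare the token a client submitted with the one held in the session.
     * Non-strings are rejected first: hash_equals() errors on them, and a
     * loose == could accept type-juggled values such as 0 or true.
     */
    public static function matchEditToken($sessionToken, $submittedToken)
    {
        if (!is_string($sessionToken) || !is_string($submittedToken)) {
            return false;
        }
        if (function_exists('hash_equals')) {
            return hash_equals($sessionToken, $submittedToken);
        }
        return self::constantTimeEquals($sessionToken, $submittedToken);
    }
}

// Constructed sample token; a real one is read from the user's session.
$sessionToken = 'd41d8cd98f00b204e9800998ecf8427e+\\';
var_dump(EditTokenChecker::matchEditToken($sessionToken, $sessionToken));
var_dump(EditTokenChecker::matchEditToken($sessionToken, 'd41d8cd98f00b204'));
```

Note that both branches still reveal whether the lengths match; for fixed-length tokens that is not a secret, but it is why the known (server-side) value, not the attacker-supplied one, should drive the loop.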

Solution

Upgrade to MediaWiki version 1.26.1. If 1.26.x cannot be obtained, versions 1.25.4, 1.24.5, and 1.23.12 have also been patched for these vulnerabilities.

See Also

https://lists.wikimedia.org/pipermail/mediawiki-announce/2015-December/000186.html

Plugin Details

Severity: Medium

ID: 9473

File Name: 9473.prm

Family: CGI

Published: 2016/08/05

Modified: 2016/08/05

Dependencies: 1442

Risk Information

Risk Factor: Medium

CVSSv2

Base Score: 4.3

Temporal Score: 3.7

Vector: CVSS2#AV:N/AC:M/Au:N/C:P/I:N/A:N

Temporal Vector: CVSS2#E:ND/RL:OF/RC:C

CVSSv3

Base Score: 3.6

Temporal Score: 3.4

Vector: CVSS3#AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N

Temporal Vector: CVSS3#E:X/RL:O/RC:C

Vulnerability Information

CPE: cpe:/a:mediawiki:mediawiki

Patch Publication Date: 2015/12/18

Vulnerability Publication Date: 2015/12/18

Reference Information

CVE: CVE-2015-8622, CVE-2015-8623, CVE-2015-8625, CVE-2015-8626, CVE-2015-8627, CVE-2015-8628

BID: 77372