MediaWiki 1.23.x < 1.23.15 / 1.26.x < 1.26.4 / 1.27.x < 1.27.1 Multiple Vulnerabilities
Critical Nessus Network Monitor Plugin ID 9824
Synopsis: The remote web server is running a PHP application that is out of date.
Description: The version of MediaWiki installed is 1.23.x prior to 1.23.15, 1.26.x prior to 1.26.4, or 1.27.x prior to 1.27.1, and is affected by multiple vulnerabilities:
- A flaw exists because HTTP requests to 'includes/OutputPage.php' do not require multiple steps or explicit confirmation while using predictable edit tokens. By tricking a user into following a specially crafted link, a context-dependent attacker can perform a Cross-Site Request Forgery (CSRF / XSRF) attack that causes the victim to edit CSS content. (OSVDB 143393)
- A flaw exists in 'includes/api/ApiParse.php' that is triggered as head items are not properly generated in the context of the title. This may allow a remote attacker to have an unspecified impact. (OSVDB 143394)
- A flaw exists that allows a stored cross-site scripting (XSS) attack. This flaw exists because the 'includes/parser/Parser.php' script does not validate input to unclosed internal links before returning it to users. This may allow a remote attacker to create a specially crafted request that would execute arbitrary script code in a user's browser session within the trust relationship between their browser and the server. (OSVDB 143395)
- A flaw exists that allows an XSS attack. This flaw exists because the 'Html::inlineStyle()' function in 'includes/Html.php' does not validate input when handling improper inline style blocks via the CSS user subpage preview feature before returning it to users. This may allow a remote attacker to create a specially crafted request that would execute arbitrary script code in a user's browser session within the trust relationship between their browser and the server. (OSVDB 143396)
- A flaw exists in the 'includes/filerepo/file/LocalFile.php' script that may allow an authenticated remote attacker to bypass suppressed viewing restrictions by deleting a file and then undeleting a specific revision of it. (OSVDB 143397)
- A flaw exists because the program fails to time out a user's session after they have been blocked. This may allow a remote attacker to bypass block features. (OSVDB 143398)
- A flaw exists in the 'includes/user/User.php' script that is triggered during the handling of extension hook functions. This may allow a remote attacker to bypass permission restrictions. (OSVDB 143399)
- A flaw exists in the 'includes/api/ApiParse.php' script that is triggered as read permissions are not properly checked when loading page content. This may allow a remote attacker to gain access to sensitive information and bypass the 'Lockdown' extension. (OSVDB 143400)
Solution: Upgrade to MediaWiki version 1.27.1. If 1.27.x cannot be obtained, versions 1.26.4 and 1.23.15 have also been patched for these vulnerabilities.
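
To apply the version ranges above across an inventory, the following added example (not part of the plugin or of MediaWiki) reads the version from the `<meta name="generator">` tag that MediaWiki emits in page HTML and classifies it against the three fixed releases. The sample responses, host names and function names are constructed for illustration, and treating a pre-release of a fixed version as affected is an assumption.

```python
import re

# Fixed patch level per affected branch, from the Solution text above.
FIXED = {(1, 23): 15, (1, 26): 4, (1, 27): 1}

# Assumption: the generator tag has name before content, as MediaWiki emits it.
GENERATOR_RE = re.compile(
    r'<meta\s+name="generator"\s+content="MediaWiki (\d+)\.(\d+)(?:\.(\d+))?([^"]*)"',
    re.IGNORECASE,
)

def extract_version(html):
    """Return (major, minor, patch, suffix) from page HTML, or None if absent."""
    m = GENERATOR_RE.search(html)
    if not m:
        return None
    major, minor, patch, suffix = m.groups()
    return int(major), int(minor), int(patch or 0), suffix

def classify(version):
    """Return 'affected', 'fixed', 'not-covered' or 'unknown' for this advisory."""
    if version is None:
        return "unknown"  # no generator tag; confirm the version another way
    major, minor, patch, suffix = version
    fixed_patch = FIXED.get((major, minor))
    if fixed_patch is None:
        return "not-covered"  # branch is not one of the three listed here
    if patch < fixed_patch:
        return "affected"
    # Conservative assumption: a pre-release of the fixed version is prior to it.
    if patch == fixed_patch and suffix.lower().startswith(("-rc", "-alpha", "-beta")):
        return "affected"
    return "fixed"

# Constructed sample responses (not captured from real hosts).
SAMPLES = {
    "wiki-a": '<head><meta name="generator" content="MediaWiki 1.27.0"/></head>',
    "wiki-b": '<head><meta name="generator" content="MediaWiki 1.26.4"/></head>',
    "wiki-c": '<head><meta name="generator" content="MediaWiki 1.25.6"/></head>',
    "wiki-d": '<head><title>No generator tag</title></head>',
}

def audit(samples):
    """Map each host to its verdict for this advisory."""
    return {host: classify(extract_version(html)) for host, html in samples.items()}

if __name__ == "__main__":
    for host, verdict in audit(SAMPLES).items():
        print(host, verdict)
```

A "not-covered" result only means the branch is outside the three ranges this plugin lists; it says nothing about whether that branch is supported or patched.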