MediaWiki 1.23.x < 1.23.15 / 1.26.x < 1.26.4 / 1.27.x < 1.27.1 Multiple Vulnerabilities

Critical Nessus Network Monitor Plugin ID 9824

Synopsis

The remote web server is running a PHP application that is out of date.

Description

The version of MediaWiki installed is 1.23.x prior to 1.23.15, 1.26.x prior to 1.26.4, or 1.27.x prior to 1.27.1, and is affected by multiple vulnerabilities:

- A flaw exists because HTTP requests handled by 'includes/OutputPage.php' do not require multiple steps or explicit confirmation and rely on predictable edit tokens. By tricking a user into following a specially crafted link, a context-dependent attacker can perform a Cross-Site Request Forgery (CSRF / XSRF) attack that causes the victim to edit CSS content.
- A flaw exists in 'includes/api/ApiParse.php' that is triggered as head items are not properly generated in the context of the title. This may allow a remote attacker to have an unspecified impact.
- A flaw exists that allows a stored cross-site scripting (XSS) attack. This flaw exists because the 'includes/parser/Parser.php' script does not validate input to unclosed internal links before returning it to users. This may allow a remote attacker to create a specially crafted request that would execute arbitrary script code in a user's browser session within the trust relationship between their browser and the server.
- A flaw exists that allows an XSS attack. This flaw exists because the 'Html::inlineStyle()' function in 'includes/Html.php' does not validate input when handling improper inline style blocks via the CSS user subpage preview feature before returning it to users. This may allow a remote attacker to create a specially crafted request that would execute arbitrary script code in a user's browser session within the trust relationship between their browser and the server.
- A flaw exists in the 'includes/filerepo/file/LocalFile.php' script that may allow an authenticated remote attacker to bypass suppressed viewing restrictions by deleting a file and then undeleting a specific revision of it.
- A flaw exists because the program fails to time out a user's session after that user has been blocked. This may allow a remote attacker to bypass block features.
- A flaw exists in the 'includes/user/User.php' script that is triggered during the handling of extension hook functions. This may allow a remote attacker to bypass permission restrictions.
- A flaw exists in the 'includes/api/ApiParse.php' script that is triggered as read permissions are not properly checked when loading page content. This may allow a remote attacker to gain access to sensitive information and bypass the 'Lockdown' extension.

Solution

Upgrade to MediaWiki version 1.27.1. If 1.27.x cannot be obtained, versions 1.26.4 and 1.23.15 have also been patched for these vulnerabilities.
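As an added example (not part of this Nessus plugin or of MediaWiki), the Python below triages reported MediaWiki version strings against the affected branches and fixed versions stated above. The inventory entries are constructed, and the 'unlisted' verdict for branches the advisory does not name (for example 1.24.x or 1.25.x) is an assumption of this example, meant to flag such hosts for manual review rather than to declare them safe.

```python
import re

# Fixed versions per affected branch, as stated in the advisory text.
FIXED_BY_BRANCH = {
    (1, 23): (1, 23, 15),
    (1, 26): (1, 26, 4),
    (1, 27): (1, 27, 1),
}

# Constructed sample inventory (hostname, version banner); not real hosts.
SAMPLE_INVENTORY = [
    ("wiki-a.example", "MediaWiki 1.23.14"),
    ("wiki-b.example", "MediaWiki 1.26.4"),
    ("wiki-c.example", "MediaWiki 1.27.0-wmf.5"),
    ("wiki-d.example", "MediaWiki 1.25.6"),
    ("wiki-e.example", "no version header"),
]


def parse_version(text):
    """Extract the first dotted version from a banner as an int tuple.

    A missing patch component is treated as 0, so '1.26' becomes (1, 26, 0);
    a pre-release suffix such as '-wmf.5' is ignored. Returns None when no
    dotted version is present.
    """
    m = re.search(r"(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        return None
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))


def assess(text):
    """Return 'vulnerable', 'fixed', 'unlisted' or 'unknown' for a banner.

    'unlisted' (assumption of this example) marks a branch the advisory does
    not cover; 'unknown' means no version could be parsed at all.
    """
    version = parse_version(text)
    if version is None:
        return "unknown"
    fixed = FIXED_BY_BRANCH.get(version[:2])
    if fixed is None:
        return "unlisted"
    return "vulnerable" if version < fixed else "fixed"


def triage(inventory=SAMPLE_INVENTORY):
    """Map each host in the inventory to its assess() verdict."""
    return {host: assess(banner) for host, banner in inventory}
```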

See Also

https://lists.wikimedia.org/pipermail/mediawiki-announce/2016-August/000195.html

Plugin Details

Severity: Critical

ID: 9824

Family: CGI

Published: 2016/12/09

Updated: 2019/03/06

Dependencies: 1442

Risk Information

Risk Factor: Critical

CVSS v2.0

Base Score: 10

Temporal Score: 8.7

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C

Temporal Vector: CVSS2#E:ND/RL:OF/RC:C

CVSS v3.0

Base Score: 9.8

Temporal Score: 9.3

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:X/RL:O/RC:C

Vulnerability Information

CPE: cpe:/a:mediawiki:mediawiki

Patch Publication Date: 2016/08/23

Vulnerability Publication Date: 2016/08/23

Reference Information

CVE: CVE-2016-6331, CVE-2016-6332, CVE-2016-6333, CVE-2016-6334, CVE-2016-6335, CVE-2016-6336, CVE-2016-6337