MediaWiki < 1.23.14 / 1.25.6 / 1.26.3 Multiple Vulnerabilities

medium Nessus Network Monitor Plugin ID 9475

Synopsis

The remote web server is running a PHP application that is out of date.

Description

The version of MediaWiki installed is 1.23.x earlier than 1.23.14, 1.25.x earlier than 1.25.6, or 1.26.x earlier than 1.26.3. It is therefore affected by multiple vulnerabilities:

- A flaw exists that is due to the program failing to invalidate tokens from previous user sessions when starting a new session. This may allow an authenticated remote attacker to more easily gain access to another user's session.
- A flaw in the 'includes/specials/SpecialUserlogin.php' script is triggered during the handling of non-canonicalized usernames. This may allow a remote attacker to bypass login throttling.
- A flaw exists that is due to the program implementing a cross-domain policy regexp that is too narrow. This may allow a remote attacker to supply parameters within the tag and potentially insert malicious data.
- A flaw exists in the 'wfShellExec()' function within the 'includes/GlobalFunctions.php' script that is due to missing string length limits for shell invocations. This may allow an authenticated remote attacker to provide overly large commands, resulting in a crash.
- A flaw in the 'includes/actions/RawAction.php' script is triggered as sessions are not properly managed when handling cached data. This may allow an authenticated remote attacker to log in as another user and gain elevated privileges.
- A flaw is triggered during the handling of a specially crafted spoofed patrol link. This may allow an authenticated remote attacker to bypass restrictions and patrol arbitrary pages.
- A flaw in the 'includes/WebStart.php' script is triggered as checks are not sufficiently performed against 'mbstring.func_overload'. This may result in more predictable results, allowing a remote attacker to more easily conduct a brute-force attack.
- A flaw exists that is triggered when handling specially crafted requests that involve graphs. This may disclose an edit token to an attacker, allowing them to conduct CSRF attacks, for example.
- A flaw within the 'generateDiffBody()' function in the 'includes/diff/DifferenceEngine.php' script may allow an authenticated remote attacker to cause multiple diffs to be concurrently loaded, consuming significant resources. This may allow the attacker to severely degrade performance.
- A flaw exists that allows a cross-site redirection attack. This flaw exists because the application does not securely use '$wgExternalLinkTarget' within 'includes/DefaultSettings.php'. This could allow a context-dependent attacker to create a specially crafted link that, if followed, would redirect a victim from the intended legitimate web site to an arbitrary web site of the attacker's choosing. Such attacks are useful as the crafted URL initially appears to be a web page of a trusted site. This could be leveraged to direct an unsuspecting user to a web page containing attacks that target client-side software such as a web browser or document rendering programs, as well as phishing attacks that mimic the legitimate site but send user-supplied information to the attacker.
- A flaw in the 'ApiMove::execute()' function in the 'includes/api/ApiMove.php' script is triggered as the move API action is not properly rate limited. This may allow a remote attacker to bypass intended rate restrictions on movement operations.
- A flaw in the 'includes/password/MWOldPassword.php', 'includes/password/MWSaltedPassword.php', and 'includes/password/Pbkdf2Password.php' scripts is triggered during the handling of unknown hash algorithms. This may allow a remote attacker to bypass authentication mechanisms.
- A flaw in the 'includes/specials/SpecialUserlogin.php' script is triggered as password attempts for wiki accounts are throttled on a per-wiki basis, rather than globally. This may allow a remote attacker to more easily conduct brute-force attacks.
- A flaw in the 'includes/DefaultSettings.php' script is triggered as the 'pbkdf2' hashing is configured less securely than possible, which can cause the program to create password hashes that are weaker than they would otherwise be.
- A flaw exists that allows a stored cross-site scripting (XSS) attack. This flaw exists because the 'UploadBase::checkSvgScriptCallback()' function in the 'includes/upload/UploadBase.php' script does not validate input when uploading SVG files before returning it to users. This may allow a remote attacker to create a specially crafted request that would execute arbitrary script code in a user's browser session within the trust relationship between their browser and the server.
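One way to turn the version ranges in this description into a local check, as an added example that is not the plugin's own detection logic: the `FIXED_BY_BRANCH`, `parse_version` and `is_affected` names are assumptions, and the sample banners are constructed. Branches the advisory does not mention (such as 1.24.x) are reported as out of scope rather than as safe.

```python
import re

# Fixed versions named in the advisory, keyed by release branch (major, minor).
# Branches not listed here (e.g. 1.24.x) are outside the scope of this plugin.
FIXED_BY_BRANCH = {
    (1, 23): (1, 23, 14),
    (1, 25): (1, 25, 6),
    (1, 26): (1, 26, 3),
}

# major.minor[.patch] with an optional pre-release tag such as -rc.0 or -beta.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(-?(?:rc|alpha|beta)[\w.]*)?")


def parse_version(text):
    """Return (major, minor, patch, final) from a MediaWiki version string.

    'final' is 0 for a pre-release and 1 for a release, so that 1.25.6-rc.0
    sorts before 1.25.6 and is still reported as affected. A leading
    'MediaWiki ' prefix is tolerated; a missing patch component counts as 0.
    """
    text = text.strip()
    if text.lower().startswith("mediawiki"):
        text = text[len("mediawiki"):].strip()
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError("unrecognised MediaWiki version: %r" % text)
    major, minor, patch, pre = m.groups()
    return (int(major), int(minor), int(patch or 0), 0 if pre else 1)


def is_affected(version_text):
    """True/False for branches the advisory covers; None when out of scope."""
    version = parse_version(version_text)
    fixed = FIXED_BY_BRANCH.get(version[:2])
    if fixed is None:
        return None
    # A release is fixed once it reaches the patched version as a final build.
    return version < fixed + (1,)


if __name__ == "__main__":
    # Constructed sample banners, not output from any real host.
    for banner in ["MediaWiki 1.26.2", "1.26.3", "1.23.13", "1.25.6-rc.0", "1.24.2"]:
        print("%-20s -> %s" % (banner, is_affected(banner)))
```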

Solution

Upgrade to MediaWiki version 1.26.3. If 1.26.x cannot be obtained, versions 1.25.6 and 1.23.14 have also been patched for these vulnerabilities.

See Also

https://github.com/wikimedia/mediawiki/commit/fdc70074bbe9cec0e83a2ef512c356861e60dc88

https://github.com/wikimedia/mediawiki/commit/6e48d1e9d4ea10311cf1e2980391f02354f3af08

Plugin Details

Severity: Medium

ID: 9475

Family: CGI

Published: 8/5/2016

Updated: 3/6/2019

Nessus ID: 91856

Risk Information

CVSS v2

Risk Factor: Medium

Base Score: 5

Temporal Score: 4.4

Vector: CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:N

CVSS v3

Risk Factor: Medium

Base Score: 5.3

Temporal Score: 5.1

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Temporal Vector: CVSS:3.0/E:X/RL:O/RC:C

Vulnerability Information

CPE: cpe:/a:mediawiki:mediawiki

Patch Publication Date: 5/20/2016

Vulnerability Publication Date: 5/18/2016