Bug 1104222 (CVE-2014-3966)

Summary: CVE-2014-3966 mediawiki: XSS flaw due to improper parsing of Special:PasswordReset
Product: [Other] Security Response
Reporter: Vincent Danen <vdanen>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: medium
Priority: medium
Version: unspecified
CC: extras-orphan, gwync, ian, jrusnack, mike, puiterwijk
Keywords: Security
Hardware: All
OS: Linux
Fixed In Version: mediawiki 1.22.7, mediawiki 1.21.10, mediawiki 1.19.16
Doc Type: Bug Fix
Last Closed: 2014-09-10 23:22:58 UTC
Bug Depends On: 1104223, 1104224, 1104225

Description Vincent Danen 2014-06-03 14:33:59 UTC
New versions of MediaWiki have been announced [1] to fix the following flaw [2]:

XSS vulnerability in MediaWiki before 1.22.7, due to usernames on
Special:PasswordReset being parsed as wikitext.  The username on
Special:PasswordReset can be supplied by anyone and will be parsed with
wgRawHtml enabled.  Since Special:PasswordReset is whitelisted by default on
private wikis, this could potentially lead to an XSS crossing a privilege
boundary.

This is corrected [3] in upstream versions 1.19.16, 1.21.10, and 1.22.7.  A CVE has been requested [4].

[1] http://lists.wikimedia.org/pipermail/mediawiki-announce/2014-May/000151.html
[2] https://bugzilla.wikimedia.org/show_bug.cgi?id=65501
[3] https://gerrit.wikimedia.org/r/#/c/136131/
[4] http://openwall.com/lists/oss-security/2014/06/03/7
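
An added triage helper, not part of this bug report or of MediaWiki's code: it checks a version or package string against the fixed releases listed above and reads `$wgRawHtml` from LocalSettings.php text. The function names and the "upgrade-urgent" weighting for `$wgRawHtml = true` are assumptions of this example.

```python
import re

# Fixed releases per supported branch, from the bug's "Fixed In Version" field.
FIXED_PATCH = {(1, 19): 16, (1, 21): 10, (1, 22): 7}

def parse_version(text):
    """Pull (major, minor, patch) out of a version or package string."""
    m = re.search(r"(?<![\d.])(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError("no x.y.z version in %r" % text)
    return tuple(int(g) for g in m.groups())

def has_fix(text):
    """True if this MediaWiki version carries the CVE-2014-3966 fix."""
    version = parse_version(text)
    if version >= (1, 22, 7):          # description: flaw is "before 1.22.7"
        return True
    fixed = FIXED_PATCH.get(version[:2])
    # Branches with no fixed release listed (e.g. 1.20.x) stay flagged.
    return fixed is not None and version[2] >= fixed

def raw_html_enabled(local_settings):
    """Last uncommented $wgRawHtml assignment in LocalSettings.php text.
    MediaWiki's default is false. Block comments are not handled."""
    hits = re.findall(r"^[ \t]*\$wgRawHtml\s*=\s*(true|false)\s*;",
                      local_settings, re.MULTILINE | re.IGNORECASE)
    return bool(hits) and hits[-1].lower() == "true"

def triage(version_text, local_settings=""):
    if has_fix(version_text):
        return "fixed"
    # Assumption of this example: an explicit $wgRawHtml = true only raises
    # the urgency of the upgrade; an unpatched version is always reported.
    return "upgrade-urgent" if raw_html_enabled(local_settings) else "upgrade"

if __name__ == "__main__":
    # Constructed LocalSettings.php fragment for the demo.
    sample = "# $wgRawHtml = false;\n$wgRawHtml = true;\n"
    for v in ("mediawiki119-1.19.18-1.el6", "1.21.9", "1.20.8", "1.22.7"):
        print(v, "->", triage(v, sample))
```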

Comment 1 Vincent Danen 2014-06-03 14:34:55 UTC
Created mediawiki tracking bugs for this issue:

Affects: fedora-all [bug 1104223]
Affects: epel-5 [bug 1104224]

Comment 2 Vincent Danen 2014-06-03 14:34:57 UTC
Created mediawiki119 tracking bugs for this issue:

Affects: epel-all [bug 1104225]

Comment 3 Vincent Danen 2014-06-04 17:52:07 UTC
Mediawiki 1.21.10 is in testing for both Fedora 19 and 20.

Comment 4 Fedora Update System 2014-08-22 19:17:43 UTC
mediawiki119-1.19.18-1.el6 has been pushed to the Fedora EPEL 6 stable repository.  If problems still persist, please make note of it in this bug report.