Bug 287881 (CVE-2007-4828)

Summary: CVE-2007-4828 mediawiki cross-site scripting vulnerability
Product: [Fedora] Fedora
Reporter: Tomas Hoger <thoger>
Component: mediawiki
Assignee: Axel Thimm <axel.thimm>
Status: CLOSED ERRATA
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: low
Priority: medium
Version: 7
CC: fedora, roozbeh, ville.skytta
Keywords: Security
Hardware: All
OS: Linux
URL: http://secunia.com/advisories/26772/
Whiteboard: source=gentoo,reported=20070911,public=20070911
Fixed In Version: 1.9.4-35.fc7
Doc Type: Bug Fix
Last Closed: 2007-09-18 03:22:37 UTC

Description Tomas Hoger 2007-09-12 16:01:13 UTC
Secunia published a security advisory for mediawiki:

http://secunia.com/advisories/26772/


A vulnerability has been reported in MediaWiki, which can be exploited by
malicious people to conduct cross-site scripting attacks.

Input passed to unspecified parameters in the API pretty-printing mode is not
properly sanitised before being returned to the user. This can be exploited to
execute arbitrary HTML and script code in a user's browser session in context of
an affected site.

Successful exploitation requires that the API interface is enabled.

The vulnerability is reported in the following versions:
* 1.11 <= 1.11.0rc1
* 1.10 <= 1.10.1
* 1.9 <= 1.9.3
* 1.8 <= 1.8.4 (if $wgEnableAPI has been switched on)

Solution: Update to version 1.11.0, 1.10.2, 1.9.4, or 1.8.5.


Versions currently in Fedora fall into the "affected" range, even though there is
the following note in the changelog for release 1.9.3-34:

- Update to 1.9.4.

It only seems to be a typo.  If there's any other reason why Fedora packages are
not affected, feel free to close this bug with an appropriate comment.
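The defect class the advisory describes (request values echoed into an HTML "pretty-printed" API response without escaping) is illustrated below with a hypothetical pretty-printer. This is an added example, not MediaWiki's code and not part of this bug report; the function names, the parameter array and the sample request are constructed for the illustration. The unsafe and hardened forms sit side by side so the difference can be seen in the output.

```php
<?php
// Hypothetical API pretty-printer (illustration only; not MediaWiki's code).
// It renders the request parameters back to the caller inside an HTML page.

// Unsafe form: parameter names and values reach the page as raw HTML, so any
// markup a caller puts in a request is interpreted by the viewer's browser.
function prettyPrintUnsafe(array $params): string {
    $html = "<pre>\n";
    foreach ($params as $name => $value) {
        $html .= "$name = $value\n";   // DEFECT: no output encoding
    }
    return $html . "</pre>\n";
}

// Hardened form: every string is HTML-escaped at the point it is emitted.
// ENT_QUOTES also encodes quotes, so values are safe inside attributes too.
function prettyPrintSafe(array $params): string {
    $html = "<pre>\n";
    foreach ($params as $name => $value) {
        $html .= htmlspecialchars((string)$name, ENT_QUOTES, 'UTF-8')
               . ' = '
               . htmlspecialchars((string)$value, ENT_QUOTES, 'UTF-8')
               . "\n";
    }
    return $html . "</pre>\n";
}

// Simple regression check a packager could keep next to such code: the
// rendered output must not contain any of the input's markup characters
// unencoded (constructed check, not from the project).
function echoesRawMarkup(string $rendered, array $params): bool {
    foreach ($params as $name => $value) {
        foreach ([(string)$name, (string)$value] as $s) {
            if (strpbrk($s, '<>"\'') !== false && strpos($rendered, $s) !== false) {
                return true;   // input markup survived verbatim
            }
        }
    }
    return false;
}

// Constructed sample request: one parameter carries HTML markup.
$sample = ['action' => 'query', 'titles' => '<b>Main Page</b>'];

$unsafe = prettyPrintUnsafe($sample);
$safe   = prettyPrintSafe($sample);

echo $unsafe;   // browser would render "Main Page" in bold
echo $safe;     // browser shows the literal text &lt;b&gt;Main Page&lt;/b&gt;

var_dump(echoesRawMarkup($unsafe, $sample));   // bool(true)  -> vulnerable
var_dump(echoesRawMarkup($safe, $sample));     // bool(false) -> fixed
```

Run with `php example.php` from the command line; the `var_dump` lines report which of the two printers passes the check. The fix is purely output-side encoding at the emission point, which is why upgrading to the fixed MediaWiki versions listed in the advisory resolves it regardless of which parameters are involved.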

Comment 1 Ville Skyttä 2007-09-12 18:35:28 UTC
Builds done for all active Fedora releases, waiting for them to be pushed.

Comment 2 Fedora Update System 2007-09-18 03:22:36 UTC
mediawiki-1.9.4-35.fc7 has been pushed to the Fedora 7 stable repository.  If problems still persist, please make note of it in this bug report.