Bug 1369613 (CVE-2016-6331, CVE-2016-6332, CVE-2016-6333, CVE-2016-6334, CVE-2016-6335, CVE-2016-6336) - CVE-2016-6331 CVE-2016-6332 CVE-2016-6333 CVE-2016-6334 CVE-2016-6335 CVE-2016-6336 mediawiki: multiple flaws fixed in 1.27.1, 1.26.4 and 1.23.15
Summary: CVE-2016-6331 CVE-2016-6332 CVE-2016-6333 CVE-2016-6334 CVE-2016-6335 CVE-201...
Keywords:
Status: CLOSED UPSTREAM
Alias: CVE-2016-6331, CVE-2016-6332, CVE-2016-6333, CVE-2016-6334, CVE-2016-6335, CVE-2016-6336
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard: impact=moderate,public=20160820,repor...
Depends On: 1369615 1369614
Blocks:
TreeView+ depends on / blocked
 
Reported: 2016-08-24 01:29 UTC by Jeremy Choi
Modified: 2019-06-08 21:24 UTC (History)
4 users (show)

Fixed In Version: mediawiki 1.27.1, mediawiki 1.26.4, mediawiki 1.23.15
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2019-06-08 02:57:49 UTC


Attachments (Terms of Use)

Description Jeremy Choi 2016-08-24 01:29:25 UTC
Multiple flaws have been reported on mediawiki. 

T115333: API action=parse does not check-per title read permissions
= Flaw =
  MediaWiki does not properly respect results from extensions that deny
read access to certain pages via the userCan hook.
= Exploit =
  Users may gain inadvertent access to pages which extensions (such as
Lockdown) have been configured to disallow.
= Affects =
  MediaWiki versions
    1.27.x prior to 1.27.1
    1.26.x prior to 1.26.4
    1.23.x prior to 1.23.14
    and unsupported branches 1.22.x, 1.24.x and 1.25.x
= Reference =
  https://phabricator.wikimedia.org/T115333

T129738: Blocked accounts on BlockDisablesLogin wikis aren't logged out
= Flaw =
  On wikis which have been configured with $wgBlockDisablesLogin set
true, blocked user sessions are not terminated at the time that the user
account is blocked.
= Exploit =
  Blocked users will continue to have access to the wiki for the
duration of their login session.
= Affects =
  MediaWiki versions
    1.27.x prior to 1.27.1
    1.26.x prior to 1.26.4
    1.23.x prior to 1.23.14
    and unsupported branches 1.22.x, 1.24.x and 1.25.x
= Reference =
  https://phabricator.wikimedia.org/T129738

T133147: XSS via CSS user subpage preview feature
= Flaw =
  When previewing Special:Mypage/common.css, the contents are included
in an inline <style> tag. However, "</style>" is not properly escaped,
allowing arbitrary HTML.
= Exploit =
  An attacker may execute a reflected cross-site scripting attack
against non-authenticated users.
= Affects =
  MediaWiki versions
    1.27.x prior to 1.27.1
    1.26.x prior to 1.26.4
    1.23.x prior to 1.23.14
    and unsupported branches 1.22.x, 1.24.x and 1.25.x
= Reference =
  https://phabricator.wikimedia.org/T133147

T137264: XSS in Parser::replaceInternalLinks2 during replacement of
percent encoding in unclosed internal links
= Flaw =
  MediaWiki does not properly process URL-encoded values when handling
unterminated internal links.
= Exploit =
  An attacker may submit content containing specially-crafted
unterminated links, leading to persistent cross-site scripting.
= Affects =
  MediaWiki versions
    1.27.x prior to 1.27.1
    1.26.x prior to 1.26.4
    1.23.x prior to 1.23.14
    and unsupported branches 1.22.x, 1.24.x and 1.25.x
= Reference =
  https://phabricator.wikimedia.org/T137264

T139570: API action=parse&prop=headhtml leaks current user and their
tokens to third-party sites when used via JSONP
= Flaw =
  The result of a MediaWiki API call using JSONP reveals private user
data, including username and CSRF token.
= Exploit =
  An attacker may take advantage of the revealed information to
circumvent CSRF protection.
= Affects =
  MediaWiki versions
    1.27.x prior to 1.27.1
    1.26.x prior to 1.26.4
    1.23.x prior to 1.23.14
    and unsupported branches 1.22.x, 1.24.x and 1.25.x
= Reference =
  https://phabricator.wikimedia.org/T139570

T132926: Admins can get around oversight (suppression) of file revisions
= Flaw =
  MediaWiki does not properly enforce access controls limiting
restoration of deleted or suppressed files.
= Exploit =
  Admins with insufficient permissions may restore deleted or suppressed
files.
= Affects =
  MediaWiki versions
    1.27.x prior to 1.27.1
    1.26.x prior to 1.26.4
    1.23.x prior to 1.23.14
    and unsupported branches 1.22.x, 1.24.x and 1.25.x
= Reference =
  https://phabricator.wikimedia.org/T132926

T139670: Central auth global groups don't take session rights limit into
account
= Flaw =
  The UserGetRights runtime hook allowed extensions to grant permissions
that had previously been denied based on user session attributes.
= Exploit =
  Extensions using this hook may accidentally or maliciously add
permissions which had been explicitly disallowed.
= Affects =
  MediaWiki versions
    1.27.x prior to 1.27.1
= Reference =
  https://phabricator.wikimedia.org/T139670

Comment 1 Jeremy Choi 2016-08-24 01:30:03 UTC
Created mediawiki tracking bugs for this issue:

Affects: fedora-all [bug 1369614]
Affects: epel-all [bug 1369615]

Comment 2 Andrej Nemec 2016-08-29 07:27:19 UTC
External references:

https://lists.wikimedia.org/pipermail/mediawiki-announce/2016-August/000195.html

Comment 3 Andrej Nemec 2016-08-29 07:28:51 UTC
It seems that upstream changed the fixed in version of 1.23 branch to 1.23.15.

https://www.mediawiki.org/wiki/Release_notes/1.23#Changes_since_1.23.14

Comment 4 Fedora Update System 2016-09-06 18:24:19 UTC
mediawiki-1.27.1-1.fc25 has been pushed to the Fedora 25 stable repository. If problems still persist, please make note of it in this bug report.

Comment 5 Fedora Update System 2016-09-06 22:23:47 UTC
mediawiki-1.26.4-1.fc24 has been pushed to the Fedora 24 stable repository. If problems still persist, please make note of it in this bug report.

Comment 6 Fedora Update System 2016-09-07 01:49:40 UTC
mediawiki-1.26.4-1.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.

Comment 7 Product Security DevOps Team 2019-06-08 02:57:49 UTC
This CVE Bugzilla entry is for community support informational purposes only as it does not affect a package in a commercially supported Red Hat product. Refer to the dependent bugs for status of those individual community products.


Note You need to log in before you can comment on or make changes to this bug.