Red Hat Bugzilla – Bug 476621
mediawiki: multiple XSS and CSRF issues (CVE-2008-5249, CVE-2008-5250, CVE-2008-5252, CVE-2008-5687, CVE-2008-5688)
Last modified: 2016-01-26 07:47:55 EST
MediWiki upstream released new upstream versions -- 1.13.3, 1.12.1 and 1.6.11 -- with multiple security fixes:
* An XSS vulnerability affecting all MediaWiki installations between
1.13.0 and 1.13.2. [CVE-2008-5249]
* A local script injection vulnerability affecting Internet Explorer
clients for all MediaWiki installations with uploads enabled.
* A local script injection vulnerability affecting clients with SVG
scripting capability (such as Firefox 1.5+), for all MediaWiki
installations with SVG uploads enabled. [CVE-2008-5250]
* A CSRF vulnerability affecting the Special:Import feature, for all
MediaWiki installations since the feature was introduced in 1.3.0.
Further details in the upstream announcement:
CVEs assigned to the mentioned MediaWiki update:
Cross-site scripting (XSS) vulnerability in MediaWiki 1.13.0 through
1.13.2 allows remote attackers to inject arbitrary web script or HTML
via unspecified vectors.
Cross-site scripting (XSS) vulnerability in MediaWiki before 1.6.11,
1.12.x before 1.12.2, and 1.13.x before 1.13.3, when Internet Explorer
is used and uploads are enabled, or an SVG scripting browser is used
and SVG uploads are enabled, allows remote authenticated users to
inject arbitrary web script or HTML by editing a wiki page.
Cross-site request forgery (CSRF) vulnerability in the Special:Import
feature in MediaWiki 1.3.0 through 1.6.10, 1.12.x before 1.12.2, and
1.13.x before 1.13.3 allows remote attackers to perform unspecified
actions as authenticated users via unknown vectors.
As well as other two issue mentioned in the upstream announcement, treated as security enhancement rather than vulnerability fixes by upstream:
MediaWiki 1.11 through 1.13.3 does not properly protect against the
download of backups of deleted images, which might allow remote
attackers to obtain sensitive information via requests for files in
MediaWiki 1.8.1 through 1.13.3, when the wgShowExceptionDetails
variable is enabled, sometimes provides the full installation path in
a debugging message, which might allow remote attackers to obtain
sensitive information via unspecified requests that trigger an
(Path disclosure is not really an issue for Fedora packages, that install MediaWiki in a known directory.)
mediawiki-1.13.3-42.fc9 has been submitted as an update for Fedora 9.
mediawiki-1.13.3-41.99.fc8 has been submitted as an update for Fedora 8.
mediawiki-1.13.3-42.fc10 has been submitted as an update for Fedora 10.
mediawiki-1.13.3-41.99.fc8 has been pushed to the Fedora 8 stable repository. If problems still persist, please make note of it in this bug report.
mediawiki-1.13.3-42.fc10 has been pushed to the Fedora 10 stable repository. If problems still persist, please make note of it in this bug report.
mediawiki-1.13.3-42.fc9 has been pushed to the Fedora 9 stable repository. If problems still persist, please make note of it in this bug report.