CVE-2008-4408: XSS in mediawiki


Debian Bug report logs - #501115


Reported by: Steffen Joeris <steffen.joeris@skolelinux.de>

Date: Sat, 4 Oct 2008 08:57:01 UTC

Severity: important

Tags: security

Fixed in versions mediawiki/1:1.13.2-1, mediawiki/1:1.12.0-2lenny1

Done: Romain Beauxis <toots@rastageeks.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Mediawiki Maintenance Team <pkg-mediawiki-devel@lists.alioth.debian.org>:
Bug#501115; Package mediawiki. (Sat, 04 Oct 2008 08:57:04 GMT)


Acknowledgement sent to Steffen Joeris <steffen.joeris@skolelinux.de>:
New Bug report received and forwarded. Copy sent to Mediawiki Maintenance Team <pkg-mediawiki-devel@lists.alioth.debian.org>. (Sat, 04 Oct 2008 08:57:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: Steffen Joeris <steffen.joeris@skolelinux.de>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: CVE-2008-4408: XSS in mediawiki
Date: Sat, 04 Oct 2008 18:52:17 +1000
Package: mediawiki
Severity: important
Tags: security

Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for mediawiki.

CVE-2008-4408[0]:
Cross-site scripting (XSS) vulnerability in MediaWiki 1.13.1, 1.12.0,
and possibly other versions before 1.13.2 allows remote attackers
to inject arbitrary web script or HTML via the useskin parameter 
to an unspecified component.

If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.

Cheers
Steffen

For further information see:

[0] http://web.nvd.nist.gov/view/vuln/detail?execution=e6s1
    http://security-tracker.debian.net/tracker/CVE-2008-4408
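The CVE text above describes a reflected XSS: a request parameter (useskin) ends up in the page's HTML without being constrained or escaped. The following PHP is an added example, not MediaWiki's code and not the upstream fix; it shows the vulnerable pattern next to a hardened version that accepts only a known skin name and still escapes on output. The skin names, the function names and the body-tag rendering are constructed for illustration.

```php
<?php
// Added example, not MediaWiki's own code: a user-selectable "useskin"
// request parameter reflected into HTML unescaped, and the allow-list
// plus output-encoding pattern that closes that hole.
// ALLOWED_SKINS and DEFAULT_SKIN are constructed values for illustration.

const ALLOWED_SKINS = ['monobook', 'modern', 'simple'];
const DEFAULT_SKIN  = 'monobook';

// Vulnerable pattern: the raw query value lands inside an attribute.
function renderBodyTagUnsafe(array $query): string
{
    $skin = $query['useskin'] ?? DEFAULT_SKIN;
    return '<body class="skin-' . $skin . '">';
}

// Step 1 of the fix: canonicalise the value and accept only known skins.
// A non-string value (e.g. useskin[]=x in the query string) is rejected
// rather than cast, so no "Array" notice or odd value gets through.
function selectSkin(array $query): string
{
    $raw = $query['useskin'] ?? '';
    if (!is_string($raw)) {
        return DEFAULT_SKIN;
    }
    $skin = strtolower(trim($raw));
    return in_array($skin, ALLOWED_SKINS, true) ? $skin : DEFAULT_SKIN;
}

// Step 2: escape on output anyway, so a later change to the allow-list
// (or a skin name containing odd characters) cannot reopen the injection.
function renderBodyTagSafe(array $query): string
{
    $skin = selectSkin($query);
    return '<body class="skin-'
        . htmlspecialchars($skin, ENT_QUOTES | ENT_HTML5, 'UTF-8')
        . '">';
}

// Constructed inputs: a legitimate choice, a value that closes the
// attribute and injects markup, and a non-string value.
$inputs = [
    'benign'  => ['useskin' => 'modern'],
    'hostile' => ['useskin' => '"><em>injected</em>'],
    'array'   => ['useskin' => ['x']],
];

foreach ($inputs as $label => $query) {
    if (is_string($query['useskin'])) {
        echo "$label, unsafe: " . renderBodyTagUnsafe($query) . PHP_EOL;
    }
    echo "$label, safe:   " . renderBodyTagSafe($query) . PHP_EOL;
}
```

Run with `php example.php`. For the hostile input the unsafe renderer emits the injected element as live markup, while the safe renderer falls back to the default skin and emits a plain class attribute. The allow-list is what actually removes the attacker's control over the value; the escaping is defence in depth for the case where the list later grows.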




Reply sent to Romain Beauxis <toots@rastageeks.org>:
You have taken responsibility. (Sat, 11 Oct 2008 14:09:06 GMT)


Notification sent to Steffen Joeris <steffen.joeris@skolelinux.de>:
Bug acknowledged by developer. (Sat, 11 Oct 2008 14:09:06 GMT)


Message #10 received at 501115-close@bugs.debian.org:

From: Romain Beauxis <toots@rastageeks.org>
To: 501115-close@bugs.debian.org
Subject: Bug#501115: fixed in mediawiki 1:1.13.2-1
Date: Sat, 11 Oct 2008 13:47:05 +0000
Source: mediawiki
Source-Version: 1:1.13.2-1

We believe that the bug you reported is fixed in the latest version of
mediawiki, which is due to be installed in the Debian FTP archive:

mediawiki-math_1.13.2-1_amd64.deb
  to pool/main/m/mediawiki/mediawiki-math_1.13.2-1_amd64.deb
mediawiki_1.13.2-1.diff.gz
  to pool/main/m/mediawiki/mediawiki_1.13.2-1.diff.gz
mediawiki_1.13.2-1.dsc
  to pool/main/m/mediawiki/mediawiki_1.13.2-1.dsc
mediawiki_1.13.2-1_all.deb
  to pool/main/m/mediawiki/mediawiki_1.13.2-1_all.deb
mediawiki_1.13.2.orig.tar.gz
  to pool/main/m/mediawiki/mediawiki_1.13.2.orig.tar.gz



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 501115@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Romain Beauxis <toots@rastageeks.org> (supplier of updated mediawiki package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Sat, 11 Oct 2008 15:02:39 +0200
Source: mediawiki
Binary: mediawiki mediawiki-math
Architecture: source all amd64
Version: 1:1.13.2-1
Distribution: unstable
Urgency: low
Maintainer: Mediawiki Maintenance Team <pkg-mediawiki-devel@lists.alioth.debian.org>
Changed-By: Romain Beauxis <toots@rastageeks.org>
Description: 
 mediawiki  - website engine for collaborative work
 mediawiki-math - math rendering plugin for MediaWiki
Closes: 501115
Changes: 
 mediawiki (1:1.13.2-1) unstable; urgency=low
 .
   * New upstream release
   * Fix CVE-2008-4408: XSS in mediawiki:
     "Cross-site scripting (XSS) vulnerability allows remote attackers
      to inject arbitrary web script or HTML via the useskin parameter
      to an unspecified component."
   Closes: #501115
Checksums-Sha1: 
 4182a4d59ac292fb86e68e37a9eb9f0076296494 1524 mediawiki_1.13.2-1.dsc
 c6f6e404ee9152deeec63cdc3278a2a57d556efe 9050636 mediawiki_1.13.2.orig.tar.gz
 e473990cf381b5bfc8f2871928a601d5a4a8dfcd 29040 mediawiki_1.13.2-1.diff.gz
 150375e255d08a62398c2ea8cbccdf748674bb9e 9065566 mediawiki_1.13.2-1_all.deb
 4d24ef9575df70cad1360459a74d60e278be3c60 155828 mediawiki-math_1.13.2-1_amd64.deb
Checksums-Sha256: 
 96bb918cc7d0349890812fdf0c2af474450a0aea5b89a02ea08adcd79773a64c 1524 mediawiki_1.13.2-1.dsc
 8c6db8a15f538fe0d8f67f2bcc711929d38f87f99191474733cc218d91fb3792 9050636 mediawiki_1.13.2.orig.tar.gz
 c7285d105b59fdb016484cf2687c70e34886de1d604e70dc4c7e4fa45802d16b 29040 mediawiki_1.13.2-1.diff.gz
 3d6c40c4543a40a3ae557bafe82860534d369574bda9019491e0af4f6349aba9 9065566 mediawiki_1.13.2-1_all.deb
 aa5672a235aa0879d77f65f39a9da223aea3859b5c947499280a9194cad9656c 155828 mediawiki-math_1.13.2-1_amd64.deb
Files: 
 82c1f2780c0444d2a6f4d42401d3f08b 1524 web optional mediawiki_1.13.2-1.dsc
 e10f791ba9ecd02dd751a5676cc84405 9050636 web optional mediawiki_1.13.2.orig.tar.gz
 770da65c6365e29200980a1522ef2517 29040 web optional mediawiki_1.13.2-1.diff.gz
 2526ca64528352ecbc91a288f8747279 9065566 web optional mediawiki_1.13.2-1_all.deb
 95bdd23f61663c689c6a5ade317fab33 155828 web optional mediawiki-math_1.13.2-1_amd64.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iQEcBAEBAgAGBQJI8KnvAAoJEAC5aaocqV0ZO9oIAJ1lTe6Lo8t17p9tYuBBA1CX
Vz7oRe8enCvonqPO+G56gF/LNUdjIjgwKI4L0PtoPfkGURVig0QkRebkHPmcgVF6
yyZ457brA2NgIQx5KjnlFFVqNX+4ufSWnksmRHLSfikiEYleWd3nCTs4LErXfF/l
+5KkzKytQSjFtREkhwvvEPxM2d3WmGBob4hVBvDygK7nk/22yOoqHAU/zXjHeQID
wzEOlBfCxh6mXskG/1LjuLh/TVoygOxMwg4GOVYUAvyX/rOAVCTVV1EnmYqLCzus
+wP6CstgJn3ZvXk6IVGh9vzoayvdT+Mj0sduMYLmlHSN1VczNulBvDK3W7hhHt4=
=qgGp
-----END PGP SIGNATURE-----





Information forwarded to debian-bugs-dist@lists.debian.org, Mediawiki Maintenance Team <pkg-mediawiki-devel@lists.alioth.debian.org>:
Bug#501115; Package mediawiki. (Sun, 12 Oct 2008 03:33:02 GMT)


Acknowledgement sent to Paul Wise <pabs@debian.org>:
Extra info received and forwarded to list. Copy sent to Mediawiki Maintenance Team <pkg-mediawiki-devel@lists.alioth.debian.org>. (Sun, 12 Oct 2008 03:33:02 GMT)


Message #15 received at 501115@bugs.debian.org:

From: Paul Wise <pabs@debian.org>
To: 501115@bugs.debian.org
Subject: mediawiki: 501115: fix security issue in Lenny???
Date: Sun, 12 Oct 2008 11:04:43 +0800
Hi,

Are the mediawiki maintainers going to fix this security issue in Lenny?

-- 
bye,
pabs

http://wiki.debian.org/PaulWise

Information forwarded to debian-bugs-dist@lists.debian.org, Mediawiki Maintenance Team <pkg-mediawiki-devel@lists.alioth.debian.org>:
Bug#501115; Package mediawiki. (Tue, 14 Oct 2008 10:36:06 GMT)


Acknowledgement sent to Nico Golde <nion@debian.org>:
Extra info received and forwarded to list. Copy sent to Mediawiki Maintenance Team <pkg-mediawiki-devel@lists.alioth.debian.org>. (Tue, 14 Oct 2008 10:36:06 GMT)


Message #20 received at 501115@bugs.debian.org:

From: Nico Golde <nion@debian.org>
To: Paul Wise <pabs@debian.org>, 501115@bugs.debian.org
Subject: Re: Bug#501115: mediawiki: 501115: fix security issue in Lenny???
Date: Tue, 14 Oct 2008 12:28:32 +0200
Hi Paul,
* Paul Wise <pabs@debian.org> [2008-10-12 11:56]:
> Are the mediawiki maintainers going to fix this security issue in Lenny?

Yes, the security team was already contacted by the
maintainer.

Kind regards
Nico
-- 
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.

Reply sent to Romain Beauxis <toots@rastageeks.org>:
You have taken responsibility. (Tue, 14 Oct 2008 23:21:06 GMT)


Notification sent to Steffen Joeris <steffen.joeris@skolelinux.de>:
Bug acknowledged by developer. (Tue, 14 Oct 2008 23:21:06 GMT)


Message #25 received at 501115-close@bugs.debian.org:

From: Romain Beauxis <toots@rastageeks.org>
To: 501115-close@bugs.debian.org
Subject: Bug#501115: fixed in mediawiki 1:1.12.0-2lenny1
Date: Tue, 14 Oct 2008 22:32:21 +0000
Source: mediawiki
Source-Version: 1:1.12.0-2lenny1

We believe that the bug you reported is fixed in the latest version of
mediawiki, which is due to be installed in the Debian FTP archive:

mediawiki-math_1.12.0-2lenny1_amd64.deb
  to pool/main/m/mediawiki/mediawiki-math_1.12.0-2lenny1_amd64.deb
mediawiki_1.12.0-2lenny1.diff.gz
  to pool/main/m/mediawiki/mediawiki_1.12.0-2lenny1.diff.gz
mediawiki_1.12.0-2lenny1.dsc
  to pool/main/m/mediawiki/mediawiki_1.12.0-2lenny1.dsc
mediawiki_1.12.0-2lenny1_all.deb
  to pool/main/m/mediawiki/mediawiki_1.12.0-2lenny1_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 501115@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Romain Beauxis <toots@rastageeks.org> (supplier of updated mediawiki package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Tue, 14 Oct 2008 15:56:19 +0200
Source: mediawiki
Binary: mediawiki mediawiki-math
Architecture: source all amd64
Version: 1:1.12.0-2lenny1
Distribution: testing-security
Urgency: high
Maintainer: Mediawiki Maintenance Team <pkg-mediawiki-devel@lists.alioth.debian.org>
Changed-By: Romain Beauxis <toots@rastageeks.org>
Description: 
 mediawiki  - website engine for collaborative work
 mediawiki-math - math rendering plugin for MediaWiki
Closes: 501115
Changes: 
 mediawiki (1:1.12.0-2lenny1) testing-security; urgency=high
 .
   * Security update, fix CVE-2008-4408:
   "Cross-site scripting (XSS) vulnerability in MediaWiki 1.13.1, 1.12.0,
    and possibly other versions before 1.13.2 allows remote attackers
    to inject arbitrary web script or HTML via the useskin parameter
    to an unspecified component."
   Closes: #501115
Checksums-Sha1: 
 b73d2e9f22b5836cc4ecc2f3c9e9aeda977cd803 1548 mediawiki_1.12.0-2lenny1.dsc
 48bf1877f60c317cbe93c072187dfe9c1aa3b857 7188806 mediawiki_1.12.0.orig.tar.gz
 650eb2fa1c6c59c64eb55c2e0551983837ba9edc 30264 mediawiki_1.12.0-2lenny1.diff.gz
 59e4ab15a9b7c6127c9f60d509451ffda5c2b6d2 7218492 mediawiki_1.12.0-2lenny1_all.deb
 441faa1c548804922f78b7e0fed478ddf4294b84 155720 mediawiki-math_1.12.0-2lenny1_amd64.deb
Checksums-Sha256: 
 12ba1066d90517470296cbc170b17e3a6d55ad1f7b23c9c22b73f42be1b887ba 1548 mediawiki_1.12.0-2lenny1.dsc
 478b38b29f0f6e661b6c632f39e570d654f83c5069b69de2f187b43c20bc8809 7188806 mediawiki_1.12.0.orig.tar.gz
 5d0e5225cbd3badf288a08e12c238b437ec68f5792009aa644188d9e8ad22c15 30264 mediawiki_1.12.0-2lenny1.diff.gz
 73478a19b754b8da8cc35bd2a64c5595a598b59ae4eab5f859c3ba19eae1af49 7218492 mediawiki_1.12.0-2lenny1_all.deb
 85f749d2273bef3088f54e0da7ebd34647e0702f435ee4bd51313bf8a71f9876 155720 mediawiki-math_1.12.0-2lenny1_amd64.deb
Files: 
 cad09bb22a496c7a2f19572f60709606 1548 web optional mediawiki_1.12.0-2lenny1.dsc
 117a1360f440883a51f0ebca32906ea0 7188806 web optional mediawiki_1.12.0.orig.tar.gz
 ed5b93cec75b1a6087f1397933c7023d 30264 web optional mediawiki_1.12.0-2lenny1.diff.gz
 c7623776252637a40902f25e7ad8c860 7218492 web optional mediawiki_1.12.0-2lenny1_all.deb
 7a30091d20abfa6601f4efe275f8e9cc 155720 web optional mediawiki-math_1.12.0-2lenny1_amd64.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iQEcBAEBAgAGBQJI9LwyAAoJEAC5aaocqV0Zq/cIAKv3kOWSwofdgfbgbZ8HHTNG
Hb4rq8e8eqzqwL9BJ/o5aGo5rGMTMi4TWo1qEQf6cHxXWpHKPUpXaxIIgA+t8tzM
Q6+jkCWecJhIBXkxQ+yu/rV7UgjxI3j2iZ3DMeoilaqqwVuFF6a7dbHAW2fedd0z
1k0ymRFtVn2ttcn5aTMzLvK3SBU/eBa89doDsW8DCUJPtbCfiZFisI31wz4hJHal
IFIs3haUkma7hQ4pIQ4lyeRsc02gZc8O+LLCMZdeu+ZDTV6CyCebYrPlIGNY2CGh
AFowfOmCuMW52jqZW0yU+V7x9BpFG5TJ0TS5RTqDDOumUl9h78BV7GouiTzNzrU=
=owDt
-----END PGP SIGNATURE-----





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Wed, 12 Nov 2008 07:32:31 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 17:15:04 2019; Machine Name: buxtehude
