CVE-2008-5250: several local script injection vulnerabilities in MediaWiki

Debian Bug report logs - #508869
CVE-2008-5250: several local script injection vulnerabilities in MediaWiki

Toggle useless messages

Message #3 received at submit@bugs.debian.org (full text, mbox, reply):

From: Raphael Geissert <atomo64@gmail.com>

To: submit@bugs.debian.org

Subject: CVE-2008-5250: several local script injection vulnerabilities in MediaWiki

Date: Mon, 15 Dec 2008 22:49:40 -0600

[Message part 1 (text/plain, inline)]

Package: mediawiki
Version: 1:1.7
Severity: grave
Tags: security patch

Hi,

The following CVE (Common Vulnerabilities & Exposures) id was published for 
mediawiki.

[0]:
> * A local script injection vulnerability affecting Internet Explorer
> clients for all MediaWiki installations with uploads enabled.
> [CVE-2008-5250]
> * A local script injection vulnerability affecting clients with SVG
> scripting capability (such as Firefox 1.5+), for all MediaWiki
> installations with SVG uploads enabled. [CVE-2008-5250]

A patch fixing this and other issues can be found at [0].

If you fix the vulnerability please also make sure to include the CVE id in 
the changelog entry.

[0]http://lists.wikimedia.org/pipermail/mediawiki-announce/2008-December/000080.html
[1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5250
     http://security-tracker.debian.net/tracker/CVE-2008-5250

Cheers,
-- 
Raphael Geissert - Debian Maintainer
www.debian.org - get.debian.net

[signature.asc (application/pgp-signature, inline)]

Message #6 received at 508869-quiet@bugs.debian.org (full text, mbox, reply):

From: Raphael Geissert <atomo64@gmail.com>

To: Romain Beauxis <toots@rastageeks.org>

Cc: control@bugs.debian.org, 508868@bugs.debian.org, 508869-quiet@bugs.debian.org, 508870-quiet@bugs.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org

Subject: Re: mediawiki: several security issues, help wanted !

Date: Mon, 15 Dec 2008 23:02:31 -0600

[Message part 1 (text/plain, inline)]

close 508860
thanks

Hi Romain et al,

On Monday 15 December 2008, Romain Beauxis wrote:
> Package: mediawiki
> Severity: grave
> Tags: security
> Justification: user security hole
>
>
> 	Hi all !
>
> Several security issues have unfortunately been noticed [1] in mediawiki
> that may affect for some any version of the software.

Sorry for filing the extra bugs, I clicked the send email button way too fast.
I am closing this one so that we can track the issues in individual bug 
reports.

>
> Unfortunately too, I will most likely be overhelmed during the next few
> months. As a consequence, any help is much desired on this issue. That
> package is SVN maintained so it shouldn't be difficult for any interested
> contributor.
>
> Romain
>
> [1]:
> http://lists.wikimedia.org/pipermail/mediawiki-announce/2008-December/00008
>0.html

Cheers,
-- 
Raphael Geissert - Debian Maintainer
www.debian.org - get.debian.net

[signature.asc (application/pgp-signature, inline)]

Message #11 received at 508869-close@bugs.debian.org (full text, mbox, reply):

From: Romain Beauxis <toots@rastageeks.org>

To: 508869-close@bugs.debian.org

Subject: Bug#508869: fixed in mediawiki 1:1.13.3-1

Date: Thu, 18 Dec 2008 02:02:05 +0000

Source: mediawiki
Source-Version: 1:1.13.3-1

We believe that the bug you reported is fixed in the latest version of
mediawiki, which is due to be installed in the Debian FTP archive:

mediawiki-math_1.13.3-1_amd64.deb
  to pool/main/m/mediawiki/mediawiki-math_1.13.3-1_amd64.deb
mediawiki_1.13.3-1.diff.gz
  to pool/main/m/mediawiki/mediawiki_1.13.3-1.diff.gz
mediawiki_1.13.3-1.dsc
  to pool/main/m/mediawiki/mediawiki_1.13.3-1.dsc
mediawiki_1.13.3-1_all.deb
  to pool/main/m/mediawiki/mediawiki_1.13.3-1_all.deb
mediawiki_1.13.3.orig.tar.gz
  to pool/main/m/mediawiki/mediawiki_1.13.3.orig.tar.gz



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 508869@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Romain Beauxis <toots@rastageeks.org> (supplier of updated mediawiki package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Thu, 18 Dec 2008 02:37:58 +0100
Source: mediawiki
Binary: mediawiki mediawiki-math
Architecture: source all amd64
Version: 1:1.13.3-1
Distribution: unstable
Urgency: low
Maintainer: Mediawiki Maintenance Team <pkg-mediawiki-devel@lists.alioth.debian.org>
Changed-By: Romain Beauxis <toots@rastageeks.org>
Description: 
 mediawiki  - website engine for collaborative work
 mediawiki-math - math rendering plugin for MediaWiki
Closes: 508868 508869 508870
Changes: 
 mediawiki (1:1.13.3-1) unstable; urgency=low
 .
   * New upstream release.
   * Fix CVE-2008-5249: XSS vulnerability in MediaWiki:
   "An XSS vulnerability affecting all MediaWiki installations between
    1.13.0 and 1.13.2."
   Closes: #508868
   * Fix CVE-2008-5250: several local script injection vulnerabilities
     in MediaWiki:
   "o A local script injection vulnerability affecting Internet Explorer
      clients for all MediaWiki installations with uploads enabled.
    o A local script injection vulnerability affecting clients with SVG
      scripting capability (such as Firefox 1.5+), for all MediaWiki
      installations with SVG uploads enabled."
   Closes: #508869
   * Fix CVE-2008-5252: CSRF vulnerability affecting the Special:Import
     feature in MediaWiki:
   "A CSRF vulnerability affecting the Special:Import feature, for all
    MediaWiki installations since the feature was introduced in 1.3.0."
   Closes: #508870
Checksums-Sha1: 
 3e135baf85c04b975023211c0f377bdf7709a337 1524 mediawiki_1.13.3-1.dsc
 e6b19d170629c8657742236b9f827a6df0350efd 9252548 mediawiki_1.13.3.orig.tar.gz
 774702edccd95d4359e733338c6bd80902fdfd77 29264 mediawiki_1.13.3-1.diff.gz
 324c06f073e2f7c85c20ab05ec0eb260cd2e0e98 9232080 mediawiki_1.13.3-1_all.deb
 1454f6a20f320ff82a436dae4a2d04e2d143048b 156108 mediawiki-math_1.13.3-1_amd64.deb
Checksums-Sha256: 
 f0774ca4cdb7829756e66386c90f3400b8454741ceace122c67893fdd2eb07f4 1524 mediawiki_1.13.3-1.dsc
 da6962de7156def500ff926060d1d3d1db93ab94ee97620ca5ab8e444035a244 9252548 mediawiki_1.13.3.orig.tar.gz
 0028de6fc2e5085549a8467b997d6fa73cd72ea8ea651e8d9e6a54419992d39c 29264 mediawiki_1.13.3-1.diff.gz
 60fedf1897142f4ebf44ed1a679a9897f01262302321538c0197c539b8034401 9232080 mediawiki_1.13.3-1_all.deb
 a99fd89945b28dc66db35cf7179f77ceb3a52949640e1e0d4ce2d5fc5192b478 156108 mediawiki-math_1.13.3-1_amd64.deb
Files: 
 5216b3c299a168a1d941d0cd61adfc45 1524 web optional mediawiki_1.13.3-1.dsc
 01ecf3492ea92cea62da0a9381dc53e3 9252548 web optional mediawiki_1.13.3.orig.tar.gz
 eafc8c21576f059cedd3f9c1a084f673 29264 web optional mediawiki_1.13.3-1.diff.gz
 2eda5f5c42ea32c1a8ad1607db07b1b3 9232080 web optional mediawiki_1.13.3-1_all.deb
 a8f08c9efdea29d3c08c2bb4806b07db 156108 web optional mediawiki-math_1.13.3-1_amd64.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iQEcBAEBAgAGBQJJSa0nAAoJEAC5aaocqV0Z7BcH/RQxTHk3QpC7SqOoCPCHdvNJ
D0LWdpOakbltNcGwbSR+yg//WFv0gfp28mGoVe639E5F1BIiBapmHpui3eb5rmpQ
SVZVcXlZpXuY2hdxmg15aOxql3D2HbUJ/q1OjK4Vasehg2Xzkw6NAwCXq4jJC94O
P8bC1PeIZcMG1Nk4+iTbR1hVuDMr7/Kzd6Q+oyuPaOh4VuIEF8glHAWgswqVlxLH
a2WyzF+73QWtl4YqidqDoDDivt2NVH7FqweyhdysVC0vIDBCknwtrVGX8KL0cu/u
hAJ00GASELZouT3jOWlSyXshQ+c+ubt8xgtPmKfOsUg3z1H6mL+K1VyZOy+G2oE=
=5IZk
-----END PGP SIGNATURE-----

Message #16 received at 508869@bugs.debian.org (full text, mbox, reply):

From: Luk Claes <luk@debian.org>

To: 508869@bugs.debian.org

Subject: Re: Bug#508869: fixed in mediawiki 1:1.13.3-1

Date: Mon, 12 Jan 2009 07:51:54 +0100

Hi

This 'security' update was uploaded to unstable, but seems to be still
outstanding for testing. Unblocking the version from unstable doesn't
seem to be an option:

1130 files changed, 253693 insertions(+), 131172 deletions(-)

Can an upload be prepared with targeted fixes for the security issues?

Cheers

Luk

Message #21 received at 508869@bugs.debian.org (full text, mbox, reply):

From: Romain Beauxis <toots@rastageeks.org>

To: Luk Claes <luk@debian.org>, 508869@bugs.debian.org

Subject: Re: [Pkg-mediawiki-devel] Bug#508869: fixed in mediawiki 1:1.13.3-1

Date: Wed, 14 Jan 2009 02:23:49 +0100

Le Monday 12 January 2009 07:51:54 Luk Claes, vous avez écrit :
> Hi

	Hi !

> This 'security' update was uploaded to unstable, but seems to be still
> outstanding for testing. Unblocking the version from unstable doesn't
> seem to be an option:
>
> 1130 files changed, 253693 insertions(+), 131172 deletions(-)

Yes. Unstable version is new.

> Can an upload be prepared with targeted fixes for the security issues?

It can, it is not difficult, there is a security-fix patch upstream.
The main problem is that this patch is huge and includes new stuff and does 
not ony fix existing stuff.

The solution is to apply the security patch and have it reviewed and accepted 
by the security team.

However, I am way too busy these days to handle this. I have mentioned this in 
my original bug report (#508860) wich was later closed in favour of two more 
detailed ones.

I have also contacted the security team but didn't get any feedbacks. I know 
they are busy, of course.

The two issues should be quite easy to handle for any interested contributor 
looking at this message.

Romain

Message #26 received at 508869@bugs.debian.org (full text, mbox, reply):

From: Giuseppe Iuculano <giuseppe@iuculano.it>

To: 508869@bugs.debian.org, 508870@bugs.debian.org

Cc: secure-testing-team@lists.alioth.debian.org

Subject: mediawiki: NMU to fix CVE-2008-5249, CVE-2008-5250, CVE-2008-5252

Date: Sun, 18 Jan 2009 12:17:01 +0100

[Message part 1 (text/plain, inline)]

Hi,

the attacked debdiff is for a proposed NMU to fix CVE-2008-5249, CVE-2008-5250,
CVE-2008-5252 in lenny. (Backported from mediawiki 1.12.3)

mediawiki (1:1.12.0-2lenny2) testing-security; urgency=high

  * Security update, NMU to fix fix CVE-2008-5249, CVE-2008-5250, CVE-2008-5252
  * debian/patches/CVE-2008-5249_CVE-2008-5250_CVE-2008-5252.patch:
    - Fixed output escaping for reporting of non-MediaWiki exceptions.
      Potential XSS if an extension throws one of these with user input.
    - Avoid fatal error in profileinfo.php when not configured.
    - Fixed CSRF vulnerability in Special:Import. Fixed input validation in
      transwiki import feature.
    - Add a .htaccess to deleted images directory for additional protection
      against exposure of deleted files with known SHA-1 hashes on default
      installations.
    - Fixed XSS vulnerability for Internet Explorer clients, via file uploads
      which are interpreted by IE as HTML.
    - Fixed XSS vulnerability for clients with SVG scripting, on wikis where SVG
      uploads are enabled. Firefox 1.5+ is affected.
    - Avoid streaming uploaded files to the user via index.php. This allows
      security-conscious users to serve uploaded files via a different domain,
      and thus client-side scripts executed from that domain cannot access the
      login cookies. Affects Special:Undelete, img_auth.php and thumb.php.
    - When streaming files via index.php, use the MIME type detected from the
      file extension, not from the data. This reduces the XSS attack surface.
    - Blacklist redirects via Special:Filepath. Such redirects exacerbate any
      XSS vulnerabilities involving uploads of files containing scripts.
  Closes: #508869, #508870

 -- Giuseppe Iuculano <giuseppe@iuculano.it>  Sun, 18 Jan 2009 11:54:02 +0100




Cheers,
Giuseppe

[mediawiki_1.12.0-2lenny2.debdiff.gz (application/x-gzip, inline)]

[signature.asc (application/pgp-signature, attachment)]

Message #31 received at 508869@bugs.debian.org (full text, mbox, reply):

From: Romain Beauxis <toots@rastageeks.org>

To: Giuseppe Iuculano <giuseppe@iuculano.it>, 508870@bugs.debian.org

Cc: 508869@bugs.debian.org, secure-testing-team@lists.alioth.debian.org

Subject: Re: [Pkg-mediawiki-devel] Bug#508870: mediawiki: NMU to fix CVE-2008-5249, CVE-2008-5250, CVE-2008-5252

Date: Sun, 18 Jan 2009 21:55:46 +0100

Le Sunday 18 January 2009 12:17:01 Giuseppe Iuculano, vous avez écrit :
> Hi,

	Hi !

> the attacked debdiff is for a proposed NMU to fix CVE-2008-5249,
> CVE-2008-5250, CVE-2008-5252 in lenny. (Backported from mediawiki 1.12.3)

Many thanks for this patch and your work !

I have build a fixed package and tested it, it works ok. Also, the changes 
looks clean from the packaging point.

However, I won't comment on the content of the patch, I don't have enough time 
for that. I hope someone else can help reviewing it.


Romain

> mediawiki (1:1.12.0-2lenny2) testing-security; urgency=high
>
>   * Security update, NMU to fix fix CVE-2008-5249, CVE-2008-5250,
> CVE-2008-5252 *
> debian/patches/CVE-2008-5249_CVE-2008-5250_CVE-2008-5252.patch: - Fixed
> output escaping for reporting of non-MediaWiki exceptions. Potential XSS if
> an extension throws one of these with user input. - Avoid fatal error in
> profileinfo.php when not configured.
>     - Fixed CSRF vulnerability in Special:Import. Fixed input validation in
>       transwiki import feature.
>     - Add a .htaccess to deleted images directory for additional protection
>       against exposure of deleted files with known SHA-1 hashes on default
>       installations.
>     - Fixed XSS vulnerability for Internet Explorer clients, via file
> uploads which are interpreted by IE as HTML.
>     - Fixed XSS vulnerability for clients with SVG scripting, on wikis
> where SVG uploads are enabled. Firefox 1.5+ is affected.
>     - Avoid streaming uploaded files to the user via index.php. This allows
>       security-conscious users to serve uploaded files via a different
> domain, and thus client-side scripts executed from that domain cannot
> access the login cookies. Affects Special:Undelete, img_auth.php and
> thumb.php. - When streaming files via index.php, use the MIME type detected
> from the file extension, not from the data. This reduces the XSS attack
> surface. - Blacklist redirects via Special:Filepath. Such redirects
> exacerbate any XSS vulnerabilities involving uploads of files containing
> scripts. Closes: #508869, #508870
>
>  -- Giuseppe Iuculano <giuseppe@iuculano.it>  Sun, 18 Jan 2009 11:54:02
> +0100
>
>
>
>
> Cheers,
> Giuseppe

Message #36 received at 508869-close@bugs.debian.org (full text, mbox, reply):

From: Giuseppe Iuculano <giuseppe@iuculano.it>

To: 508869-close@bugs.debian.org

Subject: Bug#508869: fixed in mediawiki 1:1.12.0-2lenny2

Date: Sun, 25 Jan 2009 16:17:04 +0000

Source: mediawiki
Source-Version: 1:1.12.0-2lenny2

We believe that the bug you reported is fixed in the latest version of
mediawiki, which is due to be installed in the Debian FTP archive:

mediawiki-math_1.12.0-2lenny2_amd64.deb
  to pool/main/m/mediawiki/mediawiki-math_1.12.0-2lenny2_amd64.deb
mediawiki_1.12.0-2lenny2.diff.gz
  to pool/main/m/mediawiki/mediawiki_1.12.0-2lenny2.diff.gz
mediawiki_1.12.0-2lenny2.dsc
  to pool/main/m/mediawiki/mediawiki_1.12.0-2lenny2.dsc
mediawiki_1.12.0-2lenny2_all.deb
  to pool/main/m/mediawiki/mediawiki_1.12.0-2lenny2_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 508869@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Giuseppe Iuculano <giuseppe@iuculano.it> (supplier of updated mediawiki package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Sun, 18 Jan 2009 11:54:02 +0100
Source: mediawiki
Binary: mediawiki mediawiki-math
Architecture: source all amd64
Version: 1:1.12.0-2lenny2
Distribution: testing-security
Urgency: high
Maintainer: Mediawiki Maintenance Team <pkg-mediawiki-devel@lists.alioth.debian.org>
Changed-By: Giuseppe Iuculano <giuseppe@iuculano.it>
Description: 
 mediawiki  - website engine for collaborative work
 mediawiki-math - math rendering plugin for MediaWiki
Closes: 508869 508870
Changes: 
 mediawiki (1:1.12.0-2lenny2) testing-security; urgency=high
 .
   * Security update, NMU to fix fix CVE-2008-5249, CVE-2008-5250, CVE-2008-5252
   * debian/patches/CVE-2008-5249_CVE-2008-5250_CVE-2008-5252.patch:
     - Fixed output escaping for reporting of non-MediaWiki exceptions.
       Potential XSS if an extension throws one of these with user input.
     - Avoid fatal error in profileinfo.php when not configured.
     - Fixed CSRF vulnerability in Special:Import. Fixed input validation in
       transwiki import feature.
     - Add a .htaccess to deleted images directory for additional protection
       against exposure of deleted files with known SHA-1 hashes on default
       installations.
     - Fixed XSS vulnerability for Internet Explorer clients, via file uploads
       which are interpreted by IE as HTML.
     - Fixed XSS vulnerability for clients with SVG scripting, on wikis where SVG
       uploads are enabled. Firefox 1.5+ is affected.
     - Avoid streaming uploaded files to the user via index.php. This allows
       security-conscious users to serve uploaded files via a different domain,
       and thus client-side scripts executed from that domain cannot access the
       login cookies. Affects Special:Undelete, img_auth.php and thumb.php.
     - When streaming files via index.php, use the MIME type detected from the
       file extension, not from the data. This reduces the XSS attack surface.
     - Blacklist redirects via Special:Filepath. Such redirects exacerbate any
       XSS vulnerabilities involving uploads of files containing scripts.
   Closes: #508869, #508870
Checksums-Sha1: 
 512bf6e8fca53d500bf05830f63f56c8d294f50c 1256 mediawiki_1.12.0-2lenny2.dsc
 e88ac10275b63597d0f458d410bacebfb4e4011c 44723 mediawiki_1.12.0-2lenny2.diff.gz
 001451c718bd81e0919f22629cb576c070cc84a7 7221734 mediawiki_1.12.0-2lenny2_all.deb
 1b548cb4268b1a40a6450d9eb2872a693defbd97 156542 mediawiki-math_1.12.0-2lenny2_amd64.deb
Checksums-Sha256: 
 ebbb4e60c1a3e9a654497e8d4e52ebdbac798db2bc9bd6203a5f3cd5e7db52eb 1256 mediawiki_1.12.0-2lenny2.dsc
 ead873972b16a61e4ed3bf8a3f2a91322322b8ac0215ad5e1ba79e92690c4b9a 44723 mediawiki_1.12.0-2lenny2.diff.gz
 af01d0399306308938d8d3b02bc193d4544e56f92db5f60dec11b51c472a3211 7221734 mediawiki_1.12.0-2lenny2_all.deb
 6b833ad770dae6f5bd05fcfd3ad36d6aa721decae8b09a6a26fb4d42d07d305e 156542 mediawiki-math_1.12.0-2lenny2_amd64.deb
Files: 
 591bf4d91a70412b0d39eec68db0d54b 1256 web optional mediawiki_1.12.0-2lenny2.dsc
 e6458248327c0bba19c8424eae912d13 44723 web optional mediawiki_1.12.0-2lenny2.diff.gz
 b0870767c2a8e11928f1064eb17bef43 7221734 web optional mediawiki_1.12.0-2lenny2_all.deb
 6cbeb87e190429648e95cadb0fcc0b40 156542 web optional mediawiki-math_1.12.0-2lenny2_amd64.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iEYEARECAAYFAkl8UzwACgkQHYflSXNkfP/dKwCdHTXstaOGpEedqa836BfUxKFS
vFYAni3GafeEy8gPtsa/adkMir9yaKu1
=O3Hj
-----END PGP SIGNATURE-----

Send a report that this bug log contains spam.