Fedora 9 : mediawiki-1.13.3-42.fc9 (2008-11802)

medium Nessus Plugin ID 35267

Synopsis

The remote Fedora host is missing a security update.

Description

This is a security release of MediaWiki 1.13.3. Some of the security issues affect *all* versions of MediaWiki except the versions released on Dec. 15th, so all site administrators are encouraged to upgrade.
CVEs assigned to the mentioned MediaWiki update: CVE-2008-5249 Cross-site scripting (XSS) vulnerability in MediaWiki 1.13.0 through 1.13.2 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. CVE-2008-5250 Cross-site scripting (XSS) vulnerability in MediaWiki before 1.6.11, 1.12.x before 1.12.2, and 1.13.x before 1.13.3, when Internet Explorer is used and uploads are enabled, or an SVG scripting browser is used and SVG uploads are enabled, allows remote authenticated users to inject arbitrary web script or HTML by editing a wiki page. CVE-2008-5252 Cross-site request forgery (CSRF) vulnerability in the Special:Import feature in MediaWiki 1.3.0 through 1.6.10, 1.12.x before 1.12.2, and 1.13.x before 1.13.3 allows remote attackers to perform unspecified actions as authenticated users via unknown vectors. As well as other two issue mentioned in the upstream announcement, treated as security enhancement rather than vulnerability fixes by upstream: CVE-2008-5687 MediaWiki 1.11 through 1.13.3 does not properly protect against the download of backups of deleted images, which might allow remote attackers to obtain sensitive information via requests for files in images/deleted/. CVE-2008-5688 MediaWiki 1.8.1 through 1.13.3, when the wgShowExceptionDetails variable is enabled, sometimes provides the full installation path in a debugging message, which might allow remote attackers to obtain sensitive information via unspecified requests that trigger an uncaught exception.

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Solution

Update the affected mediawiki package.

See Also

https://bugzilla.redhat.com/show_bug.cgi?id=476621

http://www.nessus.org/u?baf0e4c6

Plugin Details

Severity: Medium

ID: 35267

File Name: fedora_2008-11802.nasl

Version: 1.17

Type: local

Agent: unix

Published: 12/26/2008

Updated: 1/11/2021

Supported Sensors: Agentless Assessment, Continuous Assessment, Frictionless Assessment Agent, Nessus Agent, Nessus

Risk Information

VPR

Risk Factor: Low

Score: 3.7

CVSS v2

Risk Factor: Medium

Base Score: 5.8

Temporal Score: 4.3

Vector: CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:P

Vulnerability Information

CPE: p-cpe:/a:fedoraproject:fedora:mediawiki, cpe:/o:fedoraproject:fedora:9

Required KB Items: Host/local_checks_enabled, Host/RedHat/release, Host/RedHat/rpm-list

Exploit Ease: No known exploits are available

Patch Publication Date: 12/24/2008

Reference Information

CVE: CVE-2008-5249, CVE-2008-5250, CVE-2008-5252, CVE-2008-5687, CVE-2008-5688

BID: 32844

CWE: 200, 264, 352, 79

FEDORA: 2008-11802