Synopsis
An application running on the remote web server is affected by multiple vulnerabilities.
Description
According to its version number, the MediaWiki application running on the remote web server is 1.23.x prior to 1.23.14, 1.25.x prior to 1.25.6, or 1.26.x prior to 1.26.3. It is, therefore, affected by the following vulnerabilities:
- A flaw exists due to a failure to invalidate tokens from previous user sessions when starting a new session. An authenticated, remote attacker can exploit this to hijack another user's session.
- A security bypass vulnerability exists in the SpecialUserlogin.php script due to improper handling of non-canonical usernames. An unauthenticated, remote attacker can exploit this to bypass login throttling.
- A flaw exists because the regular expression (regexp) used to filter cross-domain policy markup is too narrow. An unauthenticated, remote attacker can exploit this to supply parameters within a cross-domain-policy tag and insert malicious data.
- A denial of service vulnerability exists in the wfShellExec() function in the GlobalFunctions.php script due to missing string length limits for shell invocations. An authenticated, remote attacker can exploit this, via overly large commands, to crash the server.
- A privilege escalation vulnerability exists in the RawAction.php script due to improper management of sessions when handling cached data. An authenticated, remote attacker can exploit this to log in as another user and gain elevated privileges.
- A security bypass vulnerability exists due to improper handling of specially-crafted, spoofed patrol links. An authenticated, remote attacker can exploit this to bypass restrictions and patrol arbitrary pages.
- A flaw exists in the WebStart.php script due to insufficient checks against mbstring.func_overload, which can make generated values predictable. An unauthenticated, remote attacker can exploit the predictable results to conduct a brute-force attack.
- A flaw exists when handling specially crafted requests that involve graphs. An unauthenticated, remote attacker can exploit this to disclose an edit token, allowing the attacker to then conduct a cross-site request forgery (XSRF) attack.
- A denial of service vulnerability exists in the generateDiffBody() function in the DifferenceEngine.php script that allows an authenticated, remote attacker to cause multiple diffs to be concurrently loaded, resulting in a consumption of significant resources.
- A cross-site redirection vulnerability exists due to a failure to securely use $wgExternalLinkTarget in the DefaultSettings.php script. An unauthenticated, remote attacker can exploit this, by convincing a user to follow a specially crafted link, to redirect a user to a malicious website.
- A security bypass vulnerability exists in the ApiMove::execute() function in the ApiMove.php script due to a failure to properly rate limit the 'move' API action. An unauthenticated, remote attacker can exploit this to bypass the intended rate limits on page move operations.
- An authentication security bypass vulnerability exists in the MWOldPassword.php, MWSaltedPassword.php, and Pbkdf2Password.php scripts due to improper handling of unsupported hash algorithms. An unauthenticated, remote attacker can exploit this to bypass authentication mechanisms. Note that this vulnerability only affects versions 1.25.x and 1.26.x.
- A flaw exists in the SpecialUserlogin.php script due to throttling password attempts for wiki accounts on a per-wiki basis rather than globally. An unauthenticated, remote attacker can exploit this to easily conduct brute-force attacks. Note that this vulnerability only affects versions 1.23.x and 1.25.x.
- A flaw exists in the includes/DefaultSettings.php script due to the default 'pbkdf2' password hashing parameters being weaker than intended, which results in password hashes that are less resistant to brute force. A remote attacker who obtains the hashes can exploit this, using brute-force methods, to recover the passwords.
- A cross-site scripting (XSS) vulnerability exists in the includes/upload/UploadBase.php script within the UploadBase::checkSvgScriptCallback() function, when uploading SVG files, due to a failure to validate input before returning it to the user. An unauthenticated, remote attacker can exploit this, via a specially crafted request, to execute arbitrary script code in the user's browser session.
Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.
Solution
Upgrade to MediaWiki version 1.23.14 / 1.25.6 / 1.26.3 or later.
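The check below is an added example, not code from Nessus or from the MediaWiki project. It reproduces the version-only logic this advisory describes: it maps the self-reported version onto the three affected branches and their fixed releases (1.23.14 / 1.25.6 / 1.26.3). Because nothing is probed, a backported fix would still be reported as affected, which is exactly the caveat the advisory states about relying on the version number. The siteinfo response is a constructed sample containing only the one field the check reads; the real api.php response carries many more keys. Branches the advisory does not name (for example 1.24.x or 1.27.x) are reported as "not covered", not as safe.

```python
"""Check a self-reported MediaWiki version against the fixed releases named
in this advisory.  Added example; not Nessus or MediaWiki code."""
import json
import re

# Fixed release per affected branch, taken from the advisory text.
FIXED = {
    (1, 23): (1, 23, 14),
    (1, 25): (1, 25, 6),
    (1, 26): (1, 26, 3),
}

# Accepts "1.26.2", "1.25", or "MediaWiki 1.23.13-wmf.1"; patch defaults to 0.
_VERSION_RE = re.compile(r"(\d+)\.(\d+)(?:\.(\d+))?")


def parse_version(text):
    """Return (major, minor, patch) from a version string; raise on garbage."""
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError("no MediaWiki version found in %r" % text)
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))


def check_version(text):
    """Return (affected, fixed_version_or_None).

    affected is True only when the branch is one the advisory names and the
    version is below that branch's fixed release.  A branch the advisory does
    not cover returns (False, None): unknown, not proven safe.
    """
    ver = parse_version(text)
    fixed = FIXED.get(ver[:2])
    if fixed is None:
        return (False, None)
    fixed_str = "%d.%d.%d" % fixed
    return (ver < fixed, fixed_str)   # tuple comparison is lexicographic


# Constructed sample of api.php?action=query&meta=siteinfo&siprop=general,
# reduced to the single field used here.
SAMPLE_SITEINFO = '{"query": {"general": {"generator": "MediaWiki 1.26.2"}}}'


def check_siteinfo(json_text):
    """Extract the 'generator' string from a siteinfo response and check it."""
    generator = json.loads(json_text)["query"]["general"]["generator"]
    return check_version(generator)


if __name__ == "__main__":
    for sample in ("1.23.13", "1.25.6", "MediaWiki 1.26.2", "1.27.0"):
        affected, fixed = check_version(sample)
        state = "AFFECTED" if affected else ("not covered" if fixed is None else "fixed")
        print("%-20s %-12s fixed release: %s" % (sample, state, fixed))
    print("siteinfo sample:", check_siteinfo(SAMPLE_SITEINFO))
```

In a real assessment the generator string comes from the wiki's own siteinfo endpoint or from the version shown on Special:Version; treat an "AFFECTED" result as a lead to confirm against the installed packages, since distribution backports keep the old version string.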
Plugin Details
File Name: mediawiki_1_26_3.nasl
Configuration: Enable paranoid mode, Enable thorough checks
Supported Sensors: Nessus
Enable CGI Scanning: true
Vulnerability Information
CPE: cpe:/a:mediawiki:mediawiki
Required KB Items: Settings/ParanoidReport, installed_sw/MediaWiki
Excluded KB Items: Settings/disable_cgi_scanning
Patch Publication Date: 5/20/2016
Vulnerability Publication Date: 5/18/2016