Brion Vibber | 4 Feb 2005 08:58

MediaWiki 1.3.10 released (SECURITY)


MediaWiki 1.3.10 is a security release.

In earlier 1.3.x releases an attacker could craft a URL which, when
visited by a particular logged-in user, would execute arbitrary
JavaScript code on the user's browser in the wiki's site context. This
attack has been blocked, and as an extra precaution the user CSS and
JavaScript subpage support is now disabled by default. Sites which want
this ability may set $wgAllowUserCss and $wgAllowUserJs in
LocalSettings.php.

Additional protections have been added against off-site form submissions
hijacking user credentials. Authors of bot tools may need to update
their code to include additional fields.

All wikis running 1.3.x are strongly urged to upgrade to 1.3.10.

=== Changes from 1.3.9 ===

* Logged-in edits and preview of user CSS/JS are now locked to a
session token.

* Per-user CSS and JavaScript subpage customizations are now disabled by
default. They can be re-enabled via $wgAllowUserJs and $wgAllowUserCss.

* Removed .ogg from the default uploads whitelist as an extra
precaution. If your web server is configured to serve Ogg files with the
correct Content-Type header, you can re-add it in LocalSettings.php:
  $wgFileExtensions[] = 'ogg';


Brion Vibber | 4 Feb 2005 08:58

MediaWiki 1.4beta6 released (SECURITY)


MediaWiki 1.4beta6 is a security and bug fix release for the 1.4 beta
series.

In previous 1.4beta and 1.3.x releases an attacker could craft a URL
which, when visited by a particular logged-in user, would execute
arbitrary JavaScript code on the user's browser in the wiki's site
context. This attack has been blocked, and as an extra precaution the
user CSS and JavaScript subpage support is now disabled by default.
Sites which want this ability may set $wgAllowUserCss and $wgAllowUserJs
in LocalSettings.php.

Additional protections have been added against off-site form submissions
hijacking user credentials. Authors of bot tools may need to update
their code to include additional fields.

1.3.x users not using the 1.4 beta should upgrade to 1.3.10.

Note that 1.4 beta releases prior to beta 5 include an input validation
error which could lead to execution of arbitrary PHP code on the server.
Users of older betas should upgrade immediately to the current version.

Beta 6 also introduces the use of rel="nofollow" attributes on external
links in wiki pages to reduce the effectiveness of wiki spam. This will
cause participating search engines to ignore external URL links from
wiki pages for purposes of page relevancy ranking.

The current implementation adds this attribute to _all_ external URL
links in wiki text (but not internal [[wiki links]] or interwiki links).
To disable the attribute for _all_ external links, add this line to your
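As an added illustration of the rel="nofollow" rule described in this announcement (example code written here, not MediaWiki's parser): bracketed external links receive the attribute, internal [[wiki links]] do not, and the $noFollow switch stands in for the site-wide option the message refers to (its real name is not part of this excerpt). Attribute values are escaped on output as a matter of course.

```php
<?php
// Added example, not MediaWiki's parser: a minimal link renderer applying the
// 1.4beta6 rule. Bracketed external links get rel="nofollow"; internal
// [[wiki links]] do not. $noFollow is an illustrative stand-in for the
// site-wide switch mentioned in the announcement.

function renderLinks(string $wikitext, bool $noFollow = true): string {
    $esc = function (string $s): string {
        return htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
    };

    // Internal links: [[Title]] or [[Title|label]]. Never marked nofollow,
    // since they point back into the wiki itself.
    $out = preg_replace_callback(
        '/\[\[([^\]|]+)(?:\|([^\]]+))?\]\]/',
        function (array $m) use ($esc): string {
            $title = trim($m[1]);
            $label = isset($m[2]) ? $m[2] : $title;
            $href  = '/wiki/' . rawurlencode(str_replace(' ', '_', $title));
            return '<a href="' . $esc($href) . '">' . $esc($label) . '</a>';
        },
        $wikitext
    );

    // External links: [http://host/path] or [http://host/path label].
    // These are the links search engines should not credit for ranking.
    $rel = $noFollow ? ' rel="nofollow"' : '';
    return preg_replace_callback(
        '/\[(https?:\/\/[^\s\]]+)(?:\s+([^\]]+))?\]/',
        function (array $m) use ($esc, $rel): string {
            $label = isset($m[2]) ? $m[2] : $m[1];
            return '<a class="external" href="' . $esc($m[1]) . '"' . $rel . '>'
                . $esc($label) . '</a>';
        },
        $out
    );
}

// Constructed sample wikitext mixing both link kinds.
$sample = 'See [[Main Page|the front page]], [http://example.org/ Example] '
        . 'and [http://example.net/?a=1&b=2].';
echo renderLinks($sample), "\n";        // external links carry rel="nofollow"
echo renderLinks($sample, false), "\n"; // attribute disabled site-wide
```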

Brion Vibber | 21 Feb 2005 07:38

MediaWiki 1.3.11 released [SECURITY]


MediaWiki 1.3.11 is a security release.

== Important security updates ==

A security audit found and fixed a number of problems. Users of MediaWiki
1.3.10 and earlier should upgrade to 1.3.11; users of 1.4 beta releases
should upgrade to 1.4rc1.

=== Cross-site scripting vulnerability ===

XSS injection points can be used to hijack session and authentication
cookies as well as more serious attacks.

* Media: links output raw text into an attribute value, potentially
  abusable for JavaScript injection. This has been corrected.
* Additional checks added to file upload to protect against MSIE and
  Safari MIME-type autodetection bugs.

As of 1.3.10/1.4beta6, per-user customized CSS and JavaScript is disabled
by default as a general precaution. Sites which want this ability may set
$wgAllowUserCss and $wgAllowUserJs in LocalSettings.php.

=== Cross-site request forgery ===

An attacker could use JavaScript-submitted forms to perform various
restricted actions by tricking an authenticated user into visiting
a malicious web page. A fix for page editing in 1.3.10/1.4beta6 has
been expanded in this release to other forms and functions.


Brion Vibber | 21 Feb 2005 07:38

MediaWiki 1.4rc1 released [SECURITY]


MediaWiki 1.4rc1 is a security and bug fix release for the 1.4 beta
series.

== Important security updates ==

A security audit found and fixed a number of problems. Users of MediaWiki
1.3.10 and earlier should upgrade to 1.3.11; users of 1.4 beta releases
should upgrade to 1.4rc1.

=== Cross-site scripting vulnerability ===

XSS injection points can be used to hijack session and authentication
cookies as well as more serious attacks.

* Media: links output raw text into an attribute value, potentially
  abusable for JavaScript injection. This has been corrected.
* Additional checks added to file upload to protect against MSIE and
  Safari MIME-type autodetection bugs.

As of 1.3.10/1.4beta6, per-user customized CSS and JavaScript is disabled
by default as a general precaution. Sites which want this ability may set
$wgAllowUserCss and $wgAllowUserJs in LocalSettings.php.

=== Cross-site request forgery ===

An attacker could use JavaScript-submitted forms to perform various
restricted actions by tricking an authenticated user into visiting
a malicious web page. A fix for page editing in 1.3.10/1.4beta6 has
been expanded in this release to other forms and functions.
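The session-token protection against off-site form submissions that the 1.3.10, 1.4beta6, 1.3.11 and 1.4rc1 announcements above all refer to, shown as an added example (written here, not MediaWiki's own code): a token derived from a per-session secret, keyed per action, that a form posted from another site cannot supply. The names $session, wpEditToken, issueToken and checkToken are illustrative and not the real field or function names.

```php
<?php
// Added example, not MediaWiki's own code: a session-bound token of the kind
// the announcements describe, checked on every state-changing form. A form
// submitted from another site cannot read the victim's session, so it cannot
// produce a matching token. Names ($session, wpEditToken, issueToken,
// checkToken) are illustrative; the real ones differ.

// Issue a token for one action (edit, preferences, ...), derived from a
// per-session secret that never leaves the server.
function issueToken(array &$session, string $action): string {
    if (!isset($session['csrf_secret'])) {
        $session['csrf_secret'] = bin2hex(random_bytes(32));
    }
    // Keying on the action means a token for 'edit' is not valid for 'move'.
    return hash_hmac('sha256', $action, $session['csrf_secret']);
}

// Verify the token carried in the POST body. Missing, wrong-action or
// guessed tokens all fail; the comparison is constant time.
function checkToken(array $session, array $post, string $action): bool {
    if (!isset($session['csrf_secret']) || !isset($post['wpEditToken'])) {
        return false;
    }
    $expected = hash_hmac('sha256', $action, $session['csrf_secret']);
    return hash_equals($expected, (string) $post['wpEditToken']);
}

// The hidden field a form (or a bot tool) must carry, HTML-escaped so the
// value cannot break out of the attribute.
function tokenField(array &$session, string $action): string {
    $token = htmlspecialchars(issueToken($session, $action), ENT_QUOTES, 'UTF-8');
    return '<input type="hidden" name="wpEditToken" value="' . $token . '" />';
}

// Constructed demonstration with an in-memory stand-in for $_SESSION.
$session = [];
$legit   = ['wpTextbox1' => 'text', 'wpEditToken' => issueToken($session, 'edit')];
$offsite = ['wpTextbox1' => 'text'];                        // no token at all
$reused  = ['wpEditToken' => issueToken($session, 'edit')]; // edit token sent to 'move'

printf("same-site edit:     %s\n", checkToken($session, $legit, 'edit') ? 'accepted' : 'rejected');
printf("off-site edit:      %s\n", checkToken($session, $offsite, 'edit') ? 'accepted' : 'rejected');
printf("edit token on move: %s\n", checkToken($session, $reused, 'move') ? 'accepted' : 'rejected');
echo tokenField($session, 'edit'), "\n";
```

Bot tools that post forms need to fetch the form first and echo the hidden field back, which is the "additional fields" the announcements mention.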

