headers
Tim Starling | 7 Apr 2010 03:03
Picon

MediaWiki security update: 1.15.3 and 1.16.0beta2


This is a security and bugfix release of MediaWiki 1.15.3 and MediaWiki
1.16.0beta2.

MediaWiki was found to be vulnerable to login CSRF. An attacker who
controls a user account on the target wiki can force the victim to log
in as the attacker, via a script on an external website. If the wiki is
configured to allow user scripts, say with "$wgAllowUserJs = true" in
LocalSettings.php, then the attacker can proceed to mount a
phishing-style attack against the victim to obtain their password.

Even without user scripting, this attack is a potential nuisance, and so
all public wikis should be upgraded if possible.

Our fix includes a breaking change to the API login action. Any clients
using it will need to be updated. We apologise for making such a
disruptive change in a minor release, but we feel that security is
paramount.

For more details see https://bugzilla.wikimedia.org/show_bug.cgi?id=23076

**********************************************************************
  1.15.3
**********************************************************************

Full release notes:
http://svn.wikimedia.org/svnroot/mediawiki/tags/REL1_15_3/phase3/RELEASE-NOTES

Download:
http://download.wikimedia.org/mediawiki/1.15/mediawiki-1.15.3.tar.gz
(Continue reading)

Permalink | Reply | 0 comments |
headers
Tim Starling | 7 Apr 2010 03:03
Picon

MediaWiki security update: 1.15.3 and 1.16.0beta2


This is a security and bugfix release of MediaWiki 1.15.3 and MediaWiki
1.16.0beta2.

MediaWiki was found to be vulnerable to login CSRF. An attacker who
controls a user account on the target wiki can force the victim to log
in as the attacker, via a script on an external website. If the wiki is
configured to allow user scripts, say with "$wgAllowUserJs = true" in
LocalSettings.php, then the attacker can proceed to mount a
phishing-style attack against the victim to obtain their password.

Even without user scripting, this attack is a potential nuisance, and so
all public wikis should be upgraded if possible.

Our fix includes a breaking change to the API login action. Any clients
using it will need to be updated. We apologise for making such a
disruptive change in a minor release, but we feel that security is
paramount.

For more details see https://bugzilla.wikimedia.org/show_bug.cgi?id=23076

**********************************************************************
  1.15.3
**********************************************************************

Full release notes:
http://svn.wikimedia.org/svnroot/mediawiki/tags/REL1_15_3/phase3/RELEASE-NOTES

Download:
http://download.wikimedia.org/mediawiki/1.15/mediawiki-1.15.3.tar.gz
(Continue reading)

Permalink | Reply | 0 comments |

Gmane