SB2017040706 - Arch Linux update for mediawiki
Published: April 7, 2017 Updated: May 3, 2017
Description
This security bulletin contains information about 11 security vulnerabilities.
1) Information disclosure (CVE-ID: CVE-2017-0361)
The vulnerability allows a local authenticated user to execute arbitrary code.
MediaWiki before 1.28.1 / 1.27.2 / 1.23.16 contains an information disclosure flaw where api.log might contain passwords in plaintext.
2) Cross-site request forgery (CVE-ID: CVE-2017-0362)
The vulnerability allows a remote attacker to perform cross-site request forgery attacks.
The vulnerability exists due to insufficient validation of the HTTP request origin. A remote attacker can trick the victim into visiting a specially crafted web page and perform arbitrary actions on behalf of the victim on the vulnerable website.
3) Open redirect (CVE-ID: CVE-2017-0363)
The vulnerability allows a remote non-authenticated attacker to read and manipulate data.
MediaWiki before 1.28.1 / 1.27.2 / 1.23.16 has a flaw where Special:UserLogin?returnto=interwiki:foo will redirect to external sites.
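For the Special:UserLogin?returnto=interwiki:foo redirect described above, the following added example (not from the bulletin or from MediaWiki) scans web server access logs for login requests whose returnto value begins with an interwiki prefix. The prefix set, the combined log format and the sample log lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Assumption: interwiki prefixes configured on this wiki (site-specific; constructed here).
INTERWIKI_PREFIXES = {"wikipedia", "commons", "meta"}

# Request part of a combined-format access log line: "GET /path?query HTTP/1.1"
REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')

def interwiki_returnto(url, prefixes=INTERWIKI_PREFIXES):
    """Return the returnto value if url is a Special:UserLogin request whose
    returnto parameter starts with a known interwiki prefix, else None."""
    parts = urlsplit(url)
    query = parse_qs(parts.query)  # percent-decodes names and values
    # The page title is either the last path segment (/wiki/Special:UserLogin)
    # or the title parameter (/index.php?title=Special:UserLogin).
    titles = [unquote(parts.path).rsplit("/", 1)[-1]] + query.get("title", [])
    if not any(t.replace(" ", "_").lower() == "special:userlogin" for t in titles):
        return None
    for value in query.get("returnto", []):
        prefix, sep, _rest = value.lstrip(":").partition(":")
        if sep and prefix.strip().replace(" ", "_").lower() in prefixes:
            return value
    return None

def scan(lines, prefixes=INTERWIKI_PREFIXES):
    """Return a list of (line_number, returnto) for each suspicious log line."""
    hits = []
    for number, line in enumerate(lines, 1):
        match = REQUEST_RE.search(line)
        if match:
            value = interwiki_returnto(match.group(1), prefixes)
            if value is not None:
                hits.append((number, value))
    return hits

# Constructed sample log lines (not taken from a real server).
SAMPLE_LOG = [
    '198.51.100.7 - - [07/Apr/2017:10:00:01 +0000] "GET /wiki/Special:UserLogin?returnto=Main_Page HTTP/1.1" 200 5120',
    '198.51.100.7 - - [07/Apr/2017:10:00:09 +0000] "GET /index.php?title=Special:UserLogin&returnto=wikipedia%3AFoo HTTP/1.1" 200 5098',
    '203.0.113.4 - - [07/Apr/2017:10:01:30 +0000] "GET /wiki/Special:UserLogin?returnto=Talk:Main_Page HTTP/1.1" 200 5133',
    '203.0.113.4 - - [07/Apr/2017:10:02:12 +0000] "GET /wiki/Special%3AUserLogin?returnto=Commons:File:X.png HTTP/1.1" 200 5101',
]

if __name__ == "__main__":
    for number, value in scan(SAMPLE_LOG):
        print(f"line {number}: returnto={value!r}")
```

Namespace prefixes such as Talk: are not flagged because only the configured interwiki prefixes are matched, so the prefix set must mirror the wiki's own interwiki table.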
4) Open redirect (CVE-ID: CVE-2017-0364)
The vulnerability allows a remote non-authenticated attacker to read and manipulate data.
MediaWiki before 1.28.1 / 1.27.2 / 1.23.16 contains a flaw where Special:Search allows redirects to any interwiki link.
5) Cross-site scripting (CVE-ID: CVE-2017-0365)
The vulnerability allows a remote non-authenticated attacker to read and manipulate data.
MediaWiki before 1.28.1 / 1.27.2 / 1.23.16 contains an XSS vulnerability in SearchHighlighter::highlightText() with non-default configurations.
6) Input validation error (CVE-ID: CVE-2017-0366)
The vulnerability allows a remote authenticated user to read and manipulate data.
MediaWiki before 1.28.1 / 1.27.2 / 1.23.16 contains a flaw that allows the SVG filter to be evaded using default attribute values in a DTD declaration.
7) Exposure of Resource to Wrong Sphere (CVE-ID: CVE-2017-0367)
The vulnerability allows a remote authenticated user to execute arbitrary code.
MediaWiki before 1.28.1 / 1.27.2 contains an unsafe use of a temporary directory: having the LocalisationCache directory default to the system tmp directory is insecure.
8) Input validation error (CVE-ID: CVE-2017-0368)
The vulnerability allows a remote non-authenticated attacker to manipulate data.
MediaWiki before 1.28.1 / 1.27.2 / 1.23.16 contains a flaw that makes rawHTML mode apply to system messages.
9) Incorrect default permissions (CVE-ID: CVE-2017-0369)
The vulnerability allows a remote authenticated user to manipulate data.
MediaWiki before 1.28.1 / 1.27.2 / 1.23.16 contains a flaw that allows a sysop to undelete pages even though the page is protected against it.
10) Input validation error (CVE-ID: CVE-2017-0370)
The vulnerability allows a remote non-authenticated attacker to manipulate data.
MediaWiki before 1.28.1 / 1.27.2 / 1.23.16 contains a flaw where the spam blacklist is ineffective on encoded URLs inside the file inclusion syntax's link parameter.
11) Stored cross-site scripting (CVE-ID: CVE-2017-0372)
The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.
The vulnerability exists due to insufficient sanitization of user-supplied data within the SyntaxHighlight_GeSHi extension. A remote attacker can create a specially crafted page with an XSS exploit, trick the victim into visiting it, and execute arbitrary HTML and script code in the user's browser in the context of the vulnerable website.
Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change the appearance of the web page, and perform phishing and drive-by-download attacks.
Remediation
Install the update from the vendor's website.