On 18 Dec 2014, at 06:44, Brian Wolff bawo...@gmail.com wrote:
== Security fixes in 1.24.1, 1.23.8, 1.22.15 and 1.19.23 ==
* (bug T76686) [SECURITY] thumb.php outputs wikitext message as raw HTML, which could lead to XSS. Permission to edit MediaWiki namespace is required to exploit this.
Not entirely. Unlike the copyright message, the message used on thumb.php (badtitletext) is not a raw HTML message. It is meant to be parsed and displayed regularly. And always was. Except it was re-used for thumb.php, and parsing it there was forgotten. I won't go into details, but it's
On 18 Dec 2014, at 09:01, Brian Wolff bawo...@gmail.com wrote:
I don't disagree that it's a bug, but in order to exploit it, a user would have to:
* Convince the user to go to a rather obscure thumb.php page
* Already have the ability to add JavaScript to any page on the wiki
In which case, why wouldn't evil
Hello everyone,
I would like to announce the release of MediaWiki 1.24.1, 1.23.8, 1.22.15 and 1.19.23. This is a regular security and maintenance release. Download links are given at the end of this email. Please note this release marks the end of lifetime for the MediaWiki 1.22 branch.
== Security fixes in 1.24.1, 1.23.8, 1.22.15 and 1.19.23 ==
* (bug T76686) [SECURITY] thumb.php outputs wikitext message as raw HTML, which could lead to XSS. Permission to edit MediaWiki namespace is required to exploit this.
Really? That's stretching the definition of a security bug.
On Thu, 18 Dec 2014 07:44:59 +0100, Brian Wolff bawo...@gmail.com wrote:
== Security fixes in 1.24.1, 1.23.8, 1.22.15 and 1.19.23 ==
* (bug T76686) [SECURITY] thumb.php outputs wikitext message as raw HTML, which could lead to XSS. Permission to edit MediaWiki namespace is required to exploit this.