On Tue, Mar 31, 2015 at 6:20 PM, Chris Steipp <cste...@wikimedia.org> wrote:
> I would like to announce the release of MediaWiki 1.24.2, 1.23.9 and
> 1.19.24. These releases fix 10 security issues, in addition to other bug
> fixes. Download links are given at the end of this email.
>
>
> == Security fixes ==
>
> * iSEC Partners discovered a way to circumvent the SVG MIME blacklist for
> embedded resources (iSEC-WMF1214-11). This allowed an attacker to embed
> JavaScript in the SVG. The issue was additionally identified by Mario
> Heiderich / Cure53. MIME types are now whitelisted.
> <https://phabricator.wikimedia.org/T85850>
>
> * MediaWiki user Bawolff pointed out that the SVG filter to prevent
> injecting JavaScript using animate elements was incorrect.
> <https://phabricator.wikimedia.org/T86711>
>
> * MediaWiki user Bawolff reported a stored XSS vulnerability due to the way
> attributes were expanded in MediaWiki's Html class, in combination with
> LanguageConverter substitutions.
> <https://phabricator.wikimedia.org/T73394>
>
> * Internal review discovered that MediaWiki's SVG filtering could be
> bypassed with entity encoding under the Zend interpreter. This could be
> used to inject JavaScript. This issue was also discovered by Mario Gomes
> from Beyond Security.
> <https://phabricator.wikimedia.org/T88310>
>
> * iSEC Partners discovered an XSS vulnerability in the way API errors were
> reflected when running under HHVM versions before 3.6.1 (iSEC-WMF1214-8).
> MediaWiki now detects and mitigates this issue on older versions of HHVM.
> <https://phabricator.wikimedia.org/T85851>
>
> * Internal review and iSEC Partners discovered (iSEC-WMF1214-1) that
> MediaWiki versions using PBKDF2 for password hashing (the default since
> 1.24) are vulnerable to DoS attacks using extremely long passwords.
> <https://phabricator.wikimedia.org/T64685>
>
> * iSEC Partners discovered that MediaWiki's SVG and XMP parsing, running
> under HHVM, was susceptible to "Billion Laughs" DoS attacks
> (iSEC-WMF1214-13).
> <https://phabricator.wikimedia.org/T85848>
>
> * Internal review found that MediaWiki is vulnerable to "Quadratic Blowup"
> DoS attacks, under both HHVM and Zend PHP.
> <https://phabricator.wikimedia.org/T71210>
>
> * iSEC Partners discovered a way to bypass the style filtering for SVG
> files (iSEC-WMF1214-3). This could violate the anonymity of users viewing
> the SVG.
> <https://phabricator.wikimedia.org/T85349>
>
> * iSEC Partners reported that the MediaWiki feature allowing a user to
> preview another user's custom JavaScript could be abused for privilege
> escalation (iSEC-WMF1214-10). This feature has been removed.
> <https://phabricator.wikimedia.org/T85855>
>
>
> Additionally, the following extensions have been updated to fix security
> issues:
>
> * Extension:Scribunto - MediaWiki user Jackmcbarn discovered that function
> names were not sanitized in Lua error backtraces, which could lead to XSS.
> <https://phabricator.wikimedia.org/T85113>
>
> * Extension:CheckUser - iSEC Partners discovered that the CheckUser
> extension did not prevent CSRF attacks on the form allowing checkusers to
> look up sensitive information about other users (iSEC-WMF1214-6). Since the
> use of CheckUser is logged, the CSRF could be abused to defame a trusted
> user or flood the logs with noise.
> <https://phabricator.wikimedia.org/T85858>
>
[..]

Sounds like MediaWiki came through the security audit better than I
expected. The most serious issue they found seems to be the js preview
one (imho. I'm assuming you can't really do much with the svg exploits
beyond phishing since they live in upload.wikimedia.org and only have
access to the geoip cookies). So congratulations all!

--bawolff

_______________________________________________
Wikitech-l mailing list
Wikitech-l@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/wikitech-l
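The "Billion Laughs" and "Quadratic Blowup" items above are both entity-expansion attacks on the XML parser behind SVG and XMP handling. The check below is an added, stand-alone illustration (Python, not MediaWiki's own PHP filter) of what a defender wants in front of the real parser: read only the DTD, refuse external, parameter and recursive entities, and bound the bytes that expansion could produce by arithmetic on the declarations, so nothing is ever expanded before the decision. The byte budget, the helper names and the sample documents are all constructed for the example.

```python
import re
import xml.parsers.expat as expat

# Constructed default budget; tune it to the largest legitimate upload you accept.
DEFAULT_MAX_EXPANDED_BYTES = 1_000_000

# General entity references such as &e9; (character references &#...; are excluded).
_REF_RE = re.compile(r"&([^#\s;&]+);")


class UnsafeXml(Exception):
    """The DTD could expand beyond the budget, or uses entity kinds we refuse."""


class _StopAfterDoctype(Exception):
    """Internal: abort expat once the DTD is read, before any entity is expanded."""


def declared_entities(data):
    """Return {name: literal value} for internal general entities in the DOCTYPE.
    Parsing stops at the end of the DOCTYPE, so no body reference is expanded here.
    Malformed XML raises expat.ExpatError to the caller."""
    entities = {}
    parser = expat.ParserCreate()

    def on_entity(name, is_parameter, value, base, system_id, public_id, notation):
        # External entities (value is None) and parameter entities add XXE/DTD tricks.
        if value is None or is_parameter:
            raise UnsafeXml("external or parameter entity %r not allowed" % name)
        entities[name] = value

    def on_end_doctype():
        raise _StopAfterDoctype()

    parser.EntityDeclHandler = on_entity
    parser.EndDoctypeDeclHandler = on_end_doctype
    try:
        parser.Parse(data, True)
    except _StopAfterDoctype:
        pass
    return entities


def expanded_sizes(entities):
    """Bytes each entity yields when fully expanded, computed from the declarations
    (nested references are counted arithmetically, never materialised)."""
    sizes = {}

    def size_of(name, stack):
        if name in sizes:
            return sizes[name]
        if name in stack:
            raise UnsafeXml("recursive entity %r" % name)
        value = entities[name]
        total = len(value)
        for ref in _REF_RE.findall(value):
            if ref in entities:
                # "&ref;" is replaced by its expansion: drop the token, add the expansion.
                total += size_of(ref, stack | {name}) - (len(ref) + 2)
        sizes[name] = total
        return total

    for name in entities:
        size_of(name, frozenset())
    return sizes


def expansion_cost(data, max_expanded_bytes=DEFAULT_MAX_EXPANDED_BYTES):
    """Worst-case bytes produced by expanding every reference in `data`; raises
    UnsafeXml as soon as the running total passes the budget. References inside
    the DTD are counted too, which only makes the estimate more conservative."""
    entities = declared_entities(data)
    if not entities:
        return 0
    sizes = expanded_sizes(entities)
    total = 0
    for ref in _REF_RE.findall(data.decode("utf-8", "replace")):
        if ref in entities:
            total += sizes[ref]
            if total > max_expanded_bytes:
                raise UnsafeXml("expansion would exceed %d bytes" % max_expanded_bytes)
    return total


def is_safe_to_parse(data, max_expanded_bytes=DEFAULT_MAX_EXPANDED_BYTES):
    """True when the document passes the entity-expansion check."""
    try:
        expansion_cost(data, max_expanded_bytes)
        return True
    except UnsafeXml:
        return False


# Constructed sample inputs.
PLAIN_SVG = b'<svg xmlns="http://www.w3.org/2000/svg"><rect width="1" height="1"/></svg>'
# Harmless editor-style entity (26 bytes) referenced twice.
BENIGN_ENTITY_SVG = (b'<!DOCTYPE svg [<!ENTITY ns_svg "http://www.w3.org/2000/svg">]>'
                     + b'<svg xmlns="&ns_svg;"><title>&ns_svg;</title></svg>')
# Quadratic Blowup shape: one large entity referenced many times.
QUADRATIC_SVG = (b'<!DOCTYPE svg [<!ENTITY big "' + b'a' * 50_000 + b'">]>'
                 + b'<svg xmlns="http://www.w3.org/2000/svg">' + b'&big;' * 100 + b'</svg>')


def nested_chain_svg(depth=6, fanout=10):
    """Billion Laughs shape: each level references the previous one `fanout` times."""
    decls = ['<!ENTITY e0 "lol">']
    for i in range(1, depth + 1):
        decls.append('<!ENTITY e%d "%s">' % (i, ("&e%d;" % (i - 1)) * fanout))
    return ('<!DOCTYPE svg [%s]><svg xmlns="http://www.w3.org/2000/svg">&e%d;</svg>'
            % ("".join(decls), depth)).encode()


if __name__ == "__main__":
    for label, doc in [("plain", PLAIN_SVG), ("benign entity", BENIGN_ENTITY_SVG),
                       ("quadratic", QUADRATIC_SVG), ("nested chain", nested_chain_svg())]:
        print(label, "safe" if is_safe_to_parse(doc) else "REJECTED")
```

Refusing every entity declaration outright is simpler, but some drawing tools emit benign namespace entities, which is why the check measures cost instead; the budget check runs in time proportional to the number of declarations and references, not to the expanded size, so a rejected document costs almost nothing to reject.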
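The PBKDF2 item (iSEC-WMF1214-1) is a cost-amplification problem: a PBKDF2 loop that re-keys HMAC on every iteration, as a userland loop around a one-shot HMAC call does, digests the full password each round, so an extremely long password multiplies the work by the iteration count. The usual fix is to bound the input length before any hashing is spent. The code below is an added example in Python (standing in for MediaWiki's PHP; it is not the project's password code), with a constructed byte limit, iteration count and storage format.

```python
import hashlib
import hmac
import os

# Constructed limits for this example; not MediaWiki's configuration values.
MAX_PASSWORD_BYTES = 4096
ITERATIONS = 10_000
SALT_BYTES = 16


class PasswordTooLong(ValueError):
    """Raised before any hashing work is spent on an oversized password."""


def check_password_length(password):
    """Bound the input up front: with the length capped, even an implementation
    that re-hashes the key every iteration does bounded work per attempt."""
    if len(password.encode("utf-8")) > MAX_PASSWORD_BYTES:
        raise PasswordTooLong("password exceeds %d bytes" % MAX_PASSWORD_BYTES)
    return True


def accepts_length(password):
    """True if the password is within the limit (no hashing performed)."""
    try:
        return check_password_length(password)
    except PasswordTooLong:
        return False


def hash_password(password, salt=None, iterations=ITERATIONS):
    """Return 'pbkdf2:sha256:<iterations>:<salt_hex>:<hash_hex>' (constructed format)."""
    check_password_length(password)
    salt = os.urandom(SALT_BYTES) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "pbkdf2:sha256:%d:%s:%s" % (iterations, salt.hex(), digest.hex())


def verify_password(password, stored):
    """Reject over-long candidates without hashing; compare digests in constant time."""
    if not accepts_length(password):
        return False
    scheme, algo, iterations, salt_hex, hash_hex = stored.split(":")
    if scheme != "pbkdf2":
        return False
    digest = hashlib.pbkdf2_hmac(algo, password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), hash_hex)


if __name__ == "__main__":
    stored = hash_password("correct horse battery staple")
    print(stored)
    print("login ok:", verify_password("correct horse battery staple", stored))
    print("1 MiB password accepted:", accepts_length("x" * 1_048_576))
```

The limit is checked on the encoded byte length rather than the character count, since the hash sees bytes; the same check belongs on every path that reaches the hash, including login, password change and any API that verifies credentials, or the cap protects only one of them.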
