[Pkg-mediawiki-commits] r278 - in mediawiki/lenny/debian: . patches

Jonathan Wiltshire jmw at alioth.debian.org
Sat Dec 17 23:33:56 UTC 2011


Author: jmw
Date: 2011-12-17 23:33:56 +0000 (Sat, 17 Dec 2011)
New Revision: 278

Added:
   mediawiki/lenny/debian/patches/CVE-2011-1578.patch
Modified:
   mediawiki/lenny/debian/changelog
   mediawiki/lenny/debian/patches/series
Log:
CVE-2011-1578 - XSS for IE <= 6

Modified: mediawiki/lenny/debian/changelog
===================================================================
--- mediawiki/lenny/debian/changelog	2011-12-17 23:23:51 UTC (rev 277)
+++ mediawiki/lenny/debian/changelog	2011-12-17 23:33:56 UTC (rev 278)
@@ -5,8 +5,9 @@
     bypassing different page ids to index.php
     CVE-2011-4361 - action=ajax requests were dispatched to the
     relevant function without any read permission checks being done
+    CVE-2011-1578 - XSS for IE <= 6
 
- -- Jonathan Wiltshire <jmw at debian.org>  Thu, 01 Dec 2011 12:37:28 +0000
+ -- Jonathan Wiltshire <jmw at debian.org>  Sat, 17 Dec 2011 23:32:21 +0000
 
 mediawiki (1:1.12.0-2lenny8) oldstable; urgency=high
 

Added: mediawiki/lenny/debian/patches/CVE-2011-1578.patch
===================================================================
--- mediawiki/lenny/debian/patches/CVE-2011-1578.patch	                        (rev 0)
+++ mediawiki/lenny/debian/patches/CVE-2011-1578.patch	2011-12-17 23:33:56 UTC (rev 278)
@@ -0,0 +1,134 @@
+Description: cross-site scripting problem in IE <= 6 clients
+ Due to the diversity of uploaded files that we allow, MediaWiki does
+ not guarantee that uploaded files will be safe if they are interpreted
+ by the client as some arbitrary file type, such as HTML. We rely on
+ the web server to send the correct Content-Type header, and we rely on
+ the web browser to respect it. This XSS issue arises due to IE 6
+ looking for a file extension in the query string of the URL (i.e.
+ after the "?"), if no extension is found in path part of the URL.
+ Masato Kinugawa discovered that the file extension in the path part
+ can be hidden from IE 6 by substituting the "." with "%2E".
+Origin: upstream,r85844/r85849
+Bug: https://bugzilla.wikimedia.org/show_bug.cgi?id=28235
+Last-Update: 2011-12-17
+
+--- /dev/null
++++ mediawiki-1.15.5/images/.htaccess
+@@ -0,0 +1,6 @@
++# Protect against bug 28235
++<IfModule rewrite_module>
++	RewriteEngine On
++	RewriteCond %{QUERY_STRING} \.[a-z]{1,4}$ [nocase]
++	RewriteRule . - [forbidden]
++</IfModule>
+--- mediawiki-1.15.5.orig/img_auth.php
++++ mediawiki-1.15.5/img_auth.php
+@@ -25,6 +25,13 @@
+ 	wfPublicError();
+ }
+ 
++// Check for bug 28235: QUERY_STRING overriding the correct extension
++if ( isset( $_SERVER['QUERY_STRING'] )
++	&& preg_match( '/\.[a-z]{1,4}$/i', $_SERVER['QUERY_STRING'] ) )
++{
++	wfForbidden();
++}
++
+ // Extract path and image information
+ if( !isset( $_SERVER['PATH_INFO'] ) ) {
+ 	wfDebugLog( 'img_auth', 'Missing PATH_INFO' );
+--- mediawiki-1.15.5.orig/includes/RawPage.php
++++ mediawiki-1.15.5/includes/RawPage.php
+@@ -109,7 +109,7 @@
+ 	}
+ 
+ 	function view() {
+-		global $wgOut, $wgScript;
++		global $wgOut, $wgScript, $wgRequest;
+ 
+ 		if( isset( $_SERVER['SCRIPT_URL'] ) ) {
+ 			# Normally we use PHP_SELF to get the URL to the script
+@@ -136,7 +136,7 @@
+ 			return;
+ 		}
+ 
+-		if( strcmp( $wgScript, $url ) ) {
++		if( $wgRequest->isPathInfoBad() ) {
+ 			# Internet Explorer will ignore the Content-Type header if it
+ 			# thinks it sees a file extension it recognizes. Make sure that
+ 			# all raw requests are done through the script node, which will
+@@ -150,6 +150,7 @@
+ 			#
+ 			# Just return a 403 Forbidden and get it over with.
+ 			wfHttpError( 403, 'Forbidden',
++				'Invalid file extension found in PATH_INFO or QUERY_STRING. ' .
+ 				'Raw pages must be accessed through the primary script entry point.' );
+ 			return;
+ 		}
+--- mediawiki-1.15.5.orig/includes/WebRequest.php
++++ mediawiki-1.15.5/includes/WebRequest.php
+@@ -662,6 +662,50 @@
+ 	function setSessionData( $key, $data ) {
+ 		$_SESSION[$key] = $data;
+ 	}
++
++	/**
++	 * Returns true if the PATH_INFO ends with an extension other than a script
++	 * extension. This could confuse IE for scripts that send arbitrary data which
++	 * is not HTML but may be detected as such.
++	 *
++	 * Various past attempts to use the URL to make this check have generally
++	 * run up against the fact that CGI does not provide a standard method to
++	 * determine the URL. PATH_INFO may be mangled (e.g. if cgi.fix_pathinfo=0),
++	 * but only by prefixing it with the script name and maybe some other stuff,
++	 * the extension is not mangled. So this should be a reasonably portable
++	 * way to perform this security check.
++	 *
++	 * Also checks for anything that looks like a file extension at the end of
++	 * QUERY_STRING, since IE 6 and earlier will use this to get the file type
++	 * if there was no dot before the question mark (bug 28235).
++	 */
++	public function isPathInfoBad() {
++		global $wgScriptExtension;
++
++		if ( isset( $_SERVER['QUERY_STRING'] )
++			&& preg_match( '/\.[a-z]{1,4}$/i', $_SERVER['QUERY_STRING'] ) )
++		{
++			// Bug 28235
++			// Block only Internet Explorer, and requests with missing UA
++			// headers that could be IE users behind a privacy proxy.
++			if ( !isset( $_SERVER['HTTP_USER_AGENT'] )
++				|| preg_match( '/; *MSIE/', $_SERVER['HTTP_USER_AGENT'] ) )
++			{
++				return true;
++			}
++		}
++
++		if ( !isset( $_SERVER['PATH_INFO'] ) ) {
++			return false;
++		}
++		$pi = $_SERVER['PATH_INFO'];
++		$dotPos = strrpos( $pi, '.' );
++		if ( $dotPos === false ) {
++			return false;
++		}
++		$ext = substr( $pi, $dotPos );
++		return !in_array( $ext, array( $wgScriptExtension, '.php', '.php5' ) );
++	}
+ }
+ 
+ /**
+--- mediawiki-1.15.5.orig/api.php
++++ mediawiki-1.15.5/api.php
+@@ -56,9 +56,9 @@
+ } else {
+ 	$url = $_SERVER['PHP_SELF'];
+ }
+-if( strcmp( "$wgScriptPath/api$wgScriptExtension", $url ) ) {
++if ( $wgRequest->isPathInfoBad() ) {
+ 	wfHttpError( 403, 'Forbidden',
+-		'API must be accessed through the primary script entry point.' );
++		'Invalid file extension found in PATH_INFO or QUERY_STRING.' );
+ 	return;
+ }
+ 
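Review bot: The new `images/.htaccess` rule appears to be the only mitigation for uploads that Apache serves directly, yet it is wrapped in `<IfModule rewrite_module>` and lives in a per-directory file, so it silently does nothing when mod_rewrite is not loaded or `AllowOverride` does not grant `FileInfo` for the images directory; neither the patch header nor the changelog entry records that dependency. The PHP-side checks in img_auth.php and WebRequest::isPathInfoBad() only cover requests that reach MediaWiki, so a deployment without that Apache configuration is still exposed to the query-string extension problem described in the patch header. I would state the requirement in the `.htaccess` itself, e.g. `# Requires mod_rewrite and AllowOverride FileInfo; without them this rule is inert and bug 28235 is not mitigated for directly-served uploads`, and mention it in the changelog or README.Debian. Separately, img_auth.php re-implements the QUERY_STRING regex instead of calling isPathInfoBad(), presumably because the image path (and hence a legitimate file extension) comes from PATH_INFO there and the shared method would reject it; a one-line comment saying so, e.g. `// Not isPathInfoBad(): PATH_INFO legitimately carries the image extension here`, would keep a later maintainer from "deduplicating" it.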

Modified: mediawiki/lenny/debian/patches/series
===================================================================
--- mediawiki/lenny/debian/patches/series	2011-12-17 23:23:51 UTC (rev 277)
+++ mediawiki/lenny/debian/patches/series	2011-12-17 23:33:56 UTC (rev 278)
@@ -13,5 +13,6 @@
 1.15.5-profileinfo-security.patch
 CVE-2011-0003.patch
 CVE-2011-0047.patch
+CVE-2011-1578.patch
 CVE-2011-4360.patch
 CVE-2011-4361.patch



