[Pkg-mediawiki-devel] Bug#406238: SA23647: mediawiki: AJAX Unspecified Cross-Site Scripting
Alex de Oliveira Silva
enerv at host.sk
Tue Jan  9 19:15:08 CET 2007

Package: mediawiki
Version: 1:1.7
Severity: important
Tags: security

I don't know if mediawiki is vulnerable with this bug.

A vulnerability has been reported in MediaWiki, which can be exploited by malicious people 
to conduct cross-site scripting attacks.

Input passed to an unspecified parameter is not properly sanitised before being returned to 
the user. This can be exploited to execute arbitrary HTML and script code in a user's browser 
session in context of an affected site.

Successful exploitation requires that $wgUseAjax is set to true, which is not its default setting.

The vulnerability is reported in the 1.6.x branch before 1.6.9, the 1.7.x branch before 1.7.2, 
and the 1.8.x branch before 1.8.3.

Solution:
Update to version 1.6.9, 1.7.2 or 1.8.3.

Thanks in advance.

-- System Information:
Debian Release: 4.0
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.18-3-486
Locale: LANG=pt_BR.UTF-8, LC_CTYPE=pt_BR.UTF-8 (charmap=UTF-8)
regards,
-- 
   .''`.  
  : :' :    Alex de Oliveira Silva | enerv
  `. `'     www.enerv.net
    `- 
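
A check an administrator could run to answer the question the report raises, using the affected branches and the `$wgUseAjax` precondition stated in the advisory text. This is an added example, not part of the original message or of MediaWiki; the function names, status labels and sample `LocalSettings.php` content are constructed for illustration, and the comment stripping is a heuristic rather than a PHP parser.

```python
import re

# Fixed release per affected branch, taken from the advisory text above.
FIXED_PATCH = {(1, 6): 9, (1, 7): 2, (1, 8): 3}

def version_status(version):
    """Classify an upstream or Debian-style version ('1:1.7.1-9') against the advisory."""
    upstream = version.split(":", 1)[-1].split("-", 1)[0]  # drop epoch and revision
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", upstream)
    if not m:
        raise ValueError(f"unrecognised version: {version!r}")
    branch = (int(m.group(1)), int(m.group(2)))
    if branch not in FIXED_PATCH:
        return "branch-not-listed"
    if m.group(3) is None:
        return "patch-level-unknown"  # e.g. '1:1.7', the report's Version field
    return "affected" if int(m.group(3)) < FIXED_PATCH[branch] else "fixed"

def ajax_enabled(local_settings):
    """Heuristic: value of the last uncommented $wgUseAjax assignment (default off)."""
    text = re.sub(r"/\*.*?\*/", "", local_settings, flags=re.S)  # block comments
    text = re.sub(r"(?m)(#|//).*$", "", text)                    # line comments
    hits = re.findall(r"\$wgUseAjax\s*=\s*(true|false|1|0)\s*;", text, flags=re.I)
    return bool(hits) and hits[-1].lower() in ("true", "1")

def assess(version, local_settings):
    """Combine both conditions the advisory names: affected release and AJAX on."""
    status = version_status(version)
    if status == "affected":
        return "exposed" if ajax_enabled(local_settings) else "affected-ajax-off"
    return status

# Constructed sample configuration (not from the report).
SAMPLE = '''<?php
# $wgUseAjax = false;
$wgSitename = "Example";
/* $wgUseAjax = false; */
$wgUseAjax = true;
'''

if __name__ == "__main__":
    for v in ("1:1.7", "1:1.7.1-9", "1.7.2", "1.6.8"):
        print(v, "->", assess(v, SAMPLE))
```

An `affected-ajax-off` result still calls for the update named in the report, since the setting can be switched on later.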
    
    