[Pkg-mediawiki-devel] [MediaWiki-announce] Multiple security vulnerabilties in MediaWiki extensions
Tim Starling
tstarling at wikimedia.org
Sat Jun 14 10:37:45 UTC 2008
The following extensions had cross-site scripting (XSS) vulnerabilities:
* geo
* MetavidWiki
* wikihiero
These vulnerabilities are exploitable even if the extensions are
disabled. If you have any of these extensions installed, please update
them immediately.
Many shared hosting services have the php.ini setting "register_globals"
enabled, despite the fact that it is known to be detrimental to security.
A new automated vulnerability scanner has found a large number of
security vulnerabilities in MediaWiki extensions, when register_globals
is enabled. Unless you are sure you have register_globals disabled, the
following extensions should be immediately updated:
Cross-site scripting vulnerabilities:
* Call
* ChangeAuthor
* EditOwn
* SignDocument
* TemplateLink
* WatchSubpages
* WhoIsWatching
* php/ext/MediaWiki
Arbitrary script inclusion vulnerabilities:
* CategoryIntersection
* Makebot
* PasswordReset
* regexBlock
* SemanticCalendar
* SemanticForms
* SemanticMediaWiki
* SocialProfile
* SpamRegex
* StalePages
* TodoTasks
* WhiteList
* Wikidata
All these extensions are vulnerable regardless of whether they are
enabled in LocalSettings.php. They only need to be installed, with their
installation directory accessible from the public internet.
Downloads in .tar.gz form for all these MediaWiki extensions are
available from:
http://www.mediawiki.org/wiki/Special:ExtensionDistributor
Or using a subversion client from:
http://svn.wikimedia.org/svnroot/mediawiki/trunk/extensions
-- Tim Starling
_______________________________________________
MediaWiki-announce mailing list
MediaWiki-announce at lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/mediawiki-announce
More information about the Pkg-mediawiki-devel
mailing list