[Pkg-mediawiki-devel] Bug#702305: mediawiki: API action 'unblock' returns a full user object

Jonathan Wiltshire jmw at debian.org
Mon Mar 4 22:37:41 UTC 2013

Package: mediawiki
Version: 1:1.19.3-2
Severity: grave
Tags: security upstream fixed-upstream
Justification: security; information disclosure including password hashes
Forwarded: https://bugzilla.wikimedia.org/show_bug.cgi?id=43518

The unblock API discloses full user details to anyone who has the right
to use it. This includes hashed passwords, amongst other things.

The problem is apparently introduced in r83855 and at this stage, I do not
believe it affects stable, though I would not be confident enough to be sure.

sid/wheezy are easily fixed with the new upstream, which I am preparing.

-- System Information:
Debian Release: 7.0
  APT prefers testing
  APT policy: (990, 'testing'), (500, 'unstable'), (500, 'stable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 3.2.0-4-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_GB.utf8, LC_CTYPE=en_GB.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages mediawiki depends on:
ii  apache2                      2.2.22-12
ii  apache2-mpm-prefork [httpd]  2.2.22-12
ii  debconf [debconf-2.0]        1.5.49
pn  libjs-jquery                 <none>
ii  libjs-jquery-cookie          6-1
ii  libjs-jquery-form            6-1
ii  libjs-jquery-tipsy           6-1
ii  mime-support                 3.52-1
ii  php5                         5.4.4-13
ii  php5-mysql                   5.4.4-13
ii  php5-pgsql                   5.4.4-13

Versions of packages mediawiki recommends:
ii  mediawiki-extensions-base  2.11
ii  mysql-server               5.5.28+dfsg-1
ii  php-wikidiff2              0.0.1+svn109581-1
ii  php5-cli                   5.4.4-13
ii  python                     2.7.3-4

Versions of packages mediawiki suggests:
ii  clamav          0.97.6+dfsg-1
ii  imagemagick     8:
pn  mediawiki-math  <none>
pn  memcached       <none>
ii  php5-gd         5.4.4-13

-- Configuration Files:
/etc/mediawiki/apache.conf changed [not included]

-- debconf information excluded
