[Secure-testing-team] Bug#702305: mediawiki: API action 'unblock' returns a full user object
Jonathan Wiltshire
jmw at debian.org
Mon Mar 4 22:37:41 UTC 2013
Package: mediawiki
Version: 1:1.19.3-2
Severity: grave
Tags: security upstream fixed-upstream
Justification: security; information disclosure including password hashes
Forwarded: https://bugzilla.wikimedia.org/show_bug.cgi?id=43518

The unblock API discloses full user details to anyone who has the right
to use it. This includes hashed passwords, amongst other things.

The problem is apparently introduced in r83855 and at this stage, I do not
believe it affects stable, though I would not be confident enough to be sure
yet.

sid/wheezy are easily fixed with the new upstream, which I am preparing.

-- System Information:
Debian Release: 7.0
APT prefers testing
APT policy: (990, 'testing'), (500, 'unstable'), (500, 'stable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Kernel: Linux 3.2.0-4-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_GB.utf8, LC_CTYPE=en_GB.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash
Versions of packages mediawiki depends on:
ii apache2 2.2.22-12
ii apache2-mpm-prefork [httpd] 2.2.22-12
ii debconf [debconf-2.0] 1.5.49
pn libjs-jquery <none>
ii libjs-jquery-cookie 6-1
ii libjs-jquery-form 6-1
ii libjs-jquery-tipsy 6-1
ii mime-support 3.52-1
ii php5 5.4.4-13
ii php5-mysql 5.4.4-13
ii php5-pgsql 5.4.4-13
Versions of packages mediawiki recommends:
ii mediawiki-extensions-base 2.11
ii mysql-server 5.5.28+dfsg-1
ii php-wikidiff2 0.0.1+svn109581-1
ii php5-cli 5.4.4-13
ii python 2.7.3-4
Versions of packages mediawiki suggests:
ii clamav 0.97.6+dfsg-1
ii imagemagick 8:6.7.7.10-5
pn mediawiki-math <none>
pn memcached <none>
ii php5-gd 5.4.4-13
-- Configuration Files:
/etc/mediawiki/apache.conf changed [not included]
-- debconf information excluded