Vulnerabilities > CVE-2013-4567 - Unspecified vulnerability in Mediawiki
Attack vector
UNKNOWN Attack complexity
UNKNOWN Privileges required
UNKNOWN Confidentiality impact
UNKNOWN Integrity impact
UNKNOWN Availability impact
UNKNOWN mediawiki
nessus
Summary
Incomplete blacklist vulnerability in Sanitizer::checkCss in MediaWiki before 1.19.9, 1.20.x before 1.20.8, and 1.21.x before 1.21.3 allows remote attackers to conduct cross-site scripting (XSS) attacks via a \b (backspace) character in CSS.
Vulnerable Configurations
Nessus
NASL family Mandriva Local Security Checks NASL id MANDRIVA_MDVSA-2013-290.NASL description Updated mediawiki packages fix security vulnerabilities : Kevin Israel (Wikipedia user PleaseStand) identified and reported two vectors for injecting JavaScript in CSS that bypassed MediaWiki last seen 2020-06-01 modified 2020-06-02 plugin id 71510 published 2013-12-18 reporter This script is Copyright (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/71510 title Mandriva Linux Security Advisory : mediawiki (MDVSA-2013:290) code #%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Mandriva Linux Security Advisory MDVSA-2013:290. # The text itself is copyright (C) Mandriva S.A. # include("compat.inc"); if (description) { script_id(71510); script_version("1.6"); script_cvs_date("Date: 2019/08/02 13:32:55"); script_cve_id("CVE-2013-4567", "CVE-2013-4568", "CVE-2013-4572"); script_bugtraq_id(63757, 63760, 63761); script_xref(name:"MDVSA", value:"2013:290"); script_name(english:"Mandriva Linux Security Advisory : mediawiki (MDVSA-2013:290)"); script_summary(english:"Checks rpm output for the updated packages"); script_set_attribute( attribute:"synopsis", value: "The remote Mandriva Linux host is missing one or more security updates." ); script_set_attribute( attribute:"description", value: "Updated mediawiki packages fix security vulnerabilities : Kevin Israel (Wikipedia user PleaseStand) identified and reported two vectors for injecting JavaScript in CSS that bypassed MediaWiki's blacklist (CVE-2013-4567, CVE-2013-4568). Internal review while debugging a site issue discovered that MediaWiki and the CentralNotice extension were incorrectly setting cache headers when a user was autocreated, causing the user's session cookies to be cached, and returned to other users (CVE-2013-4572)." ); script_set_attribute( attribute:"see_also", value:"http://advisories.mageia.org/MGASA-2013-0368.html" ); script_set_attribute(attribute:"solution", value:"Update the affected packages."); script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N"); script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available"); script_set_attribute(attribute:"exploit_available", value:"false"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:mediawiki"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:mediawiki-mysql"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:mediawiki-pgsql"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:mediawiki-sqlite"); script_set_attribute(attribute:"cpe", value:"cpe:/o:mandriva:business_server:1"); script_set_attribute(attribute:"patch_publication_date", value:"2013/12/17"); script_set_attribute(attribute:"plugin_publication_date", value:"2013/12/18"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"Mandriva Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/Mandrake/release", "Host/Mandrake/rpm-list"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); if (!get_kb_item("Host/Mandrake/release")) audit(AUDIT_OS_NOT, "Mandriva / Mandake Linux"); if (!get_kb_item("Host/Mandrake/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if (cpu !~ "^(amd64|i[3-6]86|x86_64)$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Mandriva / Mandrake Linux", cpu); flag = 0; if (rpm_check(release:"MDK-MBS1", reference:"mediawiki-1.20.8-1.mbs1")) flag++; if (rpm_check(release:"MDK-MBS1", reference:"mediawiki-mysql-1.20.8-1.mbs1")) flag++; if (rpm_check(release:"MDK-MBS1", reference:"mediawiki-pgsql-1.20.8-1.mbs1")) flag++; if (rpm_check(release:"MDK-MBS1", reference:"mediawiki-sqlite-1.20.8-1.mbs1")) flag++; if (flag) { if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get()); else security_warning(0); exit(0); } else audit(AUDIT_HOST_NOT, "affected");NASL family Fedora Local Security Checks NASL id FEDORA_2013-21856.NASL description - Kevin Israel (Wikipedia user PleaseStand) identified and reported two vectors for injecting JavaScript in CSS that bypassed MediaWiki last seen 2020-03-17 modified 2013-12-02 plugin id 71149 published 2013-12-02 reporter This script is Copyright (C) 2013-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/71149 title Fedora 19 : mediawiki-1.21.3-1.fc19 (2013-21856) code #%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Fedora Security Advisory 2013-21856. # include("compat.inc"); if (description) { script_id(71149); script_version("1.10"); script_set_attribute(attribute:"plugin_modification_date", value:"2020/03/12"); script_cve_id("CVE-2012-5394", "CVE-2013-4567", "CVE-2013-4568", "CVE-2013-4569", "CVE-2013-4572"); script_bugtraq_id(63757, 63760, 63761); script_xref(name:"FEDORA", value:"2013-21856"); script_name(english:"Fedora 19 : mediawiki-1.21.3-1.fc19 (2013-21856)"); script_summary(english:"Checks rpm output for the updated package."); script_set_attribute( attribute:"synopsis", value:"The remote Fedora host is missing a security update." ); script_set_attribute( attribute:"description", value: " - Kevin Israel (Wikipedia user PleaseStand) identified and reported two vectors for injecting JavaScript in CSS that bypassed MediaWiki's blacklist (CVE-2013-4567, CVE-2013-4568). <https://bugzilla.wikimedia.org/show_bug.cgi?id=55332> - Internal review while debugging a site issue discovered that MediaWiki and the CentralNotice extension were incorrectly setting cache headers when a user was autocreated, causing the user's session cookies to be cached, and returned to other users (CVE-2013-4572). <https://bugzilla.wikimedia.org/show_bug.cgi?id=53032> Additionally, the following extensions have been updated to fix security issues : - CleanChanges: MediaWiki steward Teles reported that revision-deleted IP's are not correctly hidden when this extension is used (CVE-2013-4569). <https://bugzilla.wikimedia.org/show_bug.cgi?id=54294> - ZeroRatedMobileAccess: Tomasz Chlebowski reported an XSS vulnerability (CVE-2013-4573). <https://bugzilla.wikimedia.org/show_bug.cgi?id=55991> - CentralAuth: MediaWiki developer Platonides reported a login CSRF in CentralAuth (CVE-2012-5394). <https://bugzilla.wikimedia.org/show_bug.cgi?id=40747> Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues." ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.redhat.com/show_bug.cgi?id=1030987" ); # https://bugzilla.wikimedia.org/show_bug.cgi?id=40747 script_set_attribute( attribute:"see_also", value:"https://phabricator.wikimedia.org/T42747" ); # https://bugzilla.wikimedia.org/show_bug.cgi?id=53032 script_set_attribute( attribute:"see_also", value:"https://phabricator.wikimedia.org/T55032" ); # https://bugzilla.wikimedia.org/show_bug.cgi?id=54294 script_set_attribute( attribute:"see_also", value:"https://phabricator.wikimedia.org/T56294" ); # https://bugzilla.wikimedia.org/show_bug.cgi?id=55332 script_set_attribute( attribute:"see_also", value:"https://phabricator.wikimedia.org/T57332" ); # https://bugzilla.wikimedia.org/show_bug.cgi?id=55991 script_set_attribute( attribute:"see_also", value:"https://phabricator.wikimedia.org/T57991" ); # https://lists.fedoraproject.org/pipermail/package-announce/2013-December/123011.html script_set_attribute( attribute:"see_also", value:"http://www.nessus.org/u?25def639" ); script_set_attribute( attribute:"solution", value:"Update the affected mediawiki package." ); script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P"); script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available"); script_set_attribute(attribute:"exploit_available", value:"false"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:mediawiki"); script_set_attribute(attribute:"cpe", value:"cpe:/o:fedoraproject:fedora:19"); script_set_attribute(attribute:"patch_publication_date", value:"2013/11/23"); script_set_attribute(attribute:"plugin_publication_date", value:"2013/12/02"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2013-2020 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"Fedora Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/RedHat/release"); if (isnull(release) || "Fedora" >!< release) audit(AUDIT_OS_NOT, "Fedora"); os_ver = eregmatch(pattern: "Fedora.*release ([0-9]+)", string:release); if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Fedora"); os_ver = os_ver[1]; if (! ereg(pattern:"^19([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Fedora 19.x", "Fedora " + os_ver); if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Fedora", cpu); flag = 0; if (rpm_check(release:"FC19", reference:"mediawiki-1.21.3-1.fc19")) flag++; if (flag) { if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get()); else security_warning(0); exit(0); } else { tested = pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "mediawiki"); }NASL family CGI abuses NASL id MEDIAWIKI_1_19_9.NASL description According to its version number, the instance of MediaWiki running on the remote host is affected by the following vulnerabilities : - Input validation errors exist that allow cross-site scripting attacks. (CVE-2013-4567, CVE-2013-4568) - An error exists related to session IDs and HTTP headers that allows an information disclosure. (CVE-2013-4572) Additionally, the following extensions contain vulnerabilities but are not enabled or installed by default (unless otherwise noted) : - An input validation error exists related to the last seen 2020-06-01 modified 2020-06-02 plugin id 71500 published 2013-12-17 reporter This script is Copyright (C) 2013-2018 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/71500 title MediaWiki < 1.19.9 / 1.20.8 / 1.21.3 Multiple Vulnerabilities code # # (C) Tenable Network Security, Inc. # include("compat.inc"); if (description) { script_id(71500); script_version("1.9"); script_cvs_date("Date: 2018/11/28 22:47:41"); script_cve_id( "CVE-2012-5394", "CVE-2013-4567", "CVE-2013-4568", "CVE-2013-4569", "CVE-2013-4572", "CVE-2013-4573" ); script_bugtraq_id(63755, 63756, 63757, 63759, 63760, 63761); script_name(english:"MediaWiki < 1.19.9 / 1.20.8 / 1.21.3 Multiple Vulnerabilities"); script_summary(english:"Checks the version of MediaWiki."); script_set_attribute(attribute:"synopsis", value: "The remote web server contains an application that is affected by multiple vulnerabilities."); script_set_attribute(attribute:"description", value: "According to its version number, the instance of MediaWiki running on the remote host is affected by the following vulnerabilities : - Input validation errors exist that allow cross-site scripting attacks. (CVE-2013-4567, CVE-2013-4568) - An error exists related to session IDs and HTTP headers that allows an information disclosure. (CVE-2013-4572) Additionally, the following extensions contain vulnerabilities but are not enabled or installed by default (unless otherwise noted) : - An input validation error exists related to the 'CentralAuth' extension that allows cross-site request forgery (CSRF) attacks. (CVE-2012-5394) - An error exists in the 'CleanChanges' extension that allows an information disclosure related to 'revision-deleted' IP addresses. (CVE-2013-4569) - An input validation error exists in the 'ZeroRatedMobileAccess' extension that allows cross-site scripting attacks. (CVE-2013-4573) Note that Nessus has not tested for these issues but has instead relied on the application's self-reported version number."); # https://lists.wikimedia.org/pipermail/mediawiki-announce/2013-November/000135.html script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?d9d8f458"); script_set_attribute(attribute:"see_also", value:"https://www.mediawiki.org/wiki/Release_notes/1.19#MediaWiki_1.19.9"); script_set_attribute(attribute:"see_also", value:"https://www.mediawiki.org/wiki/Release_notes/1.20#MediaWiki_1.20.8"); script_set_attribute(attribute:"see_also", value:"https://www.mediawiki.org/wiki/Release_notes/1.21#MediaWiki_1.21.3"); script_set_attribute(attribute:"solution", value: "Upgrade to MediaWiki version 1.19.9 / 1.20.8 / 1.21.3 or later."); script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P"); script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available"); script_set_attribute(attribute:"exploit_available", value:"false"); script_cwe_id(20, 74, 79, 442, 629, 711, 712, 722, 725, 750, 751, 800, 801, 809, 811, 864, 900, 928, 931, 990); script_set_attribute(attribute:"vuln_publication_date", value:"2012/10/03"); script_set_attribute(attribute:"patch_publication_date", value:"2013/11/14"); script_set_attribute(attribute:"plugin_publication_date", value:"2013/12/17"); script_set_attribute(attribute:"potential_vulnerability", value:"true"); script_set_attribute(attribute:"plugin_type", value:"remote"); script_set_attribute(attribute:"cpe", value:"cpe:/a:mediawiki:mediawiki"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_family(english:"CGI abuses"); script_copyright(english:"This script is Copyright (C) 2013-2018 and is owned by Tenable, Inc. or an Affiliate thereof."); script_dependencies("mediawiki_detect.nasl"); script_require_keys("Settings/ParanoidReport", "installed_sw/MediaWiki", "www/PHP"); script_require_ports("Services/www", 80); exit(0); } include("audit.inc"); include("global_settings.inc"); include("misc_func.inc"); include("http.inc"); include("install_func.inc"); app = "MediaWiki"; get_install_count(app_name:app, exit_if_zero:TRUE); port = get_http_port(default:80, php:TRUE); install = get_single_install( app_name : app, port : port, exit_if_unknown_ver : TRUE ); version = install['version']; install_url = build_url(qs:install['path'], port:port); if (report_paranoia < 2) audit(AUDIT_PARANOID); if ( version =~ "^1\.19\.[0-8]([^0-9]|$)" || version =~ "^1\.20\.[0-7]([^0-9]|$)" || version =~ "^1\.21\.[0-2]([^0-9]|$)" ) { set_kb_item(name:'www/'+port+'/XSS', value:TRUE); set_kb_item(name:'www/'+port+'/XSRF', value:TRUE); if (report_verbosity > 0) { report = '\n URL : ' + install_url + '\n Installed version : ' + version + '\n Fixed versions : 1.19.9 / 1.20.8 / 1.21.3' + '\n'; security_warning(port:port, extra:report); } else security_warning(port); } else audit(AUDIT_WEB_APP_NOT_AFFECTED, app, install_url, version);NASL family Fedora Local Security Checks NASL id FEDORA_2013-21874.NASL description - Kevin Israel (Wikipedia user PleaseStand) identified and reported two vectors for injecting JavaScript in CSS that bypassed MediaWiki last seen 2020-03-17 modified 2013-12-02 plugin id 71150 published 2013-12-02 reporter This script is Copyright (C) 2013-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/71150 title Fedora 18 : mediawiki-1.19.9-1.fc18 (2013-21874) code #%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Fedora Security Advisory 2013-21874. # include("compat.inc"); if (description) { script_id(71150); script_version("1.10"); script_set_attribute(attribute:"plugin_modification_date", value:"2020/03/12"); script_cve_id("CVE-2012-5394", "CVE-2013-4567", "CVE-2013-4568", "CVE-2013-4569", "CVE-2013-4572"); script_bugtraq_id(63757, 63760, 63761); script_xref(name:"FEDORA", value:"2013-21874"); script_name(english:"Fedora 18 : mediawiki-1.19.9-1.fc18 (2013-21874)"); script_summary(english:"Checks rpm output for the updated package."); script_set_attribute( attribute:"synopsis", value:"The remote Fedora host is missing a security update." ); script_set_attribute( attribute:"description", value: " - Kevin Israel (Wikipedia user PleaseStand) identified and reported two vectors for injecting JavaScript in CSS that bypassed MediaWiki's blacklist (CVE-2013-4567, CVE-2013-4568). <https://bugzilla.wikimedia.org/show_bug.cgi?id=55332> - Internal review while debugging a site issue discovered that MediaWiki and the CentralNotice extension were incorrectly setting cache headers when a user was autocreated, causing the user's session cookies to be cached, and returned to other users (CVE-2013-4572). <https://bugzilla.wikimedia.org/show_bug.cgi?id=53032> Additionally, the following extensions have been updated to fix security issues : - CleanChanges: MediaWiki steward Teles reported that revision-deleted IP's are not correctly hidden when this extension is used (CVE-2013-4569). <https://bugzilla.wikimedia.org/show_bug.cgi?id=54294> - ZeroRatedMobileAccess: Tomasz Chlebowski reported an XSS vulnerability (CVE-2013-4573). <https://bugzilla.wikimedia.org/show_bug.cgi?id=55991> - CentralAuth: MediaWiki developer Platonides reported a login CSRF in CentralAuth (CVE-2012-5394). <https://bugzilla.wikimedia.org/show_bug.cgi?id=40747> Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues." ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.redhat.com/show_bug.cgi?id=1030987" ); # https://bugzilla.wikimedia.org/show_bug.cgi?id=40747 script_set_attribute( attribute:"see_also", value:"https://phabricator.wikimedia.org/T42747" ); # https://bugzilla.wikimedia.org/show_bug.cgi?id=53032 script_set_attribute( attribute:"see_also", value:"https://phabricator.wikimedia.org/T55032" ); # https://bugzilla.wikimedia.org/show_bug.cgi?id=54294 script_set_attribute( attribute:"see_also", value:"https://phabricator.wikimedia.org/T56294" ); # https://bugzilla.wikimedia.org/show_bug.cgi?id=55332 script_set_attribute( attribute:"see_also", value:"https://phabricator.wikimedia.org/T57332" ); # https://bugzilla.wikimedia.org/show_bug.cgi?id=55991 script_set_attribute( attribute:"see_also", value:"https://phabricator.wikimedia.org/T57991" ); # https://lists.fedoraproject.org/pipermail/package-announce/2013-December/122998.html script_set_attribute( attribute:"see_also", value:"http://www.nessus.org/u?7ea04af0" ); script_set_attribute( attribute:"solution", value:"Update the affected mediawiki package." ); script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P"); script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available"); script_set_attribute(attribute:"exploit_available", value:"false"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:mediawiki"); script_set_attribute(attribute:"cpe", value:"cpe:/o:fedoraproject:fedora:18"); script_set_attribute(attribute:"patch_publication_date", value:"2013/11/23"); script_set_attribute(attribute:"plugin_publication_date", value:"2013/12/02"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2013-2020 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"Fedora Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/RedHat/release"); if (isnull(release) || "Fedora" >!< release) audit(AUDIT_OS_NOT, "Fedora"); os_ver = eregmatch(pattern: "Fedora.*release ([0-9]+)", string:release); if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Fedora"); os_ver = os_ver[1]; if (! ereg(pattern:"^18([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Fedora 18.x", "Fedora " + os_ver); if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Fedora", cpu); flag = 0; if (rpm_check(release:"FC18", reference:"mediawiki-1.19.9-1.fc18")) flag++; if (flag) { if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get()); else security_warning(0); exit(0); } else { tested = pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "mediawiki"); }NASL family Debian Local Security Checks NASL id DEBIAN_DSA-2891.NASL description The remote Debian host is missing a security update. It is, therefore, affected by multiple vulnerabilities in MediaWiki : - A cross-site scripting (XSS) vulnerability exists due to a failure to validate input before returning it to the user. An unauthenticated, remote attacker can exploit this, via specially crafted SVG files, to execute arbitrary script code in the user last seen 2020-03-17 modified 2014-03-31 plugin id 73256 published 2014-03-31 reporter This script is Copyright (C) 2014-2020 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/73256 title Debian DSA-2891-1 : mediawiki, mediawiki-extensions Multiple Vulnerabilities code #%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The package checks in this plugin were # extracted from Debian Security Advisory DSA-2891 # include("compat.inc"); if (description) { script_id(73256); script_version("1.15"); script_set_attribute(attribute:"plugin_modification_date", value:"2020/03/12"); script_cve_id( "CVE-2013-2031", "CVE-2013-2032", "CVE-2013-4567", "CVE-2013-4568", "CVE-2013-4572", "CVE-2013-6452", "CVE-2013-6453", "CVE-2013-6454", "CVE-2013-6472", "CVE-2014-1610", "CVE-2014-2665" ); script_bugtraq_id( 59594, 59595, 63757, 63760, 63761, 65003, 65223, 66600 ); script_xref(name:"DSA", value:"2891"); script_name(english:"Debian DSA-2891-1 : mediawiki, mediawiki-extensions Multiple Vulnerabilities"); script_summary(english:"Checks the dpkg output for the updated packages."); script_set_attribute(attribute:"synopsis", value: "The remote Debian host is missing a security-related update."); script_set_attribute(attribute:"description", value: "The remote Debian host is missing a security update. It is, therefore, affected by multiple vulnerabilities in MediaWiki : - A cross-site scripting (XSS) vulnerability exists due to a failure to validate input before returning it to the user. An unauthenticated, remote attacker can exploit this, via specially crafted SVG files, to execute arbitrary script code in the user's browser session. (CVE-2013-2031) - A flaw exists in the password blocking mechanism due to two different tools being used to block password change requests, these being Special:PasswordReset and Special:ChangePassword, either of which may be bypassed by the method the other prevents. A remote attacker can exploit this issue to change passwords. (CVE-2013-2032) - Multiple flaws exist in Sanitizer::checkCss due to the improper sanitization of user-supplied input. An unauthenticated, remote attacker can exploit these to bypass the blacklist. (CVE-2013-4567, CVE-2013-4568) - A flaw exists due to multiple users being granted the same session ID within HTTP headers. A remote attacker can exploit this to authenticate as another random user. (CVE-2013-4572) - A cross-site scripting (XSS) vulnerability exists in the /includes/libs/XmlTypeCheck.php script due to improper validation of user-supplied input. An unauthenticated, remote attacker can exploit this, via a specially crafted XSL file, to execute arbitrary script code in the user's browser session. (CVE-2013-6452) - A flaw exists in the /includes/upload/UploadBase.php script due to a failure to apply SVG sanitization when XML files are read as invalid. An unauthenticated, remote attacker can exploit this to upload non-sanitized XML files, resulting in an unspecified impact. (CVE-2013-6453) - A stored cross-site (XSS) scripting vulnerability exists in the /includes/Sanitizer.php script due to a failure to properly validate the '-o-link' attribute before returning it to users. An unauthenticated, remote attacker can exploit this, via a specially crafted request, to execute arbitrary script code in the user's browser session. (CVE-2013-6454) - A flaw exists in the log API within the /includes/api/ApiQueryLogEvents.php script that allows an unauthenticated, remote attacker to disclose potentially sensitive information regarding deleted pages. (CVE-2013-6472) - Multiple flaws exist in the PdfHandler_body.php, DjVu.php, Bitmap.php, and ImageHandler.php scripts when DjVu or PDF file upload support is enabled due to improper sanitization of user-supplied input. An authenticated, remote attacker can exploit these, via the use of shell metacharacters, to execute execute arbitrary shell commands. (CVE-2014-1610) - A cross-site request forgery (XSRF) vulnerability exists in the includes/specials/SpecialChangePassword.php script due to a failure to properly handle a correctly authenticated but unintended login attempt. An unauthenticated, remote attacker, by convincing a user to follow a specially crafted link, can exploit this to reset the user's password. (CVE-2014-2665)"); script_set_attribute(attribute:"see_also", value:"http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=729629"); script_set_attribute(attribute:"see_also", value:"http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=706601"); script_set_attribute(attribute:"see_also", value:"http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=742857"); script_set_attribute(attribute:"see_also", value:"http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=742857"); script_set_attribute(attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2013-2031"); script_set_attribute(attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2013-2032"); script_set_attribute(attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2013-4567"); script_set_attribute(attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2013-4568"); script_set_attribute(attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2013-4572"); script_set_attribute(attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2013-6452"); script_set_attribute(attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2013-6453"); script_set_attribute(attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2013-6454"); script_set_attribute(attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2013-6472"); script_set_attribute(attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2014-1610"); script_set_attribute(attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2014-2665"); script_set_attribute(attribute:"see_also", value:"https://packages.debian.org/source/wheezy/mediawiki"); script_set_attribute(attribute:"see_also", value:"https://packages.debian.org/source/wheezy/mediawiki-extensions"); script_set_attribute(attribute:"see_also", value:"http://www.debian.org/security/2014/dsa-2891"); script_set_attribute(attribute:"solution", value: "Upgrade the mediawiki packages. For the stable distribution (wheezy), these issues have been fixed in version 1:1.19.14+dfsg-0+deb7u1 of the mediawiki package and version 3.5~deb7u1 of the mediawiki-extensions package."); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P"); script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available"); script_set_attribute(attribute:"exploit_available", value:"true"); script_set_attribute(attribute:"exploit_framework_core", value:"true"); script_set_attribute(attribute:"d2_elliot_name", value:"MediaWiki thumb.php page Parameter Remote Shell Command Injection"); script_set_attribute(attribute:"exploit_framework_d2_elliot", value:"true"); script_set_attribute(attribute:"metasploit_name", value:'MediaWiki Thumb.php Remote Command Execution'); script_set_attribute(attribute:"exploit_framework_metasploit", value:"true"); script_set_attribute(attribute:"vuln_publication_date", value:"2014/03/30"); script_set_attribute(attribute:"patch_publication_date", value:"2014/03/30"); script_set_attribute(attribute:"plugin_publication_date", value:"2014/03/31"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:mediawiki"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:mediawiki-extensions"); script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:7.0"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_family(english:"Debian Local Security Checks"); script_copyright(english:"This script is Copyright (C) 2014-2020 Tenable Network Security, Inc."); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l"); exit(0); } include("audit.inc"); include("debian_package.inc"); include("misc_func.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); oslevel = get_kb_item("Host/Debian/release"); if (empty_or_null(oslevel)) audit(AUDIT_OS_NOT, "Debian"); if (oslevel !~ "^7\.") audit(AUDIT_OS_NOT, "Debian 7", "Debian " + oslevel); if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING); flag = 0; if (deb_check(release:"7.0", prefix:"mediawiki", reference:"1:1.19.14+dfsg-0+deb7u1")) flag++; if (deb_check(release:"7.0", prefix:"mediawiki-extensions", reference:"3.5~deb7u1")) flag++; if (deb_check(release:"7.0", prefix:"mediawiki-extensions-base", reference:"3.5~deb7u1")) flag++; if (deb_check(release:"7.0", prefix:"mediawiki-extensions-collection", reference:"3.5~deb7u1")) flag++; if (deb_check(release:"7.0", prefix:"mediawiki-extensions-geshi", reference:"3.5~deb7u1")) flag++; if (deb_check(release:"7.0", prefix:"mediawiki-extensions-graphviz", reference:"3.5~deb7u1")) flag++; if (deb_check(release:"7.0", prefix:"mediawiki-extensions-ldapauth", reference:"3.5~deb7u1")) flag++; if (deb_check(release:"7.0", prefix:"mediawiki-extensions-openid", reference:"3.5~deb7u1")) flag++; if (flag) { security_report_v4( port : 0, severity : SECURITY_HOLE, xss : TRUE, xsrf : TRUE, extra : deb_report_get() ); } else audit(AUDIT_HOST_NOT, "affected");NASL family Fedora Local Security Checks NASL id FEDORA_2013-22047.NASL description - Kevin Israel (Wikipedia user PleaseStand) identified and reported two vectors for injecting JavaScript in CSS that bypassed MediaWiki last seen 2020-03-17 modified 2013-12-14 plugin id 71407 published 2013-12-14 reporter This script is Copyright (C) 2013-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/71407 title Fedora 20 : mediawiki-1.21.3-1.fc20 (2013-22047) code #%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Fedora Security Advisory 2013-22047. # include("compat.inc"); if (description) { script_id(71407); script_version("1.8"); script_set_attribute(attribute:"plugin_modification_date", value:"2020/03/12"); script_cve_id("CVE-2013-4567", "CVE-2013-4568", "CVE-2013-4572"); script_bugtraq_id(63757, 63760, 63761); script_xref(name:"FEDORA", value:"2013-22047"); script_name(english:"Fedora 20 : mediawiki-1.21.3-1.fc20 (2013-22047)"); script_summary(english:"Checks rpm output for the updated package."); script_set_attribute( attribute:"synopsis", value:"The remote Fedora host is missing a security update." ); script_set_attribute( attribute:"description", value: " - Kevin Israel (Wikipedia user PleaseStand) identified and reported two vectors for injecting JavaScript in CSS that bypassed MediaWiki's blacklist (CVE-2013-4567, CVE-2013-4568). <https://bugzilla.wikimedia.org/show_bug.cgi?id=55332> - Internal review while debugging a site issue discovered that MediaWiki and the CentralNotice extension were incorrectly setting cache headers when a user was autocreated, causing the user's session cookies to be cached, and returned to other users (CVE-2013-4572). <https://bugzilla.wikimedia.org/show_bug.cgi?id=53032> Additionally, the following extensions have been updated to fix security issues : - CleanChanges: MediaWiki steward Teles reported that revision-deleted IP's are not correctly hidden when this extension is used (CVE-2013-4569). <https://bugzilla.wikimedia.org/show_bug.cgi?id=54294> - ZeroRatedMobileAccess: Tomasz Chlebowski reported an XSS vulnerability (CVE-2013-4573). <https://bugzilla.wikimedia.org/show_bug.cgi?id=55991> - CentralAuth: MediaWiki developer Platonides reported a login CSRF in CentralAuth (CVE-2012-5394). <https://bugzilla.wikimedia.org/show_bug.cgi?id=40747> Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues." ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.redhat.com/show_bug.cgi?id=1030987" ); # https://bugzilla.wikimedia.org/show_bug.cgi?id=40747 script_set_attribute( attribute:"see_also", value:"https://phabricator.wikimedia.org/T42747" ); # https://bugzilla.wikimedia.org/show_bug.cgi?id=53032 script_set_attribute( attribute:"see_also", value:"https://phabricator.wikimedia.org/T55032" ); # https://bugzilla.wikimedia.org/show_bug.cgi?id=54294 script_set_attribute( attribute:"see_also", value:"https://phabricator.wikimedia.org/T56294" ); # https://bugzilla.wikimedia.org/show_bug.cgi?id=55332 script_set_attribute( attribute:"see_also", value:"https://phabricator.wikimedia.org/T57332" ); # https://bugzilla.wikimedia.org/show_bug.cgi?id=55991 script_set_attribute( attribute:"see_also", value:"https://phabricator.wikimedia.org/T57991" ); # https://lists.fedoraproject.org/pipermail/package-announce/2013-December/123834.html script_set_attribute( attribute:"see_also", value:"http://www.nessus.org/u?bb6debb6" ); script_set_attribute( attribute:"solution", value:"Update the affected mediawiki package." ); script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N"); script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available"); script_set_attribute(attribute:"exploit_available", value:"false"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:mediawiki"); script_set_attribute(attribute:"cpe", value:"cpe:/o:fedoraproject:fedora:20"); script_set_attribute(attribute:"patch_publication_date", value:"2013/11/24"); script_set_attribute(attribute:"plugin_publication_date", value:"2013/12/14"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2013-2020 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"Fedora Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/RedHat/release"); if (isnull(release) || "Fedora" >!< release) audit(AUDIT_OS_NOT, "Fedora"); os_ver = eregmatch(pattern: "Fedora.*release ([0-9]+)", string:release); if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Fedora"); os_ver = os_ver[1]; if (! ereg(pattern:"^20([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Fedora 20.x", "Fedora " + os_ver); if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Fedora", cpu); flag = 0; if (rpm_check(release:"FC20", reference:"mediawiki-1.21.3-1.fc20")) flag++; if (flag) { if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get()); else security_warning(0); exit(0); } else { tested = pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "mediawiki"); }
References
- http://lists.fedoraproject.org/pipermail/package-announce/2013-December/122998.html
- http://lists.fedoraproject.org/pipermail/package-announce/2013-December/122998.html
- http://lists.fedoraproject.org/pipermail/package-announce/2013-December/123011.html
- http://lists.fedoraproject.org/pipermail/package-announce/2013-December/123011.html
- http://lists.wikimedia.org/pipermail/mediawiki-announce/2013-November/000135.html
- http://lists.wikimedia.org/pipermail/mediawiki-announce/2013-November/000135.html
- http://secunia.com/advisories/57472
- http://secunia.com/advisories/57472
- http://www.debian.org/security/2014/dsa-2891
- http://www.debian.org/security/2014/dsa-2891
- http://www.securityfocus.com/bid/63760
- http://www.securityfocus.com/bid/63760
- https://bugzilla.wikimedia.org/show_bug.cgi?id=55332
- https://bugzilla.wikimedia.org/show_bug.cgi?id=55332