CVE-2013-4572 - Session Fixation vulnerability in multiple products

CVSS 5.0 - MEDIUM
Attack vector: NETWORK
Attack complexity: LOW
Privileges required: NONE
Confidentiality impact: NONE
Integrity impact: PARTIAL
Availability impact: NONE
Tags: network, low complexity, mediawiki, fedoraproject, CWE-384, nessus

Summary

The CentralNotice extension for MediaWiki before 1.19.9, 1.20.x before 1.20.8, and 1.21.x before 1.21.3 sets the Cache-Control header to cache session cookies when a user is autocreated, which allows remote attackers to authenticate as the created user.

Vulnerable Configurations

Part         Description    Count
Application  Mediawiki      218
OS           Fedoraproject  2

Common Weakness Enumeration (CWE)

Common Attack Pattern Enumeration and Classification (CAPEC)

  • Session Credential Falsification through Forging
    An attacker creates a false but functional session credential in order to gain or usurp access to a service. Session credentials allow users to identify themselves to a service after an initial authentication without needing to resend the authentication information (usually a username and password) with every message. If an attacker is able to forge valid session credentials they may be able to bypass authentication or piggy-back off some other authenticated user's session. This attack differs from Reuse of Session IDs and Session Sidejacking attacks in that in the latter attacks an attacker uses a previous or existing credential without modification while, in a forging attack, the attacker must create their own credential, although it may be based on previously observed credentials.
  • Exploitation of Session Variables, Resource IDs and other Trusted Credentials
    Attacks on session IDs and resource IDs take advantage of the fact that some software accepts user input without verifying its authenticity. For example, in a message queuing system that allows service requesters to post messages to its queue through an open channel (such as anonymous FTP), authorization is done through checking group or role membership contained in the posted message. However, there is no proof that the message itself, the information in the message (such as group or role membership), or indeed the process that wrote the message to the queue are authentic and authorized to do so. Many server-side processes are vulnerable to these attacks because the server-to-server communications have not been analyzed from a security perspective or the processes "trust" other systems because they are behind a firewall. In a similar way, servers that use easy-to-guess or spoofable schemes for representing digital identity can also be vulnerable. Such systems frequently use schemes without cryptography and digital signatures (or with broken cryptography). Session IDs may be guessed due to insufficient randomness, poor protection (passed in the clear), lack of integrity (unsigned), or improper correlation with access control policy enforcement points. Exposed configuration and properties files that contain system passwords, database connection strings, and such may also give an attacker an edge in identifying these identifiers. The net result is that spoofing and impersonation are possible, leading to an attacker's ability to break authentication, authorization, and audit controls on the system.
  • Accessing/Intercepting/Modifying HTTP Cookies
    This attack relies on the use of HTTP Cookies to store credentials, state information and other critical data on client systems. The first form of this attack involves accessing HTTP Cookies to mine for potentially sensitive data contained therein. The second form of this attack involves intercepting this data as it is transmitted from client to server. This intercepted information is then used by the attacker to impersonate the remote user/session. The third form is when the cookie's content is modified by the attacker before it is sent back to the server. Here the attacker seeks to convince the target server to operate on this falsified information.
  • Manipulating Opaque Client-based Data Tokens
    In circumstances where an application holds important data client-side in tokens (cookies, URLs, data files, and so forth), that data can be manipulated. If client or server-side application components reinterpret that data as authentication tokens or data (such as store item pricing or wallet information), then even opaquely manipulating that data may bear fruit for an attacker. In this pattern an attacker undermines the assumption that client-side tokens have been adequately protected from tampering through use of encryption or obfuscation.
  • Session Credential Falsification through Prediction
    This attack targets predictable session IDs in order to gain privileges. The attacker can predict the session ID used during a transaction to perform spoofing and session hijacking.

Nessus

  • NASL family: Mandriva Local Security Checks
    NASL id: MANDRIVA_MDVSA-2013-290.NASL
    description: Updated mediawiki packages fix security vulnerabilities : Kevin Israel (Wikipedia user PleaseStand) identified and reported two vectors for injecting JavaScript in CSS that bypassed MediaWiki
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 71510
    published: 2013-12-18
    reporter: This script is Copyright (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/71510
    title: Mandriva Linux Security Advisory : mediawiki (MDVSA-2013:290)
    code:
    #%NASL_MIN_LEVEL 80502
    
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Mandriva Linux Security Advisory MDVSA-2013:290. 
    # The text itself is copyright (C) Mandriva S.A.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(71510);
      script_version("1.6");
      script_cvs_date("Date: 2019/08/02 13:32:55");
    
      script_cve_id("CVE-2013-4567", "CVE-2013-4568", "CVE-2013-4572");
      script_bugtraq_id(63757, 63760, 63761);
      script_xref(name:"MDVSA", value:"2013:290");
    
      script_name(english:"Mandriva Linux Security Advisory : mediawiki (MDVSA-2013:290)");
      script_summary(english:"Checks rpm output for the updated packages");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:
    "The remote Mandriva Linux host is missing one or more security
    updates."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "Updated mediawiki packages fix security vulnerabilities :
    
    Kevin Israel (Wikipedia user PleaseStand) identified and reported two
    vectors for injecting JavaScript in CSS that bypassed MediaWiki's
    blacklist (CVE-2013-4567, CVE-2013-4568).
    
    Internal review while debugging a site issue discovered that MediaWiki
    and the CentralNotice extension were incorrectly setting cache headers
    when a user was autocreated, causing the user's session cookies to be
    cached, and returned to other users (CVE-2013-4572)."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"http://advisories.mageia.org/MGASA-2013-0368.html"
      );
      script_set_attribute(attribute:"solution", value:"Update the affected packages.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"false");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:mediawiki");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:mediawiki-mysql");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:mediawiki-pgsql");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:mediawiki-sqlite");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:mandriva:business_server:1");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2013/12/17");
      script_set_attribute(attribute:"plugin_publication_date", value:"2013/12/18");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Mandriva Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/Mandrake/release", "Host/Mandrake/rpm-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/Mandrake/release")) audit(AUDIT_OS_NOT, "Mandriva / Mandrake Linux");
    if (!get_kb_item("Host/Mandrake/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if (cpu !~ "^(amd64|i[3-6]86|x86_64)$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Mandriva / Mandrake Linux", cpu);
    
    
    flag = 0;
    if (rpm_check(release:"MDK-MBS1", reference:"mediawiki-1.20.8-1.mbs1")) flag++;
    if (rpm_check(release:"MDK-MBS1", reference:"mediawiki-mysql-1.20.8-1.mbs1")) flag++;
    if (rpm_check(release:"MDK-MBS1", reference:"mediawiki-pgsql-1.20.8-1.mbs1")) flag++;
    if (rpm_check(release:"MDK-MBS1", reference:"mediawiki-sqlite-1.20.8-1.mbs1")) flag++;
    
    
    if (flag)
    {
      if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());
      else security_warning(0);
      exit(0);
    }
    else audit(AUDIT_HOST_NOT, "affected");
    
  • NASL family: Fedora Local Security Checks
    NASL id: FEDORA_2013-21856.NASL
    description: - Kevin Israel (Wikipedia user PleaseStand) identified and reported two vectors for injecting JavaScript in CSS that bypassed MediaWiki
    last seen: 2020-03-17
    modified: 2013-12-02
    plugin id: 71149
    published: 2013-12-02
    reporter: This script is Copyright (C) 2013-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/71149
    title: Fedora 19 : mediawiki-1.21.3-1.fc19 (2013-21856)
    code:
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Fedora Security Advisory 2013-21856.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(71149);
      script_version("1.10");
      script_set_attribute(attribute:"plugin_modification_date", value:"2020/03/12");
    
      script_cve_id("CVE-2012-5394", "CVE-2013-4567", "CVE-2013-4568", "CVE-2013-4569", "CVE-2013-4572");
      script_bugtraq_id(63757, 63760, 63761);
      script_xref(name:"FEDORA", value:"2013-21856");
    
      script_name(english:"Fedora 19 : mediawiki-1.21.3-1.fc19 (2013-21856)");
      script_summary(english:"Checks rpm output for the updated package.");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Fedora host is missing a security update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "  - Kevin Israel (Wikipedia user PleaseStand) identified and
        reported two vectors for injecting JavaScript in CSS
        that bypassed MediaWiki's blacklist (CVE-2013-4567,
        CVE-2013-4568).
        <https://bugzilla.wikimedia.org/show_bug.cgi?id=55332>
    
      - Internal review while debugging a site issue discovered
        that MediaWiki and the CentralNotice extension were
        incorrectly setting cache headers when a user was
        autocreated, causing the user's session cookies to be
        cached, and returned to other users (CVE-2013-4572).
        <https://bugzilla.wikimedia.org/show_bug.cgi?id=53032>
    
    Additionally, the following extensions have been updated to fix
    security issues :
    
      - CleanChanges: MediaWiki steward Teles reported that
        revision-deleted IP's are not correctly hidden when this
        extension is used (CVE-2013-4569).
        <https://bugzilla.wikimedia.org/show_bug.cgi?id=54294>
    
      - ZeroRatedMobileAccess: Tomasz Chlebowski reported an XSS
        vulnerability (CVE-2013-4573).
        <https://bugzilla.wikimedia.org/show_bug.cgi?id=55991>
    
      - CentralAuth: MediaWiki developer Platonides reported a
        login CSRF in CentralAuth (CVE-2012-5394).
        <https://bugzilla.wikimedia.org/show_bug.cgi?id=40747>
    
    Note that Tenable Network Security has extracted the preceding
    description block directly from the Fedora security advisory. Tenable
    has attempted to automatically clean and format it as much as possible
    without introducing additional issues."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.redhat.com/show_bug.cgi?id=1030987"
      );
      # https://bugzilla.wikimedia.org/show_bug.cgi?id=40747
      script_set_attribute(
        attribute:"see_also",
        value:"https://phabricator.wikimedia.org/T42747"
      );
      # https://bugzilla.wikimedia.org/show_bug.cgi?id=53032
      script_set_attribute(
        attribute:"see_also",
        value:"https://phabricator.wikimedia.org/T55032"
      );
      # https://bugzilla.wikimedia.org/show_bug.cgi?id=54294
      script_set_attribute(
        attribute:"see_also",
        value:"https://phabricator.wikimedia.org/T56294"
      );
      # https://bugzilla.wikimedia.org/show_bug.cgi?id=55332
      script_set_attribute(
        attribute:"see_also",
        value:"https://phabricator.wikimedia.org/T57332"
      );
      # https://bugzilla.wikimedia.org/show_bug.cgi?id=55991
      script_set_attribute(
        attribute:"see_also",
        value:"https://phabricator.wikimedia.org/T57991"
      );
      # https://lists.fedoraproject.org/pipermail/package-announce/2013-December/123011.html
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?25def639"
      );
      script_set_attribute(
        attribute:"solution", 
        value:"Update the affected mediawiki package."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"false");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:mediawiki");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:fedoraproject:fedora:19");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2013/11/23");
      script_set_attribute(attribute:"plugin_publication_date", value:"2013/12/02");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2013-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Fedora Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/RedHat/release");
    if (isnull(release) || "Fedora" >!< release) audit(AUDIT_OS_NOT, "Fedora");
    os_ver = eregmatch(pattern: "Fedora.*release ([0-9]+)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Fedora");
    os_ver = os_ver[1];
    if (! ereg(pattern:"^19([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Fedora 19.x", "Fedora " + os_ver);
    
    if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Fedora", cpu);
    
    flag = 0;
    if (rpm_check(release:"FC19", reference:"mediawiki-1.21.3-1.fc19")) flag++;
    
    
    if (flag)
    {
      if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());
      else security_warning(0);
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "mediawiki");
    }
    
  • NASL family: CGI abuses
    NASL id: MEDIAWIKI_1_19_9.NASL
    description: According to its version number, the instance of MediaWiki running on the remote host is affected by the following vulnerabilities : - Input validation errors exist that allow cross-site scripting attacks. (CVE-2013-4567, CVE-2013-4568) - An error exists related to session IDs and HTTP headers that allows an information disclosure. (CVE-2013-4572) Additionally, the following extensions contain vulnerabilities but are not enabled or installed by default (unless otherwise noted) : - An input validation error exists related to the
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 71500
    published: 2013-12-17
    reporter: This script is Copyright (C) 2013-2018 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/71500
    title: MediaWiki < 1.19.9 / 1.20.8 / 1.21.3 Multiple Vulnerabilities
    code:
    #
    # (C) Tenable Network Security, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(71500);
      script_version("1.9");
      script_cvs_date("Date: 2018/11/28 22:47:41");
    
      script_cve_id(
        "CVE-2012-5394",
        "CVE-2013-4567",
        "CVE-2013-4568",
        "CVE-2013-4569",
        "CVE-2013-4572",
        "CVE-2013-4573"
      );
      script_bugtraq_id(63755, 63756, 63757, 63759, 63760, 63761);
    
      script_name(english:"MediaWiki < 1.19.9 / 1.20.8 / 1.21.3 Multiple Vulnerabilities");
      script_summary(english:"Checks the version of MediaWiki.");
    
      script_set_attribute(attribute:"synopsis", value:
    "The remote web server contains an application that is affected by
    multiple vulnerabilities.");
      script_set_attribute(attribute:"description", value:
    "According to its version number, the instance of MediaWiki running on
    the remote host is affected by the following vulnerabilities :
    
      - Input validation errors exist that allow cross-site
        scripting attacks. (CVE-2013-4567, CVE-2013-4568)
    
      - An error exists related to session IDs and HTTP headers
        that allows an information disclosure. (CVE-2013-4572)
    
    Additionally, the following extensions contain vulnerabilities but
    are not enabled or installed by default (unless otherwise noted) : 
    
      - An input validation error exists related to the
        'CentralAuth' extension that allows cross-site request
        forgery (CSRF) attacks. (CVE-2012-5394)
    
      - An error exists in the 'CleanChanges' extension that
        allows an information disclosure related to
        'revision-deleted' IP addresses. (CVE-2013-4569)
    
      - An input validation error exists in the
        'ZeroRatedMobileAccess' extension that allows cross-site
        scripting attacks. (CVE-2013-4573)
    
    Note that Nessus has not tested for these issues but has instead
    relied on the application's self-reported version number.");
      # https://lists.wikimedia.org/pipermail/mediawiki-announce/2013-November/000135.html
      script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?d9d8f458");
      script_set_attribute(attribute:"see_also", value:"https://www.mediawiki.org/wiki/Release_notes/1.19#MediaWiki_1.19.9");
      script_set_attribute(attribute:"see_also", value:"https://www.mediawiki.org/wiki/Release_notes/1.20#MediaWiki_1.20.8");
      script_set_attribute(attribute:"see_also", value:"https://www.mediawiki.org/wiki/Release_notes/1.21#MediaWiki_1.21.3");
      script_set_attribute(attribute:"solution", value:
    "Upgrade to MediaWiki version 1.19.9 / 1.20.8 / 1.21.3 or later.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"false");
      script_cwe_id(20, 74, 79, 442, 629, 711, 712, 722, 725, 750, 751, 800, 801, 809, 811, 864, 900, 928, 931, 990);
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2012/10/03");
      script_set_attribute(attribute:"patch_publication_date", value:"2013/11/14");
      script_set_attribute(attribute:"plugin_publication_date", value:"2013/12/17");
    
      script_set_attribute(attribute:"potential_vulnerability", value:"true");
      script_set_attribute(attribute:"plugin_type", value:"remote");
      script_set_attribute(attribute:"cpe", value:"cpe:/a:mediawiki:mediawiki");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"CGI abuses");
    
      script_copyright(english:"This script is Copyright (C) 2013-2018 and is owned by Tenable, Inc. or an Affiliate thereof.");
    
      script_dependencies("mediawiki_detect.nasl");
      script_require_keys("Settings/ParanoidReport", "installed_sw/MediaWiki", "www/PHP");
      script_require_ports("Services/www", 80);
    
      exit(0);
    }
    
    include("audit.inc");
    include("global_settings.inc");
    include("misc_func.inc");
    include("http.inc");
    include("install_func.inc");
    
    app = "MediaWiki";
    get_install_count(app_name:app, exit_if_zero:TRUE);
    
    port = get_http_port(default:80, php:TRUE);
    
    install = get_single_install(
      app_name : app,
      port     : port,
      exit_if_unknown_ver : TRUE
    );
    version = install['version'];
    install_url = build_url(qs:install['path'], port:port);
    
    if (report_paranoia < 2) audit(AUDIT_PARANOID);
    
    if (
      version =~ "^1\.19\.[0-8]([^0-9]|$)" ||
      version =~ "^1\.20\.[0-7]([^0-9]|$)" ||
      version =~ "^1\.21\.[0-2]([^0-9]|$)"
    )
    {
      set_kb_item(name:'www/'+port+'/XSS', value:TRUE);
      set_kb_item(name:'www/'+port+'/XSRF', value:TRUE);
    
      if (report_verbosity > 0)
      {
        report =
          '\n  URL               : ' + install_url +
          '\n  Installed version : ' + version +
          '\n  Fixed versions    : 1.19.9 / 1.20.8 / 1.21.3' +
          '\n';
        security_warning(port:port, extra:report);
      }
      else security_warning(port);
    }
    else audit(AUDIT_WEB_APP_NOT_AFFECTED, app, install_url, version);
    
  • NASL family: Fedora Local Security Checks
    NASL id: FEDORA_2013-21874.NASL
    description: - Kevin Israel (Wikipedia user PleaseStand) identified and reported two vectors for injecting JavaScript in CSS that bypassed MediaWiki
    last seen: 2020-03-17
    modified: 2013-12-02
    plugin id: 71150
    published: 2013-12-02
    reporter: This script is Copyright (C) 2013-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/71150
    title: Fedora 18 : mediawiki-1.19.9-1.fc18 (2013-21874)
    code:
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Fedora Security Advisory 2013-21874.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(71150);
      script_version("1.10");
      script_set_attribute(attribute:"plugin_modification_date", value:"2020/03/12");
    
      script_cve_id("CVE-2012-5394", "CVE-2013-4567", "CVE-2013-4568", "CVE-2013-4569", "CVE-2013-4572");
      script_bugtraq_id(63757, 63760, 63761);
      script_xref(name:"FEDORA", value:"2013-21874");
    
      script_name(english:"Fedora 18 : mediawiki-1.19.9-1.fc18 (2013-21874)");
      script_summary(english:"Checks rpm output for the updated package.");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Fedora host is missing a security update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "  - Kevin Israel (Wikipedia user PleaseStand) identified and
        reported two vectors for injecting JavaScript in CSS
        that bypassed MediaWiki's blacklist (CVE-2013-4567,
        CVE-2013-4568).
        <https://bugzilla.wikimedia.org/show_bug.cgi?id=55332>
    
      - Internal review while debugging a site issue discovered
        that MediaWiki and the CentralNotice extension were
        incorrectly setting cache headers when a user was
        autocreated, causing the user's session cookies to be
        cached, and returned to other users (CVE-2013-4572).
        <https://bugzilla.wikimedia.org/show_bug.cgi?id=53032>
    
    Additionally, the following extensions have been updated to fix
    security issues :
    
      - CleanChanges: MediaWiki steward Teles reported that
        revision-deleted IP's are not correctly hidden when this
        extension is used (CVE-2013-4569).
        <https://bugzilla.wikimedia.org/show_bug.cgi?id=54294>
    
      - ZeroRatedMobileAccess: Tomasz Chlebowski reported an XSS
        vulnerability (CVE-2013-4573).
        <https://bugzilla.wikimedia.org/show_bug.cgi?id=55991>
    
      - CentralAuth: MediaWiki developer Platonides reported a
        login CSRF in CentralAuth (CVE-2012-5394).
        <https://bugzilla.wikimedia.org/show_bug.cgi?id=40747>
    
    Note that Tenable Network Security has extracted the preceding
    description block directly from the Fedora security advisory. Tenable
    has attempted to automatically clean and format it as much as possible
    without introducing additional issues."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.redhat.com/show_bug.cgi?id=1030987"
      );
      # https://bugzilla.wikimedia.org/show_bug.cgi?id=40747
      script_set_attribute(
        attribute:"see_also",
        value:"https://phabricator.wikimedia.org/T42747"
      );
      # https://bugzilla.wikimedia.org/show_bug.cgi?id=53032
      script_set_attribute(
        attribute:"see_also",
        value:"https://phabricator.wikimedia.org/T55032"
      );
      # https://bugzilla.wikimedia.org/show_bug.cgi?id=54294
      script_set_attribute(
        attribute:"see_also",
        value:"https://phabricator.wikimedia.org/T56294"
      );
      # https://bugzilla.wikimedia.org/show_bug.cgi?id=55332
      script_set_attribute(
        attribute:"see_also",
        value:"https://phabricator.wikimedia.org/T57332"
      );
      # https://bugzilla.wikimedia.org/show_bug.cgi?id=55991
      script_set_attribute(
        attribute:"see_also",
        value:"https://phabricator.wikimedia.org/T57991"
      );
      # https://lists.fedoraproject.org/pipermail/package-announce/2013-December/122998.html
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?7ea04af0"
      );
      script_set_attribute(
        attribute:"solution", 
        value:"Update the affected mediawiki package."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"false");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:mediawiki");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:fedoraproject:fedora:18");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2013/11/23");
      script_set_attribute(attribute:"plugin_publication_date", value:"2013/12/02");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2013-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Fedora Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/RedHat/release");
    if (isnull(release) || "Fedora" >!< release) audit(AUDIT_OS_NOT, "Fedora");
    os_ver = eregmatch(pattern: "Fedora.*release ([0-9]+)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Fedora");
    os_ver = os_ver[1];
    if (! ereg(pattern:"^18([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Fedora 18.x", "Fedora " + os_ver);
    
    if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Fedora", cpu);
    
    flag = 0;
    if (rpm_check(release:"FC18", reference:"mediawiki-1.19.9-1.fc18")) flag++;
    
    
    if (flag)
    {
      if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());
      else security_warning(0);
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "mediawiki");
    }
    
  • NASL family: Debian Local Security Checks
    NASL id: DEBIAN_DSA-2891.NASL
    description: The remote Debian host is missing a security update. It is, therefore, affected by multiple vulnerabilities in MediaWiki : - A cross-site scripting (XSS) vulnerability exists due to a failure to validate input before returning it to the user. An unauthenticated, remote attacker can exploit this, via specially crafted SVG files, to execute arbitrary script code in the user
    last seen: 2020-03-17
    modified: 2014-03-31
    plugin id: 73256
    published: 2014-03-31
    reporter: This script is Copyright (C) 2014-2020 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/73256
    title: Debian DSA-2891-1 : mediawiki, mediawiki-extensions Multiple Vulnerabilities
    code:
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The package checks in this plugin were
    # extracted from Debian Security Advisory DSA-2891
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(73256);
      script_version("1.15");
      script_set_attribute(attribute:"plugin_modification_date", value:"2020/03/12");
    
      script_cve_id(
        "CVE-2013-2031",
        "CVE-2013-2032",
        "CVE-2013-4567",
        "CVE-2013-4568",
        "CVE-2013-4572",
        "CVE-2013-6452",
        "CVE-2013-6453",
        "CVE-2013-6454",
        "CVE-2013-6472",
        "CVE-2014-1610",
        "CVE-2014-2665"
      );
      script_bugtraq_id(
        59594,
        59595,
        63757,
        63760,
        63761,
        65003,
        65223,
        66600
      );
      script_xref(name:"DSA", value:"2891");
    
      script_name(english:"Debian DSA-2891-1 : mediawiki, mediawiki-extensions Multiple Vulnerabilities");
      script_summary(english:"Checks the dpkg output for the updated packages.");
    
      script_set_attribute(attribute:"synopsis", value:
    "The remote Debian host is missing a security-related update.");
      script_set_attribute(attribute:"description", value:
    "The remote Debian host is missing a security update. It is, therefore,
    affected by multiple vulnerabilities in MediaWiki :
    
      - A cross-site scripting (XSS) vulnerability exists due to
        a failure to validate input before returning it to the
        user. An unauthenticated, remote attacker can exploit
        this, via specially crafted SVG files, to execute
        arbitrary script code in the user's browser session.
        (CVE-2013-2031)
    
      - A flaw exists in the password blocking mechanism due to
        two different tools being used to block password change
        requests, these being Special:PasswordReset and
        Special:ChangePassword, either of which may be bypassed
        by the method the other prevents. A remote attacker can
        exploit this issue to change passwords. (CVE-2013-2032)
    
      - Multiple flaws exist in Sanitizer::checkCss due to the
        improper sanitization of user-supplied input. An
        unauthenticated, remote attacker can exploit these to
        bypass the blacklist. (CVE-2013-4567, CVE-2013-4568)
    
      - A flaw exists due to multiple users being granted the
        same session ID within HTTP headers. A remote attacker
        can exploit this to authenticate as another random
        user. (CVE-2013-4572)
    
      - A cross-site scripting (XSS) vulnerability exists in the
        /includes/libs/XmlTypeCheck.php script due to improper
        validation of user-supplied input. An unauthenticated,
        remote attacker can exploit this, via a specially
        crafted XSL file, to execute arbitrary script code in
        the user's browser session. (CVE-2013-6452)
    
      - A flaw exists in the /includes/upload/UploadBase.php
        script due to a failure to apply SVG sanitization when
        XML files are read as invalid. An unauthenticated,
        remote attacker can exploit this to upload non-sanitized
        XML files, resulting in an unspecified impact.
        (CVE-2013-6453)
    
      - A stored cross-site scripting (XSS) vulnerability exists
        in the /includes/Sanitizer.php script due to a failure
        to properly validate the '-o-link' attribute before
        returning it to users. An unauthenticated, remote
        attacker can exploit this, via a specially crafted
        request, to execute arbitrary script code in the user's
        browser session. (CVE-2013-6454)
    
      - A flaw exists in the log API within the
        /includes/api/ApiQueryLogEvents.php script that allows
        an unauthenticated, remote attacker to disclose
        potentially sensitive information regarding deleted
        pages. (CVE-2013-6472)
    
      - Multiple flaws exist in the PdfHandler_body.php,
        DjVu.php, Bitmap.php, and ImageHandler.php scripts when
        DjVu or PDF file upload support is enabled due to
        improper sanitization of user-supplied input. An
        authenticated, remote attacker can exploit these, via
        the use of shell metacharacters, to execute
        arbitrary shell commands. (CVE-2014-1610)
    
      - A cross-site request forgery (XSRF) vulnerability exists
        in the includes/specials/SpecialChangePassword.php
        script due to a failure to properly handle a correctly
        authenticated but unintended login attempt. An
        unauthenticated, remote attacker, by convincing a user
        to follow a specially crafted link, can exploit this to
        reset the user's password. (CVE-2014-2665)");
      script_set_attribute(attribute:"see_also", value:"http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=729629");
      script_set_attribute(attribute:"see_also", value:"http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=706601");
      script_set_attribute(attribute:"see_also", value:"http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=742857");
      script_set_attribute(attribute:"see_also", value:"http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=742857");
      script_set_attribute(attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2013-2031");
      script_set_attribute(attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2013-2032");
      script_set_attribute(attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2013-4567");
      script_set_attribute(attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2013-4568");
      script_set_attribute(attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2013-4572");
      script_set_attribute(attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2013-6452");
      script_set_attribute(attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2013-6453");
      script_set_attribute(attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2013-6454");
      script_set_attribute(attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2013-6472");
      script_set_attribute(attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2014-1610");
      script_set_attribute(attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2014-2665");
      script_set_attribute(attribute:"see_also", value:"https://packages.debian.org/source/wheezy/mediawiki");
      script_set_attribute(attribute:"see_also", value:"https://packages.debian.org/source/wheezy/mediawiki-extensions");
      script_set_attribute(attribute:"see_also", value:"http://www.debian.org/security/2014/dsa-2891");
      script_set_attribute(attribute:"solution", value:
    "Upgrade the mediawiki packages. For the stable distribution (wheezy),
    these issues have been fixed in version 1:1.19.14+dfsg-0+deb7u1 of the
    mediawiki package and version 3.5~deb7u1 of the mediawiki-extensions
    package.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_set_attribute(attribute:"exploit_framework_core", value:"true");
      script_set_attribute(attribute:"d2_elliot_name", value:"MediaWiki thumb.php page Parameter Remote Shell Command Injection");
      script_set_attribute(attribute:"exploit_framework_d2_elliot", value:"true");
      script_set_attribute(attribute:"metasploit_name", value:'MediaWiki Thumb.php Remote Command Execution');
      script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2014/03/30");
      script_set_attribute(attribute:"patch_publication_date", value:"2014/03/30");
      script_set_attribute(attribute:"plugin_publication_date", value:"2014/03/31");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:mediawiki");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:mediawiki-extensions");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:7.0");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"Debian Local Security Checks");
    
      script_copyright(english:"This script is Copyright (C) 2014-2020 Tenable Network Security, Inc.");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l");
    
      exit(0);
    }
    
    include("audit.inc");
    include("debian_package.inc");
    include("misc_func.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    oslevel = get_kb_item("Host/Debian/release"); 
    if (empty_or_null(oslevel)) audit(AUDIT_OS_NOT, "Debian");
    if (oslevel !~ "^7\.") audit(AUDIT_OS_NOT, "Debian 7", "Debian " + oslevel);
    if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    flag = 0;
    if (deb_check(release:"7.0", prefix:"mediawiki", reference:"1:1.19.14+dfsg-0+deb7u1")) flag++;
    if (deb_check(release:"7.0", prefix:"mediawiki-extensions", reference:"3.5~deb7u1")) flag++;
    if (deb_check(release:"7.0", prefix:"mediawiki-extensions-base", reference:"3.5~deb7u1")) flag++;
    if (deb_check(release:"7.0", prefix:"mediawiki-extensions-collection", reference:"3.5~deb7u1")) flag++;
    if (deb_check(release:"7.0", prefix:"mediawiki-extensions-geshi", reference:"3.5~deb7u1")) flag++;
    if (deb_check(release:"7.0", prefix:"mediawiki-extensions-graphviz", reference:"3.5~deb7u1")) flag++;
    if (deb_check(release:"7.0", prefix:"mediawiki-extensions-ldapauth", reference:"3.5~deb7u1")) flag++;
    if (deb_check(release:"7.0", prefix:"mediawiki-extensions-openid", reference:"3.5~deb7u1")) flag++;
    
    if (flag)
    {
      security_report_v4(
        port       : 0,
        severity   : SECURITY_HOLE,
        xss        : TRUE,
        xsrf       : TRUE,
        extra      : deb_report_get()
      );
    }
    else audit(AUDIT_HOST_NOT, "affected");
    
  • NASL family: Fedora Local Security Checks
    NASL id: FEDORA_2013-22047.NASL
    description: - Kevin Israel (Wikipedia user PleaseStand) identified and reported two vectors for injecting JavaScript in CSS that bypassed MediaWiki
    last seen: 2020-03-17
    modified: 2013-12-14
    plugin id: 71407
    published: 2013-12-14
    reporter: This script is Copyright (C) 2013-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/71407
    title: Fedora 20 : mediawiki-1.21.3-1.fc20 (2013-22047)
    code
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Fedora Security Advisory 2013-22047.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(71407);
      script_version("1.8");
      script_set_attribute(attribute:"plugin_modification_date", value:"2020/03/12");
    
      script_cve_id("CVE-2013-4567", "CVE-2013-4568", "CVE-2013-4572");
      script_bugtraq_id(63757, 63760, 63761);
      script_xref(name:"FEDORA", value:"2013-22047");
    
      script_name(english:"Fedora 20 : mediawiki-1.21.3-1.fc20 (2013-22047)");
      script_summary(english:"Checks rpm output for the updated package.");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Fedora host is missing a security update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "  - Kevin Israel (Wikipedia user PleaseStand) identified and
        reported two vectors for injecting JavaScript in CSS
        that bypassed MediaWiki's blacklist (CVE-2013-4567,
        CVE-2013-4568).
        <https://bugzilla.wikimedia.org/show_bug.cgi?id=55332>
    
      - Internal review while debugging a site issue discovered
        that MediaWiki and the CentralNotice extension were
        incorrectly setting cache headers when a user was
        autocreated, causing the user's session cookies to be
        cached, and returned to other users (CVE-2013-4572).
        <https://bugzilla.wikimedia.org/show_bug.cgi?id=53032>
    
    Additionally, the following extensions have been updated to fix
    security issues :
    
      - CleanChanges: MediaWiki steward Teles reported that
        revision-deleted IP's are not correctly hidden when this
        extension is used (CVE-2013-4569).
        <https://bugzilla.wikimedia.org/show_bug.cgi?id=54294>
    
      - ZeroRatedMobileAccess: Tomasz Chlebowski reported an XSS
        vulnerability (CVE-2013-4573).
        <https://bugzilla.wikimedia.org/show_bug.cgi?id=55991>
    
      - CentralAuth: MediaWiki developer Platonides reported a
        login CSRF in CentralAuth (CVE-2012-5394).
        <https://bugzilla.wikimedia.org/show_bug.cgi?id=40747>
    
    Note that Tenable Network Security has extracted the preceding
    description block directly from the Fedora security advisory. Tenable
    has attempted to automatically clean and format it as much as possible
    without introducing additional issues."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.redhat.com/show_bug.cgi?id=1030987"
      );
      # https://bugzilla.wikimedia.org/show_bug.cgi?id=40747
      script_set_attribute(
        attribute:"see_also",
        value:"https://phabricator.wikimedia.org/T42747"
      );
      # https://bugzilla.wikimedia.org/show_bug.cgi?id=53032
      script_set_attribute(
        attribute:"see_also",
        value:"https://phabricator.wikimedia.org/T55032"
      );
      # https://bugzilla.wikimedia.org/show_bug.cgi?id=54294
      script_set_attribute(
        attribute:"see_also",
        value:"https://phabricator.wikimedia.org/T56294"
      );
      # https://bugzilla.wikimedia.org/show_bug.cgi?id=55332
      script_set_attribute(
        attribute:"see_also",
        value:"https://phabricator.wikimedia.org/T57332"
      );
      # https://bugzilla.wikimedia.org/show_bug.cgi?id=55991
      script_set_attribute(
        attribute:"see_also",
        value:"https://phabricator.wikimedia.org/T57991"
      );
      # https://lists.fedoraproject.org/pipermail/package-announce/2013-December/123834.html
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?bb6debb6"
      );
      script_set_attribute(
        attribute:"solution", 
        value:"Update the affected mediawiki package."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"false");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:mediawiki");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:fedoraproject:fedora:20");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2013/11/24");
      script_set_attribute(attribute:"plugin_publication_date", value:"2013/12/14");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2013-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Fedora Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/RedHat/release");
    if (isnull(release) || "Fedora" >!< release) audit(AUDIT_OS_NOT, "Fedora");
    os_ver = eregmatch(pattern: "Fedora.*release ([0-9]+)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Fedora");
    os_ver = os_ver[1];
    if (! ereg(pattern:"^20([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Fedora 20.x", "Fedora " + os_ver);
    
    if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Fedora", cpu);
    
    flag = 0;
    if (rpm_check(release:"FC20", reference:"mediawiki-1.21.3-1.fc20")) flag++;
    
    
    if (flag)
    {
      if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());
      else security_warning(0);
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "mediawiki");
    }