Vulnerabilities > CVE-2015-2935 - Information Exposure vulnerability in Mediawiki
Attack vector
NETWORK Attack complexity
LOW Privileges required
NONE Confidentiality impact
PARTIAL Integrity impact
NONE Availability impact
NONE Summary
MediaWiki before 1.19.24, 1.2x before 1.23.9, and 1.24.x before 1.24.2 allows remote attackers to bypass the SVG filtering and obtain sensitive user information via a mixed case @import in a style element in an SVG file, as demonstrated by "@imporT."
Vulnerable Configurations
Common Weakness Enumeration (CWE)
Common Attack Pattern Enumeration and Classification (CAPEC)
- Subverting Environment Variable Values The attacker directly or indirectly modifies environment variables used by or controlling the target software. The attacker's goal is to cause the target software to deviate from its expected operation in a manner that benefits the attacker.
- Footprinting An attacker engages in probing and exploration activity to identify constituents and properties of the target. Footprinting is a general term to describe a variety of information gathering techniques, often used by attackers in preparation for some attack. It consists of using tools to learn as much as possible about the composition, configuration, and security mechanisms of the targeted application, system or network. Information that might be collected during a footprinting effort could include open ports, applications and their versions, network topology, and similar information. While footprinting is not intended to be damaging (although certain activities, such as network scans, can sometimes cause disruptions to vulnerable applications inadvertently) it may often pave the way for more damaging attacks.
- Exploiting Trust in Client (aka Make the Client Invisible) An attack of this type exploits a programs' vulnerabilities in client/server communication channel authentication and data integrity. It leverages the implicit trust a server places in the client, or more importantly, that which the server believes is the client. An attacker executes this type of attack by placing themselves in the communication channel between client and server such that communication directly to the server is possible where the server believes it is communicating only with a valid client. There are numerous variations of this type of attack.
- Browser Fingerprinting An attacker carefully crafts small snippets of Java Script to efficiently detect the type of browser the potential victim is using. Many web-based attacks need prior knowledge of the web browser including the version of browser to ensure successful exploitation of a vulnerability. Having this knowledge allows an attacker to target the victim with attacks that specifically exploit known or zero day weaknesses in the type and version of the browser used by the victim. Automating this process via Java Script as a part of the same delivery system used to exploit the browser is considered more efficient as the attacker can supply a browser fingerprinting method and integrate it with exploit code, all contained in Java Script and in response to the same web page request by the browser.
- Session Credential Falsification through Prediction This attack targets predictable session ID in order to gain privileges. The attacker can predict the session ID used during a transaction to perform spoofing and session hijacking.
Nessus
NASL family Mandriva Local Security Checks NASL id MANDRIVA_MDVSA-2015-200.NASL description Updated mediawiki packages fix security vulnerabilities : In MediaWiki before 1.23.9, one could circumvent the SVG MIME blacklist for embedded resources. This allowed an attacker to embed JavaScript in the SVG (CVE-2015-2931). In MediaWiki before 1.23.9, the SVG filter to prevent injecting JavaScript using animate elements was incorrect (CVE-2015-2932). In MediaWiki before 1.23.9, a stored XSS vulnerability exists due to the way attributes were expanded in MediaWiki last seen 2020-06-01 modified 2020-06-02 plugin id 82686 published 2015-04-10 reporter This script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/82686 title Mandriva Linux Security Advisory : mediawiki (MDVSA-2015:200) code #%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Mandriva Linux Security Advisory MDVSA-2015:200. # The text itself is copyright (C) Mandriva S.A. # include("compat.inc"); if (description) { script_id(82686); script_version("1.6"); script_cvs_date("Date: 2019/08/02 13:32:57"); script_cve_id("CVE-2015-2931", "CVE-2015-2932", "CVE-2015-2933", "CVE-2015-2934", "CVE-2015-2935", "CVE-2015-2936", "CVE-2015-2937", "CVE-2015-2938", "CVE-2015-2939", "CVE-2015-2940"); script_bugtraq_id(73477); script_xref(name:"MDVSA", value:"2015:200"); script_name(english:"Mandriva Linux Security Advisory : mediawiki (MDVSA-2015:200)"); script_summary(english:"Checks rpm output for the updated packages"); script_set_attribute( attribute:"synopsis", value: "The remote Mandriva Linux host is missing one or more security updates." ); script_set_attribute( attribute:"description", value: "Updated mediawiki packages fix security vulnerabilities : In MediaWiki before 1.23.9, one could circumvent the SVG MIME blacklist for embedded resources. This allowed an attacker to embed JavaScript in the SVG (CVE-2015-2931). In MediaWiki before 1.23.9, the SVG filter to prevent injecting JavaScript using animate elements was incorrect (CVE-2015-2932). In MediaWiki before 1.23.9, a stored XSS vulnerability exists due to the way attributes were expanded in MediaWiki's Html class, in combination with LanguageConverter substitutions (CVE-2015-2933). In MediaWiki before 1.23.9, MediaWiki's SVG filtering could be bypassed with entity encoding under the Zend interpreter. This could be used to inject JavaScript (CVE-2015-2934). In MediaWiki before 1.23.9, one could bypass the style filtering for SVG files to load external resources. This could violate the anonymity of users viewing the SVG (CVE-2015-2935). In MediaWiki before 1.23.9, MediaWiki versions using PBKDF2 for password hashing (not the default for 1.23) are vulnerable to DoS attacks using extremely long passwords (CVE-2015-2936). In MediaWiki before 1.23.9, MediaWiki is vulnerable to Quadratic Blowup DoS attacks, under both HHVM and Zend PHP (CVE-2015-2937). In MediaWiki before 1.23.9, the MediaWiki feature allowing a user to preview another user's custom JavaScript could be abused for privilege escalation (CVE-2015-2938). In MediaWiki before 1.23.9, function names were not sanitized in Lua error backtraces, which could lead to XSS (CVE-2015-2939). In MediaWiki before 1.23.9, the CheckUser extension did not prevent CSRF attacks on the form allowing checkusers to look up sensitive information about other users. Since the use of CheckUser is logged, the CSRF could be abused to defame a trusted user or flood the logs with noise (CVE-2015-2940). The mediawiki package has been updated to version 1.23.9, fixing these issues and other bugs." ); script_set_attribute( attribute:"see_also", value:"http://advisories.mageia.org/MGASA-2015-0142.html" ); script_set_attribute(attribute:"solution", value:"Update the affected packages."); script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:N/I:N/A:C"); script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available"); script_set_attribute(attribute:"exploit_available", value:"false"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:mediawiki"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:mediawiki-mysql"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:mediawiki-pgsql"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:mediawiki-sqlite"); script_set_attribute(attribute:"cpe", value:"cpe:/o:mandriva:business_server:1"); script_set_attribute(attribute:"patch_publication_date", value:"2015/04/10"); script_set_attribute(attribute:"plugin_publication_date", value:"2015/04/10"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"Mandriva Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/Mandrake/release", "Host/Mandrake/rpm-list"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); if (!get_kb_item("Host/Mandrake/release")) audit(AUDIT_OS_NOT, "Mandriva / Mandake Linux"); if (!get_kb_item("Host/Mandrake/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if (cpu !~ "^(amd64|i[3-6]86|x86_64)$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Mandriva / Mandrake Linux", cpu); flag = 0; if (rpm_check(release:"MDK-MBS1", reference:"mediawiki-1.23.9-1.mbs1")) flag++; if (rpm_check(release:"MDK-MBS1", reference:"mediawiki-mysql-1.23.9-1.mbs1")) flag++; if (rpm_check(release:"MDK-MBS1", reference:"mediawiki-pgsql-1.23.9-1.mbs1")) flag++; if (rpm_check(release:"MDK-MBS1", reference:"mediawiki-sqlite-1.23.9-1.mbs1")) flag++; if (flag) { if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get()); else security_hole(0); exit(0); } else audit(AUDIT_HOST_NOT, "affected");NASL family CGI abuses NASL id MEDIAWIKI_1_24_2.NASL description According to its version number, the MediaWiki application running on the remote host is affected by the following vulnerabilities : - An input validation error exists related to handling API errors that allows reflected cross-site scripting attacks. (CVE-2014-9714, CVE-2015-2941) - An input validation error exists related to SVG file uploads that allows stored cross-site scripting attacks by bypassing a missing MIME type blacklist. (CVE-2015-2931) - An input validation error exists related to the handling of JavaScript used to animate elements in the last seen 2020-06-01 modified 2020-06-02 plugin id 84164 published 2015-06-12 reporter This script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/84164 title MediaWiki < 1.19.24 / 1.23.9 / 1.24.2 Multiple Vulnerabilities code # # (C) Tenable Network Security, Inc. # include("compat.inc"); if (description) { script_id(84164); script_version("1.9"); script_cvs_date("Date: 2019/11/22"); script_cve_id( "CVE-2014-9714", "CVE-2015-2931", "CVE-2015-2932", "CVE-2015-2933", "CVE-2015-2934", "CVE-2015-2935", "CVE-2015-2936", "CVE-2015-2937", "CVE-2015-2938", "CVE-2015-2939", "CVE-2015-2940", "CVE-2015-2941", "CVE-2015-2942" ); script_bugtraq_id(73477, 74061); script_name(english:"MediaWiki < 1.19.24 / 1.23.9 / 1.24.2 Multiple Vulnerabilities"); script_summary(english:"Checks the MediaWiki version."); script_set_attribute(attribute:"synopsis", value: "The remote web server contains an application that is affected by multiple vulnerabilities."); script_set_attribute(attribute:"description", value: "According to its version number, the MediaWiki application running on the remote host is affected by the following vulnerabilities : - An input validation error exists related to handling API errors that allows reflected cross-site scripting attacks. (CVE-2014-9714, CVE-2015-2941) - An input validation error exists related to SVG file uploads that allows stored cross-site scripting attacks by bypassing a missing MIME type blacklist. (CVE-2015-2931) - An input validation error exists related to the handling of JavaScript used to animate elements in the 'includes/upload/UploadBase.php' script that allows a remote attacker to bypass the blacklist filter. (CVE-2015-2932) - An input validation error exists in the 'includes/Html.php' script that allows stored cross-site scripting attacks. (CVE-2015-2933) - A flaw in the 'includes/libs/XmlTypeCheck.php' script allows a remote attacker to bypass the SVG filter by encoding SVG entities. (CVE-2015-2934) - A flaw in the 'includes/upload/UploadBase.php' script allows a remote attacker to bypass the SVG filter and de-anonymize the wiki readers. This issue exists due to an incomplete fix for CVE-2014-7199. (CVE-2015-2935) - A denial of service vulnerability exists due to a flaw in the handling of hashing large PBKDF2 passwords. (CVE-2015-2936) - A denial of service vulnerability exists due to an XML external entity injection (XXE) flaw that is triggered by the parsing of crafted XML data. (CVE-2015-2937) - An input validation error exists related to the user-supplied custom JavaScript that allows stored cross-site scripting attacks. (CVE-2015-2938) - An input validation error exists related to the Scribunto extension that allows stored cross-site scripting attacks. (CVE-2015-2939) - A flaw in the CheckUser extension allows cross-site request forgery attacks due to a flaw in which user rights are not properly checked. (CVE-2015-2940) - A denial of service vulnerability exists due to an XML external entity (XXE) injection flaw triggered by the parsing of crafted XML data in SVG or XMP files. (CVE-2015-2942) - A cross-site scripting vulnerability exists due to improper validation of input encoded entities in SVG files. An unauthenticated, remote attacker can exploit this, via a specially crafted request, to execute arbitrary script code in a user's browser session. Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number."); # https://lists.wikimedia.org/pipermail/mediawiki-announce/2015-March/000175.html script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?bfc5045c"); script_set_attribute(attribute:"see_also", value:"https://www.mediawiki.org/wiki/Release_notes/1.19#MediaWiki_1.19.24"); script_set_attribute(attribute:"see_also", value:"https://www.mediawiki.org/wiki/Release_notes/1.23#MediaWiki_1.23.9"); script_set_attribute(attribute:"see_also", value:"https://www.mediawiki.org/wiki/Release_notes/1.24#MediaWiki_1.24.2"); script_set_attribute(attribute:"see_also", value:"https://blogs.securiteam.com/index.php/archives/2669"); script_set_attribute(attribute:"solution", value: "Upgrade to MediaWiki version 1.19.24 / 1.23.9 / 1.24.2 or later."); script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P"); script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C"); script_set_attribute(attribute:"cvss_score_source", value:"CVE-2015-2940"); script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available"); script_set_attribute(attribute:"exploit_available", value:"false"); script_set_attribute(attribute:"vuln_publication_date", value:"2015/03/31"); script_set_attribute(attribute:"patch_publication_date", value:"2015/03/31"); script_set_attribute(attribute:"plugin_publication_date", value:"2015/06/12"); script_set_attribute(attribute:"potential_vulnerability", value:"true"); script_set_attribute(attribute:"plugin_type", value:"remote"); script_set_attribute(attribute:"cpe", value:"cpe:/a:mediawiki:mediawiki"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_family(english:"CGI abuses"); script_copyright(english:"This script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof."); script_dependencies("mediawiki_detect.nasl"); script_require_keys("Settings/ParanoidReport", "installed_sw/MediaWiki", "www/PHP"); script_require_ports("Services/www", 80); exit(0); } include("audit.inc"); include("global_settings.inc"); include("misc_func.inc"); include("http.inc"); include("install_func.inc"); app = "MediaWiki"; get_install_count(app_name:app, exit_if_zero:TRUE); port = get_http_port(default:80, php:TRUE); install = get_single_install( app_name : app, port : port, exit_if_unknown_ver : TRUE ); version = install['version']; install_url = build_url(qs:install['path'], port:port); if (report_paranoia < 2) audit(AUDIT_PARANOID); if ( version =~ "^1\.19\.(\d|1\d|2[0-3])([^0-9]|$)" || version =~ "^1\.23\.[0-8]([^0-9]|$)" || version =~ "^1\.24\.[01]([^0-9]|$)" ) { set_kb_item(name:'www/'+port+'/XSS', value:TRUE); set_kb_item(name:'www/'+port+'/XSRF', value:TRUE); if (report_verbosity > 0) { report = '\n URL : ' + install_url + '\n Installed version : ' + version + '\n Fixed versions : 1.19.24 / 1.23.9 / 1.24.2' + '\n'; security_warning(port:port, extra:report); } else security_warning(port); } else audit(AUDIT_WEB_APP_NOT_AFFECTED, app, install_url, version);NASL family Gentoo Local Security Checks NASL id GENTOO_GLSA-201510-05.NASL description The remote host is affected by the vulnerability described in GLSA-201510-05 (MediaWiki: Multiple vulnerabilities) Multiple vulnerabilities have been discovered in MediaWiki. Please review the CVE identifiers referenced below for details. Impact : A remote attacker may be able to create a Denial of Service condition, obtain sensitive information, bypass security restrictions, and inject arbitrary web script or HTML. Workaround : There is no known workaround at this time. last seen 2020-06-01 modified 2020-06-02 plugin id 86690 published 2015-11-02 reporter This script is Copyright (C) 2015 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/86690 title GLSA-201510-05 : MediaWiki: Multiple vulnerabilities code # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Gentoo Linux Security Advisory GLSA 201510-05. # # The advisory text is Copyright (C) 2001-2015 Gentoo Foundation, Inc. # and licensed under the Creative Commons - Attribution / Share Alike # license. See http://creativecommons.org/licenses/by-sa/3.0/ # include("compat.inc"); if (description) { script_id(86690); script_version("$Revision: 2.1 $"); script_cvs_date("$Date: 2015/11/02 14:33:25 $"); script_cve_id("CVE-2015-2931", "CVE-2015-2932", "CVE-2015-2933", "CVE-2015-2934", "CVE-2015-2935", "CVE-2015-2936", "CVE-2015-2937", "CVE-2015-2938", "CVE-2015-2939", "CVE-2015-2940", "CVE-2015-2941", "CVE-2015-2942", "CVE-2015-6728", "CVE-2015-6729", "CVE-2015-6730", "CVE-2015-6731", "CVE-2015-6732", "CVE-2015-6733", "CVE-2015-6734", "CVE-2015-6735", "CVE-2015-6736", "CVE-2015-6737"); script_xref(name:"GLSA", value:"201510-05"); script_name(english:"GLSA-201510-05 : MediaWiki: Multiple vulnerabilities"); script_summary(english:"Checks for updated package(s) in /var/db/pkg"); script_set_attribute( attribute:"synopsis", value: "The remote Gentoo host is missing one or more security-related patches." ); script_set_attribute( attribute:"description", value: "The remote host is affected by the vulnerability described in GLSA-201510-05 (MediaWiki: Multiple vulnerabilities) Multiple vulnerabilities have been discovered in MediaWiki. Please review the CVE identifiers referenced below for details. Impact : A remote attacker may be able to create a Denial of Service condition, obtain sensitive information, bypass security restrictions, and inject arbitrary web script or HTML. Workaround : There is no known workaround at this time." ); script_set_attribute( attribute:"see_also", value:"https://security.gentoo.org/glsa/201510-05" ); script_set_attribute( attribute:"solution", value: "All MediaWiki 1.25 users should upgrade to the latest version: # emerge --sync # emerge --ask --oneshot --verbose '>=www-apps/mediawiki-1.25.2' All MediaWiki 1.24 users should upgrade to the latest version: # emerge --sync # emerge --ask --oneshot --verbose '>=www-apps/mediawiki-1.24.3' All MediaWiki 1.23 users should upgrade to the latest version: # emerge --sync # emerge --ask --oneshot --verbose '>=www-apps/mediawiki-1.23.10'" ); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:gentoo:linux:mediawiki"); script_set_attribute(attribute:"cpe", value:"cpe:/o:gentoo:linux"); script_set_attribute(attribute:"patch_publication_date", value:"2015/10/31"); script_set_attribute(attribute:"plugin_publication_date", value:"2015/11/02"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2015 Tenable Network Security, Inc."); script_family(english:"Gentoo Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/Gentoo/release", "Host/Gentoo/qpkg-list"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("qpkg.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); if (!get_kb_item("Host/Gentoo/release")) audit(AUDIT_OS_NOT, "Gentoo"); if (!get_kb_item("Host/Gentoo/qpkg-list")) audit(AUDIT_PACKAGE_LIST_MISSING); flag = 0; if (qpkg_check(package:"www-apps/mediawiki", unaffected:make_list("ge 1.25.2", "rge 1.24.3", "rge 1.23.10"), vulnerable:make_list("lt 1.25.2"))) flag++; if (flag) { if (report_verbosity > 0) security_hole(port:0, extra:qpkg_report_get()); else security_hole(0); exit(0); } else { tested = qpkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "MediaWiki"); }
References
- http://www.mandriva.com/security/advisories?name=MDVSA-2015:200
- http://www.openwall.com/lists/oss-security/2015/04/01/1
- http://www.openwall.com/lists/oss-security/2015/04/07/3
- http://www.securityfocus.com/bid/73477
- https://lists.wikimedia.org/pipermail/mediawiki-announce/2015-March/000175.html
- https://phabricator.wikimedia.org/T85349
- https://security.gentoo.org/glsa/201510-05