Vulnerabilities > CVE-2015-2936 - Resource Management Errors vulnerability in Mediawiki 1.24.0/1.24.1

#%NASL_MIN_LEVEL 80502

#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were  
# extracted from Mandriva Linux Security Advisory MDVSA-2015:200. 
# The text itself is copyright (C) Mandriva S.A.
#

include("compat.inc");

if (description)
{
  script_id(82686);
  script_version("1.6");
  script_cvs_date("Date: 2019/08/02 13:32:57");

  script_cve_id("CVE-2015-2931", "CVE-2015-2932", "CVE-2015-2933", "CVE-2015-2934", "CVE-2015-2935", "CVE-2015-2936", "CVE-2015-2937", "CVE-2015-2938", "CVE-2015-2939", "CVE-2015-2940");
  script_bugtraq_id(73477);
  script_xref(name:"MDVSA", value:"2015:200");

  script_name(english:"Mandriva Linux Security Advisory : mediawiki (MDVSA-2015:200)");
  script_summary(english:"Checks rpm output for the updated packages");

  script_set_attribute(
    attribute:"synopsis", 
    value:
"The remote Mandriva Linux host is missing one or more security
updates."
  );
  script_set_attribute(
    attribute:"description", 
    value:
"Updated mediawiki packages fix security vulnerabilities :

In MediaWiki before 1.23.9, one could circumvent the SVG MIME
blacklist for embedded resources. This allowed an attacker to embed
JavaScript in the SVG (CVE-2015-2931).

In MediaWiki before 1.23.9, the SVG filter to prevent injecting
JavaScript using animate elements was incorrect (CVE-2015-2932).

In MediaWiki before 1.23.9, a stored XSS vulnerability exists due to
the way attributes were expanded in MediaWiki's Html class, in
combination with LanguageConverter substitutions (CVE-2015-2933).

In MediaWiki before 1.23.9, MediaWiki's SVG filtering could be
bypassed with entity encoding under the Zend interpreter. This could
be used to inject JavaScript (CVE-2015-2934).

In MediaWiki before 1.23.9, one could bypass the style filtering for
SVG files to load external resources. This could violate the anonymity
of users viewing the SVG (CVE-2015-2935).

In MediaWiki before 1.23.9, MediaWiki versions using PBKDF2 for
password hashing (not the default for 1.23) are vulnerable to DoS
attacks using extremely long passwords (CVE-2015-2936).

In MediaWiki before 1.23.9, MediaWiki is vulnerable to Quadratic
Blowup DoS attacks, under both HHVM and Zend PHP (CVE-2015-2937).

In MediaWiki before 1.23.9, the MediaWiki feature allowing a user to
preview another user's custom JavaScript could be abused for privilege
escalation (CVE-2015-2938).

In MediaWiki before 1.23.9, function names were not sanitized in Lua
error backtraces, which could lead to XSS (CVE-2015-2939).

In MediaWiki before 1.23.9, the CheckUser extension did not prevent
CSRF attacks on the form allowing checkusers to look up sensitive
information about other users. Since the use of CheckUser is logged,
the CSRF could be abused to defame a trusted user or flood the logs
with noise (CVE-2015-2940).

The mediawiki package has been updated to version 1.23.9, fixing these
issues and other bugs."
  );
  script_set_attribute(
    attribute:"see_also",
    value:"http://advisories.mageia.org/MGASA-2015-0142.html"
  );
  script_set_attribute(attribute:"solution", value:"Update the affected packages.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:N/I:N/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:mediawiki");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:mediawiki-mysql");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:mediawiki-pgsql");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:mediawiki-sqlite");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:mandriva:business_server:1");

  script_set_attribute(attribute:"patch_publication_date", value:"2015/04/10");
  script_set_attribute(attribute:"plugin_publication_date", value:"2015/04/10");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
  script_family(english:"Mandriva Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/Mandrake/release", "Host/Mandrake/rpm-list");

  exit(0);
}


include("audit.inc");
include("global_settings.inc");
include("rpm.inc");


if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
if (!get_kb_item("Host/Mandrake/release")) audit(AUDIT_OS_NOT, "Mandriva / Mandake Linux");
if (!get_kb_item("Host/Mandrake/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if (cpu !~ "^(amd64|i[3-6]86|x86_64)$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Mandriva / Mandrake Linux", cpu);


flag = 0;
if (rpm_check(release:"MDK-MBS1", reference:"mediawiki-1.23.9-1.mbs1")) flag++;
if (rpm_check(release:"MDK-MBS1", reference:"mediawiki-mysql-1.23.9-1.mbs1")) flag++;
if (rpm_check(release:"MDK-MBS1", reference:"mediawiki-pgsql-1.23.9-1.mbs1")) flag++;
if (rpm_check(release:"MDK-MBS1", reference:"mediawiki-sqlite-1.23.9-1.mbs1")) flag++;


if (flag)
{
  if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());
  else security_hole(0);
  exit(0);
}
else audit(AUDIT_HOST_NOT, "affected");

#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if (description)
{
  script_id(84164);
  script_version("1.9");
  script_cvs_date("Date: 2019/11/22");

  script_cve_id(
    "CVE-2014-9714",
    "CVE-2015-2931",
    "CVE-2015-2932",
    "CVE-2015-2933",
    "CVE-2015-2934",
    "CVE-2015-2935",
    "CVE-2015-2936",
    "CVE-2015-2937",
    "CVE-2015-2938",
    "CVE-2015-2939",
    "CVE-2015-2940",
    "CVE-2015-2941",
    "CVE-2015-2942"
  );
  script_bugtraq_id(73477, 74061);

  script_name(english:"MediaWiki < 1.19.24 / 1.23.9 / 1.24.2 Multiple Vulnerabilities");
  script_summary(english:"Checks the MediaWiki version.");

  script_set_attribute(attribute:"synopsis", value:
"The remote web server contains an application that is affected by
multiple vulnerabilities.");
  script_set_attribute(attribute:"description", value:
"According to its version number, the MediaWiki application running on
the remote host is affected by the following vulnerabilities :

  - An input validation error exists related to handling
    API errors that allows reflected cross-site scripting
    attacks. (CVE-2014-9714, CVE-2015-2941)

  - An input validation error exists related to SVG file
    uploads that allows stored cross-site scripting attacks
    by bypassing a missing MIME type blacklist.
    (CVE-2015-2931)

  - An input validation error exists related to the handling
    of JavaScript used to animate elements in the
    'includes/upload/UploadBase.php' script that allows a
    remote attacker to bypass the blacklist filter.
    (CVE-2015-2932)

  - An input validation error exists in the
    'includes/Html.php' script that allows stored cross-site
    scripting attacks. (CVE-2015-2933)

  - A flaw in the 'includes/libs/XmlTypeCheck.php' script
    allows a remote attacker to bypass the SVG filter by
    encoding SVG entities. (CVE-2015-2934)

  - A flaw in the 'includes/upload/UploadBase.php' script
    allows a remote attacker to bypass the SVG filter and
    de-anonymize the wiki readers. This issue exists due to
    an incomplete fix for CVE-2014-7199. (CVE-2015-2935)

  - A denial of service vulnerability exists due to a flaw
    in the handling of hashing large PBKDF2 passwords.
    (CVE-2015-2936)

  - A denial of service vulnerability exists due to an XML
    external entity injection (XXE) flaw that is triggered
    by the parsing of crafted XML data. (CVE-2015-2937)

  - An input validation error exists related to the
    user-supplied custom JavaScript that allows stored
    cross-site scripting attacks. (CVE-2015-2938)

  - An input validation error exists related to the
    Scribunto extension that allows stored cross-site
    scripting attacks. (CVE-2015-2939)

  - A flaw in the CheckUser extension allows cross-site
    request forgery attacks due to a flaw in which user
    rights are not properly checked. (CVE-2015-2940)

  - A denial of service vulnerability exists due to an
    XML external entity (XXE) injection flaw triggered by
    the parsing of crafted XML data in SVG or XMP files.
    (CVE-2015-2942)

  - A cross-site scripting vulnerability exists due to
    improper validation of input encoded entities in SVG
    files. An unauthenticated, remote attacker can exploit
    this, via a specially crafted request, to execute
    arbitrary script code in a user's browser session.

Note that Nessus has not tested for these issues but has instead
relied only on the application's self-reported version number.");
  # https://lists.wikimedia.org/pipermail/mediawiki-announce/2015-March/000175.html
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?bfc5045c");
  script_set_attribute(attribute:"see_also", value:"https://www.mediawiki.org/wiki/Release_notes/1.19#MediaWiki_1.19.24");
  script_set_attribute(attribute:"see_also", value:"https://www.mediawiki.org/wiki/Release_notes/1.23#MediaWiki_1.23.9");
  script_set_attribute(attribute:"see_also", value:"https://www.mediawiki.org/wiki/Release_notes/1.24#MediaWiki_1.24.2");
  script_set_attribute(attribute:"see_also", value:"https://blogs.securiteam.com/index.php/archives/2669");
  script_set_attribute(attribute:"solution", value:
"Upgrade to MediaWiki version 1.19.24 / 1.23.9 / 1.24.2 or later.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2015-2940");

  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");

  script_set_attribute(attribute:"vuln_publication_date", value:"2015/03/31");
  script_set_attribute(attribute:"patch_publication_date", value:"2015/03/31");
  script_set_attribute(attribute:"plugin_publication_date", value:"2015/06/12");

  script_set_attribute(attribute:"potential_vulnerability", value:"true");
  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:mediawiki:mediawiki");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"CGI abuses");

  script_copyright(english:"This script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("mediawiki_detect.nasl");
  script_require_keys("Settings/ParanoidReport", "installed_sw/MediaWiki", "www/PHP");
  script_require_ports("Services/www", 80);

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("misc_func.inc");
include("http.inc");
include("install_func.inc");

app = "MediaWiki";
get_install_count(app_name:app, exit_if_zero:TRUE);

port = get_http_port(default:80, php:TRUE);

install = get_single_install(
  app_name : app,
  port     : port,
  exit_if_unknown_ver : TRUE
);
version = install['version'];
install_url = build_url(qs:install['path'], port:port);

if (report_paranoia < 2) audit(AUDIT_PARANOID);

if (
  version =~ "^1\.19\.(\d|1\d|2[0-3])([^0-9]|$)" ||
  version =~ "^1\.23\.[0-8]([^0-9]|$)" ||
  version =~ "^1\.24\.[01]([^0-9]|$)"
)
{
  set_kb_item(name:'www/'+port+'/XSS', value:TRUE);
  set_kb_item(name:'www/'+port+'/XSRF', value:TRUE);

  if (report_verbosity > 0)
  {
    report =
      '\n  URL               : ' + install_url +
      '\n  Installed version : ' + version +
      '\n  Fixed versions    : 1.19.24 / 1.23.9 / 1.24.2' +
      '\n';
    security_warning(port:port, extra:report);
  }
  else security_warning(port);
}
else audit(AUDIT_WEB_APP_NOT_AFFECTED, app, install_url, version);

#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Gentoo Linux Security Advisory GLSA 201510-05.
#
# The advisory text is Copyright (C) 2001-2015 Gentoo Foundation, Inc.
# and licensed under the Creative Commons - Attribution / Share Alike 
# license. See http://creativecommons.org/licenses/by-sa/3.0/
#

include("compat.inc");

if (description)
{
  script_id(86690);
  script_version("$Revision: 2.1 $");
  script_cvs_date("$Date: 2015/11/02 14:33:25 $");

  script_cve_id("CVE-2015-2931", "CVE-2015-2932", "CVE-2015-2933", "CVE-2015-2934", "CVE-2015-2935", "CVE-2015-2936", "CVE-2015-2937", "CVE-2015-2938", "CVE-2015-2939", "CVE-2015-2940", "CVE-2015-2941", "CVE-2015-2942", "CVE-2015-6728", "CVE-2015-6729", "CVE-2015-6730", "CVE-2015-6731", "CVE-2015-6732", "CVE-2015-6733", "CVE-2015-6734", "CVE-2015-6735", "CVE-2015-6736", "CVE-2015-6737");
  script_xref(name:"GLSA", value:"201510-05");

  script_name(english:"GLSA-201510-05 : MediaWiki: Multiple vulnerabilities");
  script_summary(english:"Checks for updated package(s) in /var/db/pkg");

  script_set_attribute(
    attribute:"synopsis", 
    value:
"The remote Gentoo host is missing one or more security-related
patches."
  );
  script_set_attribute(
    attribute:"description", 
    value:
"The remote host is affected by the vulnerability described in GLSA-201510-05
(MediaWiki: Multiple vulnerabilities)

    Multiple vulnerabilities have been discovered in MediaWiki. Please
      review the CVE identifiers referenced below for details.
  
Impact :

    A remote attacker may be able to create a Denial of Service condition,
      obtain sensitive information, bypass security restrictions, and inject
      arbitrary web script or HTML.
  
Workaround :

    There is no known workaround at this time."
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://security.gentoo.org/glsa/201510-05"
  );
  script_set_attribute(
    attribute:"solution", 
    value:
"All MediaWiki 1.25 users should upgrade to the latest version:
      # emerge --sync
      # emerge --ask --oneshot --verbose '>=www-apps/mediawiki-1.25.2'
    All MediaWiki 1.24 users should upgrade to the latest version:
      # emerge --sync
      # emerge --ask --oneshot --verbose '>=www-apps/mediawiki-1.24.3'
    All MediaWiki 1.23 users should upgrade to the latest version:
      # emerge --sync
      # emerge --ask --oneshot --verbose '>=www-apps/mediawiki-1.23.10'"
  );
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:gentoo:linux:mediawiki");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:gentoo:linux");

  script_set_attribute(attribute:"patch_publication_date", value:"2015/10/31");
  script_set_attribute(attribute:"plugin_publication_date", value:"2015/11/02");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2015 Tenable Network Security, Inc.");
  script_family(english:"Gentoo Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/Gentoo/release", "Host/Gentoo/qpkg-list");

  exit(0);
}


include("audit.inc");
include("global_settings.inc");
include("qpkg.inc");

if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
if (!get_kb_item("Host/Gentoo/release")) audit(AUDIT_OS_NOT, "Gentoo");
if (!get_kb_item("Host/Gentoo/qpkg-list")) audit(AUDIT_PACKAGE_LIST_MISSING);


flag = 0;

if (qpkg_check(package:"www-apps/mediawiki", unaffected:make_list("ge 1.25.2", "rge 1.24.3", "rge 1.23.10"), vulnerable:make_list("lt 1.25.2"))) flag++;

if (flag)
{
  if (report_verbosity > 0) security_hole(port:0, extra:qpkg_report_get());
  else security_hole(0);
  exit(0);
}
else
{
  tested = qpkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, "MediaWiki");
}