CVE-2015-2936 - Resource Management Errors vulnerability in MediaWiki 1.24.0/1.24.1

CVSS v2 metrics:

- Attack vector: NETWORK
- Attack complexity: MEDIUM
- Privileges required: NONE
- Confidentiality impact: NONE
- Integrity impact: NONE
- Availability impact: COMPLETE

Summary
MediaWiki 1.24.x before 1.24.2, when using PBKDF2 for password hashing, allows remote attackers to cause a denial of service (CPU consumption) via a long password.
Vulnerable Configurations

Part | Description | Count
---|---|---
Application | | 2
Common Weakness Enumeration (CWE)
Nessus
NASL family: Mandriva Local Security Checks
NASL id: MANDRIVA_MDVSA-2015-200.NASL
Description: Updated mediawiki packages fix security vulnerabilities : In MediaWiki before 1.23.9, one could circumvent the SVG MIME blacklist for embedded resources. This allowed an attacker to embed JavaScript in the SVG (CVE-2015-2931). In MediaWiki before 1.23.9, the SVG filter to prevent injecting JavaScript using animate elements was incorrect (CVE-2015-2932). In MediaWiki before 1.23.9, a stored XSS vulnerability exists due to the way attributes were expanded in MediaWiki
Last seen: 2020-06-01
Modified: 2020-06-02
Plugin id: 82686
Published: 2015-04-10
Reporter: This script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
Source: https://www.tenable.com/plugins/nessus/82686
Title: Mandriva Linux Security Advisory : mediawiki (MDVSA-2015:200)
Code:

```nasl
#%NASL_MIN_LEVEL 80502
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Mandriva Linux Security Advisory MDVSA-2015:200.
# The text itself is copyright (C) Mandriva S.A.
#

include("compat.inc");

if (description)
{
  script_id(82686);
  script_version("1.6");
  script_cvs_date("Date: 2019/08/02 13:32:57");

  script_cve_id(
    "CVE-2015-2931", "CVE-2015-2932", "CVE-2015-2933", "CVE-2015-2934",
    "CVE-2015-2935", "CVE-2015-2936", "CVE-2015-2937", "CVE-2015-2938",
    "CVE-2015-2939", "CVE-2015-2940"
  );
  script_bugtraq_id(73477);
  script_xref(name:"MDVSA", value:"2015:200");

  script_name(english:"Mandriva Linux Security Advisory : mediawiki (MDVSA-2015:200)");
  script_summary(english:"Checks rpm output for the updated packages");

  script_set_attribute(
    attribute:"synopsis",
    value:"The remote Mandriva Linux host is missing one or more security updates."
  );
  script_set_attribute(
    attribute:"description",
    value:
"Updated mediawiki packages fix security vulnerabilities :

In MediaWiki before 1.23.9, one could circumvent the SVG MIME blacklist
for embedded resources. This allowed an attacker to embed JavaScript in
the SVG (CVE-2015-2931).

In MediaWiki before 1.23.9, the SVG filter to prevent injecting
JavaScript using animate elements was incorrect (CVE-2015-2932).

In MediaWiki before 1.23.9, a stored XSS vulnerability exists due to the
way attributes were expanded in MediaWiki's Html class, in combination
with LanguageConverter substitutions (CVE-2015-2933).

In MediaWiki before 1.23.9, MediaWiki's SVG filtering could be bypassed
with entity encoding under the Zend interpreter. This could be used to
inject JavaScript (CVE-2015-2934).

In MediaWiki before 1.23.9, one could bypass the style filtering for SVG
files to load external resources. This could violate the anonymity of
users viewing the SVG (CVE-2015-2935).

In MediaWiki before 1.23.9, MediaWiki versions using PBKDF2 for password
hashing (not the default for 1.23) are vulnerable to DoS attacks using
extremely long passwords (CVE-2015-2936).

In MediaWiki before 1.23.9, MediaWiki is vulnerable to Quadratic Blowup
DoS attacks, under both HHVM and Zend PHP (CVE-2015-2937).

In MediaWiki before 1.23.9, the MediaWiki feature allowing a user to
preview another user's custom JavaScript could be abused for privilege
escalation (CVE-2015-2938).

In MediaWiki before 1.23.9, function names were not sanitized in Lua
error backtraces, which could lead to XSS (CVE-2015-2939).

In MediaWiki before 1.23.9, the CheckUser extension did not prevent CSRF
attacks on the form allowing checkusers to look up sensitive information
about other users. Since the use of CheckUser is logged, the CSRF could
be abused to defame a trusted user or flood the logs with noise
(CVE-2015-2940).

The mediawiki package has been updated to version 1.23.9, fixing these
issues and other bugs."
  );
  script_set_attribute(
    attribute:"see_also",
    value:"http://advisories.mageia.org/MGASA-2015-0142.html"
  );
  script_set_attribute(attribute:"solution", value:"Update the affected packages.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:N/I:N/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:mediawiki");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:mediawiki-mysql");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:mediawiki-pgsql");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:mediawiki-sqlite");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:mandriva:business_server:1");

  script_set_attribute(attribute:"patch_publication_date", value:"2015/04/10");
  script_set_attribute(attribute:"plugin_publication_date", value:"2015/04/10");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
  script_family(english:"Mandriva Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/Mandrake/release", "Host/Mandrake/rpm-list");

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("rpm.inc");

# Local check: needs credentialed access and the host's rpm list.
if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
if (!get_kb_item("Host/Mandrake/release")) audit(AUDIT_OS_NOT, "Mandriva / Mandake Linux");
if (!get_kb_item("Host/Mandrake/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if (cpu !~ "^(amd64|i[3-6]86|x86_64)$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Mandriva / Mandrake Linux", cpu);

# Flag the host if any installed mediawiki package is older than the fixed build.
flag = 0;
if (rpm_check(release:"MDK-MBS1", reference:"mediawiki-1.23.9-1.mbs1")) flag++;
if (rpm_check(release:"MDK-MBS1", reference:"mediawiki-mysql-1.23.9-1.mbs1")) flag++;
if (rpm_check(release:"MDK-MBS1", reference:"mediawiki-pgsql-1.23.9-1.mbs1")) flag++;
if (rpm_check(release:"MDK-MBS1", reference:"mediawiki-sqlite-1.23.9-1.mbs1")) flag++;

if (flag)
{
  if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());
  else security_hole(0);
  exit(0);
}
else audit(AUDIT_HOST_NOT, "affected");
```
NASL family: CGI abuses
NASL id: MEDIAWIKI_1_24_2.NASL
Description: According to its version number, the MediaWiki application running on the remote host is affected by the following vulnerabilities : - An input validation error exists related to handling API errors that allows reflected cross-site scripting attacks. (CVE-2014-9714, CVE-2015-2941) - An input validation error exists related to SVG file uploads that allows stored cross-site scripting attacks by bypassing a missing MIME type blacklist. (CVE-2015-2931) - An input validation error exists related to the handling of JavaScript used to animate elements in the
Last seen: 2020-06-01
Modified: 2020-06-02
Plugin id: 84164
Published: 2015-06-12
Reporter: This script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
Source: https://www.tenable.com/plugins/nessus/84164
Title: MediaWiki < 1.19.24 / 1.23.9 / 1.24.2 Multiple Vulnerabilities
Code:

```nasl
#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if (description)
{
  script_id(84164);
  script_version("1.9");
  script_cvs_date("Date: 2019/11/22");

  script_cve_id(
    "CVE-2014-9714",
    "CVE-2015-2931",
    "CVE-2015-2932",
    "CVE-2015-2933",
    "CVE-2015-2934",
    "CVE-2015-2935",
    "CVE-2015-2936",
    "CVE-2015-2937",
    "CVE-2015-2938",
    "CVE-2015-2939",
    "CVE-2015-2940",
    "CVE-2015-2941",
    "CVE-2015-2942"
  );
  script_bugtraq_id(73477, 74061);

  script_name(english:"MediaWiki < 1.19.24 / 1.23.9 / 1.24.2 Multiple Vulnerabilities");
  script_summary(english:"Checks the MediaWiki version.");

  script_set_attribute(attribute:"synopsis", value:
"The remote web server contains an application that is affected by
multiple vulnerabilities.");
  script_set_attribute(attribute:"description", value:
"According to its version number, the MediaWiki application running on
the remote host is affected by the following vulnerabilities :

  - An input validation error exists related to handling API
    errors that allows reflected cross-site scripting attacks.
    (CVE-2014-9714, CVE-2015-2941)

  - An input validation error exists related to SVG file
    uploads that allows stored cross-site scripting attacks
    by bypassing a missing MIME type blacklist. (CVE-2015-2931)

  - An input validation error exists related to the handling
    of JavaScript used to animate elements in the
    'includes/upload/UploadBase.php' script that allows a
    remote attacker to bypass the blacklist filter.
    (CVE-2015-2932)

  - An input validation error exists in the 'includes/Html.php'
    script that allows stored cross-site scripting attacks.
    (CVE-2015-2933)

  - A flaw in the 'includes/libs/XmlTypeCheck.php' script
    allows a remote attacker to bypass the SVG filter by
    encoding SVG entities. (CVE-2015-2934)

  - A flaw in the 'includes/upload/UploadBase.php' script
    allows a remote attacker to bypass the SVG filter and
    de-anonymize the wiki readers. This issue exists due to
    an incomplete fix for CVE-2014-7199. (CVE-2015-2935)

  - A denial of service vulnerability exists due to a flaw in
    the handling of hashing large PBKDF2 passwords.
    (CVE-2015-2936)

  - A denial of service vulnerability exists due to an XML
    external entity injection (XXE) flaw that is triggered by
    the parsing of crafted XML data. (CVE-2015-2937)

  - An input validation error exists related to the
    user-supplied custom JavaScript that allows stored
    cross-site scripting attacks. (CVE-2015-2938)

  - An input validation error exists related to the Scribunto
    extension that allows stored cross-site scripting attacks.
    (CVE-2015-2939)

  - A flaw in the CheckUser extension allows cross-site
    request forgery attacks due to a flaw in which user rights
    are not properly checked. (CVE-2015-2940)

  - A denial of service vulnerability exists due to an XML
    external entity (XXE) injection flaw triggered by the
    parsing of crafted XML data in SVG or XMP files.
    (CVE-2015-2942)

  - A cross-site scripting vulnerability exists due to
    improper validation of input encoded entities in SVG
    files. An unauthenticated, remote attacker can exploit
    this, via a specially crafted request, to execute
    arbitrary script code in a user's browser session.

Note that Nessus has not tested for these issues but has instead relied
only on the application's self-reported version number.");
  # https://lists.wikimedia.org/pipermail/mediawiki-announce/2015-March/000175.html
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?bfc5045c");
  script_set_attribute(attribute:"see_also", value:"https://www.mediawiki.org/wiki/Release_notes/1.19#MediaWiki_1.19.24");
  script_set_attribute(attribute:"see_also", value:"https://www.mediawiki.org/wiki/Release_notes/1.23#MediaWiki_1.23.9");
  script_set_attribute(attribute:"see_also", value:"https://www.mediawiki.org/wiki/Release_notes/1.24#MediaWiki_1.24.2");
  script_set_attribute(attribute:"see_also", value:"https://blogs.securiteam.com/index.php/archives/2669");
  script_set_attribute(attribute:"solution", value:
"Upgrade to MediaWiki version 1.19.24 / 1.23.9 / 1.24.2 or later.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2015-2940");
  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");

  script_set_attribute(attribute:"vuln_publication_date", value:"2015/03/31");
  script_set_attribute(attribute:"patch_publication_date", value:"2015/03/31");
  script_set_attribute(attribute:"plugin_publication_date", value:"2015/06/12");

  script_set_attribute(attribute:"potential_vulnerability", value:"true");
  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:mediawiki:mediawiki");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"CGI abuses");

  script_copyright(english:"This script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("mediawiki_detect.nasl");
  script_require_keys("Settings/ParanoidReport", "installed_sw/MediaWiki", "www/PHP");
  script_require_ports("Services/www", 80);

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("misc_func.inc");
include("http.inc");
include("install_func.inc");

app = "MediaWiki";
get_install_count(app_name:app, exit_if_zero:TRUE);

port = get_http_port(default:80, php:TRUE);

install = get_single_install(
  app_name : app,
  port : port,
  exit_if_unknown_ver : TRUE
);
version = install['version'];
install_url = build_url(qs:install['path'], port:port);

# Version-only check, so it is reported only in paranoid mode.
if (report_paranoia < 2) audit(AUDIT_PARANOID);

# Vulnerable branches: 1.19.0-1.19.23, 1.23.0-1.23.8, 1.24.0-1.24.1.
if (
  version =~ "^1\.19\.(\d|1\d|2[0-3])([^0-9]|$)" ||
  version =~ "^1\.23\.[0-8]([^0-9]|$)" ||
  version =~ "^1\.24\.[01]([^0-9]|$)"
)
{
  set_kb_item(name:'www/'+port+'/XSS', value:TRUE);
  set_kb_item(name:'www/'+port+'/XSRF', value:TRUE);

  if (report_verbosity > 0)
  {
    report =
      '\n  URL               : ' + install_url +
      '\n  Installed version : ' + version +
      '\n  Fixed versions    : 1.19.24 / 1.23.9 / 1.24.2' +
      '\n';
    security_warning(port:port, extra:report);
  }
  else security_warning(port);
}
else audit(AUDIT_WEB_APP_NOT_AFFECTED, app, install_url, version);
```
NASL family: Gentoo Local Security Checks
NASL id: GENTOO_GLSA-201510-05.NASL
Description: The remote host is affected by the vulnerability described in GLSA-201510-05 (MediaWiki: Multiple vulnerabilities) Multiple vulnerabilities have been discovered in MediaWiki. Please review the CVE identifiers referenced below for details. Impact : A remote attacker may be able to create a Denial of Service condition, obtain sensitive information, bypass security restrictions, and inject arbitrary web script or HTML. Workaround : There is no known workaround at this time.
Last seen: 2020-06-01
Modified: 2020-06-02
Plugin id: 86690
Published: 2015-11-02
Reporter: This script is Copyright (C) 2015 Tenable Network Security, Inc.
Source: https://www.tenable.com/plugins/nessus/86690
Title: GLSA-201510-05 : MediaWiki: Multiple vulnerabilities
Code:

```nasl
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Gentoo Linux Security Advisory GLSA 201510-05.
#
# The advisory text is Copyright (C) 2001-2015 Gentoo Foundation, Inc.
# and licensed under the Creative Commons - Attribution / Share Alike
# license.  See http://creativecommons.org/licenses/by-sa/3.0/
#

include("compat.inc");

if (description)
{
  script_id(86690);
  script_version("$Revision: 2.1 $");
  script_cvs_date("$Date: 2015/11/02 14:33:25 $");

  script_cve_id(
    "CVE-2015-2931", "CVE-2015-2932", "CVE-2015-2933", "CVE-2015-2934",
    "CVE-2015-2935", "CVE-2015-2936", "CVE-2015-2937", "CVE-2015-2938",
    "CVE-2015-2939", "CVE-2015-2940", "CVE-2015-2941", "CVE-2015-2942",
    "CVE-2015-6728", "CVE-2015-6729", "CVE-2015-6730", "CVE-2015-6731",
    "CVE-2015-6732", "CVE-2015-6733", "CVE-2015-6734", "CVE-2015-6735",
    "CVE-2015-6736", "CVE-2015-6737"
  );
  script_xref(name:"GLSA", value:"201510-05");

  script_name(english:"GLSA-201510-05 : MediaWiki: Multiple vulnerabilities");
  script_summary(english:"Checks for updated package(s) in /var/db/pkg");

  script_set_attribute(
    attribute:"synopsis",
    value:"The remote Gentoo host is missing one or more security-related patches."
  );
  script_set_attribute(
    attribute:"description",
    value:
"The remote host is affected by the vulnerability described in GLSA-201510-05
(MediaWiki: Multiple vulnerabilities)

    Multiple vulnerabilities have been discovered in MediaWiki. Please
      review the CVE identifiers referenced below for details.

Impact :

    A remote attacker may be able to create a Denial of Service
      condition, obtain sensitive information, bypass security
      restrictions, and inject arbitrary web script or HTML.

Workaround :

    There is no known workaround at this time."
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://security.gentoo.org/glsa/201510-05"
  );
  script_set_attribute(
    attribute:"solution",
    value:
"All MediaWiki 1.25 users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose '>=www-apps/mediawiki-1.25.2'

All MediaWiki 1.24 users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose '>=www-apps/mediawiki-1.24.3'

All MediaWiki 1.23 users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose '>=www-apps/mediawiki-1.23.10'"
  );
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:gentoo:linux:mediawiki");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:gentoo:linux");

  script_set_attribute(attribute:"patch_publication_date", value:"2015/10/31");
  script_set_attribute(attribute:"plugin_publication_date", value:"2015/11/02");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2015 Tenable Network Security, Inc.");
  script_family(english:"Gentoo Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/Gentoo/release", "Host/Gentoo/qpkg-list");

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("qpkg.inc");

if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
if (!get_kb_item("Host/Gentoo/release")) audit(AUDIT_OS_NOT, "Gentoo");
if (!get_kb_item("Host/Gentoo/qpkg-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

flag = 0;

# Unaffected: 1.25.2+, and the 1.24.3 / 1.23.10 stable-branch backports.
if (qpkg_check(package:"www-apps/mediawiki", unaffected:make_list("ge 1.25.2", "rge 1.24.3", "rge 1.23.10"), vulnerable:make_list("lt 1.25.2"))) flag++;

if (flag)
{
  if (report_verbosity > 0) security_hole(port:0, extra:qpkg_report_get());
  else security_hole(0);
  exit(0);
}
else
{
  tested = qpkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, "MediaWiki");
}
```
References
- http://www.mandriva.com/security/advisories?name=MDVSA-2015:200
- http://www.openwall.com/lists/oss-security/2015/04/01/1
- http://www.openwall.com/lists/oss-security/2015/04/07/3
- http://www.securityfocus.com/bid/73477
- https://lists.wikimedia.org/pipermail/mediawiki-announce/2015-March/000175.html
- https://phabricator.wikimedia.org/T64685
- https://security.gentoo.org/glsa/201510-05