Hi Tim, thanks a lot. I assume that for 1.13.4, if we don't have that config directory on the server, then the installation is safe and I won't need to upgrade, correct? Eric
--- On Fri, 2/6/09, Tim Starling tstarling@wikimedia.org wrote:
From: Tim Starling tstarling@wikimedia.org
Subject: [Mediawiki-l] MediaWiki releases: security update and new major branch
To: mediawiki-announce@lists.wikimedia.org, mediawiki-l@lists.wikimedia.org, wikitech-l@lists.wikimedia.org
Date: Friday, February 6, 2009, 10:34 PM
This is a security release of 1.13.4, 1.12.4 and 1.6.12.
A number of cross-site scripting (XSS) security vulnerabilities were discovered in the web-based installer (config/index.php). These vulnerabilities all require a live installer -- once the installer has been used to install a wiki, it is deactivated.
Note that cross-site scripting vulnerabilities can be used to attack any website in the same cookie domain. So if you have an uninstalled copy of MediaWiki on the same site as an active web service, MediaWiki could be used to attack the active service.
If you are hosting an old copy of MediaWiki that you have never installed, we advise you to remove it from the web.
Additionally, we are releasing 1.14.0rc1, the first release candidate of the 2009 Q1 branch. Brave souls are encouraged to download it and try it out.
Note that we have disabled SQLite installation in 1.14, due to the incompleteness of the implementation. We intend to restore it in 1.15. We're not sure how many people are using SQLite, so contact us if our treatment of it is causing you problems.
Upgrade FAQ: http://www.mediawiki.org/wiki/Manual:FAQ#Upgrading
Full release notes:
http://svn.wikimedia.org/svnroot/mediawiki/tags/REL1_14_0RC1/phase3/RELEASE-...
http://svn.wikimedia.org/svnroot/mediawiki/tags/REL1_13_4/phase3/RELEASE-NOT...
http://svn.wikimedia.org/svnroot/mediawiki/tags/REL1_12_4/phase3/RELEASE-NOT...
http://svn.wikimedia.org/svnroot/mediawiki/tags/REL1_6_12/phase3/RELEASE-NOT...
**********************************************************************
MEDIAWIKI 1.14.0rc1
**********************************************************************
Download: http://download.wikimedia.org/mediawiki/1.14/mediawiki-1.14.0rc1.tar.gz
Patch generation failed due to changes in binary files.
GPG signature: http://download.wikimedia.org/mediawiki/1.14/mediawiki-1.14.0rc1.tar.gz.sig
Public keys: https://secure.wikimedia.org/keys.html
**********************************************************************
MEDIAWIKI 1.13.4
**********************************************************************
Download: http://download.wikimedia.org/mediawiki/1.13/mediawiki-1.13.4.tar.gz
Patch to previous version (1.13.3), without interface text:
http://download.wikimedia.org/mediawiki/1.13/mediawiki-1.13.4.patch.gz
Interface text changes:
http://download.wikimedia.org/mediawiki/1.13/mediawiki-i18n-1.13.4.patch.gz
GPG signatures:
http://download.wikimedia.org/mediawiki/1.13/mediawiki-1.13.4.tar.gz.sig
http://download.wikimedia.org/mediawiki/1.13/mediawiki-1.13.4.patch.gz.sig
http://download.wikimedia.org/mediawiki/1.13/mediawiki-i18n-1.13.4.patch.gz....
Public keys: https://secure.wikimedia.org/keys.html
**********************************************************************
MEDIAWIKI 1.12.4
**********************************************************************
Download: http://download.wikimedia.org/mediawiki/1.12/mediawiki-1.12.4.tar.gz
Patch to previous version (1.12.3), without interface text:
http://download.wikimedia.org/mediawiki/1.12/mediawiki-1.12.4.patch.gz
Interface text changes:
http://download.wikimedia.org/mediawiki/1.12/mediawiki-i18n-1.12.4.patch.gz
GPG signatures:
http://download.wikimedia.org/mediawiki/1.12/mediawiki-1.12.4.tar.gz.sig
http://download.wikimedia.org/mediawiki/1.12/mediawiki-1.12.4.patch.gz.sig
http://download.wikimedia.org/mediawiki/1.12/mediawiki-i18n-1.12.4.patch.gz....
Public keys: https://secure.wikimedia.org/keys.html
**********************************************************************
MEDIAWIKI 1.6.12
**********************************************************************
Download: http://download.wikimedia.org/mediawiki/1.6/mediawiki-1.6.12.tar.gz
Patch to previous version (1.6.11):
http://download.wikimedia.org/mediawiki/1.6/mediawiki-1.6.12.patch.gz
GPG signatures:
http://download.wikimedia.org/mediawiki/1.6/mediawiki-1.6.12.tar.gz.sig
http://download.wikimedia.org/mediawiki/1.6/mediawiki-1.6.12.patch.gz.sig
Public keys: https://secure.wikimedia.org/keys.html
-- Tim Starling
_______________________________________________ MediaWiki-l mailing list MediaWiki-l@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/mediawiki-l
Hello,
I need some help with my extension. I don't know why I get this output on the page: 1 2 0 (http://wiki.keb-vogelsberg.de/index.php?title=Hauptseite) from the input <toolserver_poll id=2></toolserver_poll>
In German:
Hello,
I need help with my MediaWiki extension. I cannot explain why I get this result on the page: 1 2 0 (http://wiki.keb-vogelsberg.de/index.php?title=Hauptseite)
Code of the extension:
<?php
/**
 * Toolserver Poll - Include the Toolserver poll script (http://toolserver.org/~jan/poll/index.php)
 *
 * To activate this extension, add the following into your LocalSettings.php file:
 * require_once("$IP/extensions/Toolserver_Poll/toolserver_poll.php");
 *
 * @ingroup Extensions
 * @author Jan Luca jan@toolserver.org
 * @version 1.0 Alpha
 * @link http://www.mediawiki.org/wiki/Extension:MyExtension Documentation
 * @license http://creativecommons.org/licenses/by-sa/3.0/ Attribution-Share Alike 3.0 Unported or later
 */

/**
 * Protect against register_globals vulnerabilities.
 * This line must be present before any global variable is referenced.
 */
if( !defined( 'MEDIAWIKI' ) ) {
	echo( "This is an extension to the MediaWiki package and cannot be run standalone.\n" );
	die( -1 );
}

// User-Agent sent to the Toolserver; the constant was referenced below but never defined
if ( !defined( 'USERAGENT' ) ) {
	define( 'USERAGENT', 'Toolserver_Poll/1.0 (MediaWiki extension)' );
}

// Extension credits that will show up on Special:Version
$wgExtensionCredits['parserhook'][] = array(
	'name' => 'Toolserver Poll',
	'version' => '1.0 Alpha',
	'author' => 'Jan Luca',
	'url' => 'http://www.mediawiki.org/wiki/Extension:Toolserver_poll',
	'descriptionmsg'=> 'descript_msg'
);

// Avoid unstubbing $wgParser on setHook() too early on modern (1.12+) MW versions, as per r35980
if ( defined( 'MW_SUPPORTS_PARSERFIRSTCALLINIT' ) ) {
	$wgHooks['ParserFirstCallInit'][] = 'eftoolserver_pollSetup';
} else { // Otherwise do things the old fashioned way
	$wgExtensionFunctions[] = 'eftoolserver_pollSetup';
}

$wgExtensionMessagesFiles['toolserver_poll'] = dirname( __FILE__ ) . '/toolserver_poll.i18n.php';

function eftoolserver_pollSetup() {
	global $wgParser;
	$wgParser->setHook( 'toolserver_poll', 'eftoolserver_pollRender' );
	return true;
}

/**
 * Fetch $page from $server over plain HTTP, following one Location redirect.
 * Returns the raw response (headers and body), or '' after four failed attempts.
 */
function get_request( $server, $page, $ignore_redir = false, $it = 0 ) {
	global $count;
	$count = isset( $count ) ? $count + 1 : 1;
	$cookies = ''; // cookie handling is not implemented yet
	//$cookies = cookiestring( $server );
	$buf = '';
	$fp = fsockopen( $server, 80, $errno, $errstr, 10 );
	if ( !$fp ) {
		if ( $it < 4 ) {
			// retry, and hand the retry's result back to the caller (it was dropped before)
			return get_request( $server, $page, $ignore_redir, $it + 1 );
		}
		// do not echo from a parser hook: that text lands in the middle of the rendered page
		return '';
	}
	// HTTP/1.0 with Connection: close makes the server send the body unchunked,
	// which this simple reader relies on. An HTTP/1.1 chunked reply to a body of
	// "2" is framed as "1\r\n2\r\n0\r\n\r\n", which matches the "1 2 0" seen on the page.
	// Every header line has to end in \r\n, not a bare newline.
	fputs( $fp, "GET $page HTTP/1.0\r\n"
		. "Host: $server\r\n"
		. "Cookie: $cookies\r\n"
		. "User-Agent: " . USERAGENT . "\r\n"
		. "Connection: close\r\n\r\n" );
	while ( !feof( $fp ) ) {
		$buf .= fgets( $fp, 128 );
	}
	fclose( $fp );
	$buf2 = getheaders( $buf );
	// the pattern had been URL-encoded (%5Cr%5Cn, %27) when pasted; this is the intended one
	if ( preg_match( '@Location: http://(.*)/(.*)\r\n@iU', $buf2, $hit ) && $hit[1] != '' && !$ignore_redir ) {
		$buf = get_request( $hit[1], '/' . $hit[2] );
	}
	//update_cookies( getheaders( $buf ), $server );
	return $buf;
}

// Header block of a raw response, or '' if there is none
function getheaders( $buf ) {
	return preg_match( "/^(.*)\r\n\r\n/is", $buf, $hit ) ? $hit[1] : '';
}

// Body of a raw response, or '' if the header/body separator is missing
function removeheaders( $buf ) {
	return preg_match( "/\r\n\r\n(.*)$/is", $buf, $hit ) ? $hit[1] : '';
}

function eftoolserver_pollRender( $input, $args, $parser ) {
	// The old foreach overwrote $id with whichever attribute came last. Only the
	// id attribute is wanted, and since it goes into a URL it needs urlencode(),
	// not htmlspecialchars().
	$id = isset( $args['id'] ) ? urlencode( $args['id'] ) : '';
	$get_server = removeheaders( get_request( 'toolserver.org', '/~jan/poll/dev/main.php?page=wiki_output&id=' . $id ) );
	if ( $get_server !== '' ) {
		// NB: the Toolserver's reply is inserted into the wiki page as-is, so the
		// wiki trusts whatever markup that host returns
		return $get_server;
	} else {
		return "nicht funktioniert";
	}
}
Code of main.php:
$page = $_GET['page'];
...
if($page == "wiki_output") {
	$wiki_id = $_GET['id'];
	// escape before echoing: the id comes straight from the query string and
	// would otherwise be reflected into the response unescaped
	echo htmlspecialchars( $wiki_id );
}
MfG
Jan Luca
Eric K wrote:
Hi Tim, thanks a lot. I assume that for 1.13.4, if we don't have that config directory on the server, then the installation is safe and I won't need to upgrade, correct?
Correct.
-- Tim Starling
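A defender-side check of the condition Tim confirms above, as an added example that is not from the thread or from MediaWiki itself: it assumes the 1.13-era layout described in the announcement (the web installer is config/index.php and is deactivated once the wiki is installed, i.e. once LocalSettings.php sits in the web root) and uses includes/DefaultSettings.php as the marker of a MediaWiki copy.

```shell
#!/bin/sh
# Classify one MediaWiki web root by the state of its web installer.
# Prints: absent (no config/index.php), live (installer present and the wiki
# not yet installed), or deactivated (installer present but LocalSettings.php
# already in the root, so the installer refuses to run as the announcement says).
mw_installer_state() {
  root=$1
  if [ ! -f "$root/config/index.php" ]; then
    echo absent
  elif [ -f "$root/LocalSettings.php" ]; then
    echo deactivated
  else
    echo live
  fi
}

# Walk a document root and its immediate subdirectories, treating every
# directory that has includes/DefaultSettings.php as a MediaWiki copy.
# Returns 1 if at least one live installer was found, 0 otherwise.
mw_scan_docroot() {
  docroot=$1
  found=0
  for settings in "$docroot"/includes/DefaultSettings.php \
                  "$docroot"/*/includes/DefaultSettings.php; do
    [ -f "$settings" ] || continue
    root=$(dirname "$(dirname "$settings")")
    case $(mw_installer_state "$root") in
      live)
        echo "VULNERABLE $root: uninstalled copy with a live installer; remove it from the web"
        found=1 ;;
      deactivated)
        echo "ok $root: installed; deleting config/ still removes the dead installer code" ;;
      absent)
        echo "ok $root: no installer present" ;;
    esac
  done
  return $found
}
```

Run it as `mw_scan_docroot /var/www` from a cron job or a pre-deploy check; a non-zero exit status means an uninstalled copy is still reachable from the web.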