Our patch for the Internet Explorer 6 XSS issue (bug 28235) released two days ago in 1.16.3 was insufficient to fix that bug. The original reporter, Masato Kinugawa, pointed out the flaw on bug 28507. So we are doing another release, which contains a second attempt at fixing the issue.
Apologies to everyone for the inconvenience. Big thanks go to Masato Kinugawa for helping to keep MediaWiki secure. Thanks also to Roan Kattouw who helped me test the patch this time around, so that we can hopefully avoid a repeat.
It is necessary to upgrade MediaWiki to avoid an XSS vulnerability for Internet Explorer clients, version 6 and earlier. Also, if you used the Apache configuration I suggested in the previous release announcement, you should update it to:
RewriteEngine On RewriteCond %{QUERY_STRING} .[a-z0-9]{1,4}(#|?|$) [nocase] RewriteRule . - [forbidden]
We missed the fact that there can be more than one question mark in a URL. In certain circumstances, IE 6 will use a file extension immediately before a question mark character, regardless of how many question marks precede it. For example, with the URL:
http://example.com/a?b?c.html?d?e
IE 6 will see the file extension as ".html".
********************************************************************** Download: http://download.wikimedia.org/mediawiki/1.16/mediawiki-1.16.4.tar.gz
Patch to previous version (1.16.3): http://download.wikimedia.org/mediawiki/1.16/mediawiki-1.16.4.patch.gz
GPG signatures: http://download.wikimedia.org/mediawiki/1.16/mediawiki-1.16.4.tar.gz.sig http://download.wikimedia.org/mediawiki/1.16/mediawiki-1.16.4.patch.gz.sig
Public keys: https://secure.wikimedia.org/keys.html