[Mediawiki-l] MediaWiki 1.3.11 released [SECURITY]

Brion Vibber brion at pobox.com
Mon Feb 21 06:38:06 UTC 2005


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

MediaWiki 1.3.11 is a security release.

== Important security updates ==

A security audit found and fixed a number of problems. Users of MediaWiki
1.3.10 and earlier should upgrade to 1.3.11; users of 1.4 beta releases
should upgrade to 1.4rc1.


=== Cross-site scripting vulnerability ===

XSS injection points can be used to hijack session and authentication
cookies, as well as for more serious attacks.

* Media: links output raw text into an attribute value, potentially
  abusable for JavaScript injection. This has been corrected.
* Additional checks added to file upload to protect against MSIE and
  Safari MIME-type autodetection bugs.
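The two fixes listed above, shown side by side as an added example (this is not MediaWiki's own code, and the function names, the marker list and the sample inputs are constructed for illustration): first the attribute-injection pattern next to its escaped form, then a leading-bytes check that refuses uploads a sniffing browser would treat as HTML regardless of the declared type.

```php
<?php
// Added example, not MediaWiki code. Shows the two defensive checks the
// advisory describes: escaping text that lands in an HTML attribute, and
// refusing uploads whose leading bytes a browser might sniff as HTML.

// Vulnerable pattern: link text dropped raw into an attribute value.
// A title such as  x" onmouseover="...  terminates the attribute early.
function mediaLinkVulnerable(string $url, string $text): string {
    return '<a href="' . $url . '" title="' . $text . '">' . $text . '</a>';
}

// Hardened pattern: every untrusted value is escaped with ENT_QUOTES so that
// quotes, angle brackets and ampersands cannot break out of the attribute.
function mediaLinkSafe(string $url, string $text): string {
    $h = fn(string $s): string => htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<a href="' . $h($url) . '" title="' . $h($text) . '">' . $h($text) . '</a>';
}

// Upload check: MSIE and Safari of that era ignored the declared Content-Type
// when the first bytes of a file looked like HTML, so an "image" containing
// markup could run script in the wiki's origin. Reject such files outright.
function looksLikeHtml(string $head): bool {
    // Only the leading chunk matters for sniffing; normalise case first.
    $sample = strtolower(substr($head, 0, 1024));
    // Constructed marker list; a real filter would be broader.
    $markers = ['<html', '<head', '<body', '<script', '<title', '<a href',
                '<img', '<iframe', '<object', '<embed', '<meta', 'javascript:'];
    foreach ($markers as $m) {
        if (strpos($sample, $m) !== false) {
            return true;
        }
    }
    return false;
}

function acceptUpload(string $contents): bool {
    return !looksLikeHtml($contents);
}

// Constructed inputs for a local run.
$hostile = 'x" onmouseover="evil()';
echo mediaLinkVulnerable('/images/a.png', $hostile), "\n";
echo mediaLinkSafe('/images/a.png', $hostile), "\n";

$png  = "\x89PNG\r\n\x1a\n" . str_repeat("\0", 16);            // genuine PNG header
$fake = "GIF89a<html><script>evil()</script></html>";           // markup behind a GIF signature
var_dump(acceptUpload($png));
var_dump(acceptUpload($fake));
```

The escaping call is the whole fix for the first item: the output context is an attribute, so the escape must cover both quote characters, not just angle brackets. The upload check is deliberately content-based rather than extension- or MIME-based, because the bug being worked around is precisely that the browser ignores both.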

As of 1.3.10/1.4beta6, per-user customized CSS and JavaScript is disabled
by default as a general precaution. Sites which want this ability may set
$wgAllowUserCss and $wgAllowUserJs in LocalSettings.php.


=== Cross-site request forgery ===

An attacker could use JavaScript-submitted forms to perform various
restricted actions by tricking an authenticated user into visiting
a malicious web page. A fix for page editing in 1.3.10/1.4beta6 has
been expanded in this release to other forms and functions.

Authors of bot tools may need to update their code to include the
additional fields.
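An added example of the mechanism the paragraph refers to, written here for illustration and not taken from MediaWiki: a per-session secret is emitted as a hidden form field, and every state-changing handler verifies it before acting. The field name `wpEditToken`, the handler names and the sample requests are assumptions; a bot tool working against such a form has to fetch the form first and echo the hidden field back, which is the "additional field" the advisory mentions.

```php
<?php
// Added example, not MediaWiki code. A cross-site page can make a victim's
// browser submit a form, but it cannot read the victim's session or the
// token embedded in a form the victim loaded, so forged POSTs fail the check.

if (session_status() === PHP_SESSION_NONE) {
    session_start();
}

// One unguessable token per session, created lazily.
function csrfToken(): string {
    if (empty($_SESSION['edit_token'])) {
        $_SESSION['edit_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['edit_token'];
}

// Emit the token as a hidden field (field name is an assumption).
function hiddenTokenField(): string {
    return '<input type="hidden" name="wpEditToken" value="'
        . htmlspecialchars(csrfToken(), ENT_QUOTES, 'UTF-8') . '">';
}

// Verify: state changes only over POST, token present, compared in constant time.
function csrfCheck(array $post, string $method): bool {
    if ($method !== 'POST' || !isset($post['wpEditToken'])) {
        return false;
    }
    return hash_equals(csrfToken(), (string) $post['wpEditToken']);
}

// Every restricted action (edit, delete, protect, ...) gates on the check,
// not just page editing, which is the expansion this release describes.
function handleDelete(array $post, string $method): string {
    if (!csrfCheck($post, $method)) {
        return 'Session data lost or request forged; reload the form and retry.';
    }
    // ... perform the deletion here ...
    return 'deleted';
}

// Constructed requests: a legitimate one, a forged one, and a GET.
echo hiddenTokenField(), "\n";
echo handleDelete(['wpEditToken' => csrfToken()], 'POST'), "\n";
echo handleDelete(['wpEditToken' => str_repeat('0', 64)], 'POST'), "\n";
echo handleDelete(['wpEditToken' => csrfToken()], 'GET'), "\n";
```

Two points matter for practitioners: the token is bound to the session rather than global, and comparison uses `hash_equals` so a wrong token is rejected in constant time. Rejecting GET for state changes closes the simplest forgery vector (an `<img src>` pointing at the action URL) even before the token is consulted.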


=== Directory traversal ===

An unchecked parameter in image deletion could allow an authenticated
administrator to delete arbitrary files in directories writable by the
web server, and to confirm the existence of files that cannot be deleted.
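An added example, not MediaWiki's code, of the containment check that closes this class of hole. The function names, the temporary directories and the sample files are constructed for a local run. It addresses both halves of the finding: the supplied name must resolve inside the image directory, and every rejection returns the same generic failure, so a caller cannot distinguish a missing file inside the directory from an existing file outside it.

```php
<?php
// Added example, not MediaWiki code. An admin-supplied file name is only
// accepted if it is a bare name that resolves inside the image directory.

// Return the absolute path of $name inside $baseDir, or null if $name is not
// a plain file name that resolves inside $baseDir.
function containedPath(string $baseDir, string $name): ?string {
    $base = realpath($baseDir);
    if ($base === false) {
        return null;
    }
    // Reject anything with a directory component or traversal sequence
    // before touching the filesystem, so '../' and absolute paths never resolve.
    if ($name === '' || $name !== basename($name) || $name === '.' || $name === '..') {
        return null;
    }
    $full = realpath($base . DIRECTORY_SEPARATOR . $name);
    if ($full === false) {
        return null; // does not exist; caller reports the same generic failure
    }
    // A symlink inside the directory can still point elsewhere; realpath()
    // follows it, so compare the resolved path against the base plus a
    // trailing separator (otherwise /var/images-other would match /var/images).
    if (strpos($full, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $full;
}

// Single generic outcome for every rejection, so the caller learns nothing
// about paths outside the directory.
function deleteImage(string $baseDir, string $name): bool {
    $path = containedPath($baseDir, $name);
    if ($path === null || !is_file($path)) {
        return false;
    }
    return unlink($path);
}

// Constructed sandbox for a local run: one file inside, one outside.
$dir = sys_get_temp_dir() . '/imgdemo_' . bin2hex(random_bytes(4));
mkdir($dir);
file_put_contents("$dir/ok.png", 'x');
$outside = sys_get_temp_dir() . '/outside_' . bin2hex(random_bytes(4)) . '.txt';
file_put_contents($outside, 'y');

var_dump(deleteImage($dir, 'ok.png'));                   // inside: deleted
var_dump(deleteImage($dir, '../' . basename($outside))); // traversal: rejected
var_dump(deleteImage($dir, 'missing.png'));              // absent: same rejection
var_dump(file_exists($outside));                         // untouched

unlink($outside);
rmdir($dir);
```

The order of checks is deliberate: the name is validated syntactically before `realpath()` is called, so the filesystem is never probed with attacker-shaped input, and the existence oracle the advisory mentions disappears because a non-existent inside path and an existing outside path both collapse to the same `false`.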



Release notes:
http://sourceforge.net/project/shownotes.php?release_id=307067

Download:
http://prdownloads.sf.net/wikipedia/mediawiki-1.3.11.tar.gz?download

Low-traffic release announcements mailing list:
http://mail.wikipedia.org/mailman/listinfo/mediawiki-announce

Wiki admin help mailing list:
http://mail.wikipedia.org/mailman/listinfo/mediawiki-l

Bug report system:
http://bugzilla.wikipedia.org/

Play "stump the developers" live on IRC:
#mediawiki on irc.freenode.net

-- brion vibber (brion @ pobox.com)
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.6 (Darwin)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org

iD8DBQFCGYHOwRnhpk1wk44RAhlzAKDSk3J8cRhBxD/arNc84uaLqeKAtgCfcJ2m
VRX58OZ0qf0b1dqhmfMFFe4=
=oYqv
-----END PGP SIGNATURE-----


