[Mediawiki-l] MediaWiki 1.3.11 released [SECURITY]
brion at pobox.com
Mon Feb 21 06:38:06 UTC 2005
-----BEGIN PGP SIGNED MESSAGE-----
MediaWiki 1.3.11 is a security release.
== Important security updates ==
A security audit found and fixed a number of problems. Users of MediaWiki
1.3.10 and earlier should upgrade to 1.3.11; users of 1.4 beta releases
should upgrade to 1.4rc1.
=== Cross-site scripting vulnerability ===
XSS injection points can be used to hijack session and authentication
cookies as well as more serious attacks.
* Media: links output raw text into an attribute value, potentially
* Additional checks added to file upload to protect against MSIE and
~ Safari MIME-type autodetection bugs.
by default as a general precaution. Sites which want this ability may set
$wgAllowUserCss and $wgAllowUserJs in LocalSettings.php.
=== Cross-site request forgery ===
restricted actions by tricking an authenticated user into visiting
a malicious web page. A fix for page editing in 1.3.10/1.4beta6 has
been expanded in this release to other forms and functions.
Authors of bot tools may need to update their code to include the
=== Directory traversal ===
An unchecked parameter in image deletion could allow an authenticated
administrator to delete arbitary files in directories writable by the
web server, and confirm existence of files not deletable.
Low-traffic release announcements mailing list:
Wiki admin help mailing list:
Bug report system:
Play "stump the developers" live on IRC:
#mediawiki on irc.freenode.net
- -- brion vibber (brion @ pobox.com)
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.6 (Darwin)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org
-----END PGP SIGNATURE-----
More information about the MediaWiki-l