[Mediawiki-l] MediaWiki 1.4rc1 released [SECURITY]

Brion Vibber brion at pobox.com
Mon Feb 21 06:38:58 UTC 2005

Hash: SHA1

MediaWiki 1.4rc1 is a security and bug fix release for the 1.4 beta

== Important security updates ==

A security audit found and fixed a number of problems. Users of MediaWiki
1.3.10 and earlier should upgrade to 1.3.11; users of 1.4 beta releases
should upgrade to 1.4rc1.

=== Cross-site scripting vulnerability ===

XSS injection points can be used to hijack session and authentication
cookies as well as more serious attacks.

* Media: links output raw text into an attribute value, potentially
~  abusable for JavaScript injection. This has been corrected.
* Additional checks added to file upload to protect against MSIE and
~  Safari MIME-type autodetection bugs.

As of 1.3.10/1.4beta6, per-user customized CSS and JavaScript is disabled
by default as a general precaution. Sites which want this ability may set
$wgAllowUserCss and $wgAllowUserJs in LocalSettings.php.

=== Cross-site request forgery ===

An attacker could use JavaScript-submitted forms to perform various
restricted actions by tricking an authenticated user into visiting
a malicious web page. A fix for page editing in 1.3.10/1.4beta6 has
been expanded in this release to other forms and functions.

Authors of bot tools may need to update their code to include the
additional fields.

=== Directory traversal ===

An unchecked parameter in image deletion could allow an authenticated
administrator to delete arbitary files in directories writable by the
web server, and confirm existence of files not deletable.

== Changes since 1.4beta6 ==

* Fix notice error on nonexistent template in wikitext system message
* (bug 1469) add missing <ul> tags on Special:Log
* (bug 1470) remove extra <ul> tags from Danish log messages
* Fix notice on purge w/ squid mode off
* (bug 1477) hide details of SQL error messages by default
~  Set $wgShowSQLErrors = true for debugging.
* (bug 1430) Don't check for template data when editing page that
doesn't exist
* Recentchanges table purging fixed when using table prefix
* (bug 1431) Avoid redundant objectcache garbage collection
* (bug 1474) Switch to better-cached index for statistics page count
* Run Unicode normalization on all input fields
* Fix translation for allpagesformtext2 in LanguageZh_cn and LanguageZh_tw
* Block image revert without valid login
* (bug 1446) stub Bambara (bm) language file using French messages
* (bug 1432) Update Estonian localization
* (bug 1471) unclosed <p> tag in Danish messages
* convertLinks script fixes
* Corrections to template loop detection
* XHTML encoding fix for usernames containing & in Special:Emailuser
* (for zh) Search for variant links even when conversion is turned off,
~  to help prevent duplicate articles.
* Disallow ISO 8859-1 C1 characters and "no-break space" in user names
~  on Latin-1 wikis.
* Correct the name of the main page it LanguageIt
* Allow Special:Makesysop to work for usernames containing SQL special
~  characters.
* Fix annoying blue line in Safari on scaled-down images on description page
* Increase upload sanity checks
* Fix XSS bug in Media: links
* Add cross-site form submission protection to various actions
* Fix fatal error on some dubious page titles
* Stub threshold displays correctly again

Release notes:


Low-traffic release announcements mailing list:

Wiki admin help mailing list:

Bug report system:

Play "stump the developers" live on IRC:
#mediawiki on irc.freenode.net

- -- brion vibber (brion @ pobox.com)
Version: GnuPG v1.2.6 (Darwin)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org


More information about the MediaWiki-l mailing list