[MediaWiki-l] Security fixes for CentralAuth and MobileFrontend extensions

Chris Steipp csteipp at wikimedia.org
Wed Oct 8 21:18:00 UTC 2014


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256


A number of security issues in MediaWiki extensions have been fixed.
Users of these extensions should update to the latest version.

* CentralAuth: Internal review found multiple issues that have been resolved:
** (bug 70469) Special:MergeAccount failed to validate the anti-CSRF
token in its forms when performing actions.
<https://bugzilla.wikimedia.org/show_bug.cgi?id=70469>
** (bug 70468) The internal function to attach multiple local wiki
accounts into a single, global account did not re-check that the
requesting user owned the "home wiki" for that username, but assumed
that user did own this account. This could allow a user to add their
local account edits to a global account that they didn't own.
<https://bugzilla.wikimedia.org/show_bug.cgi?id=70468>
** (bug 71749) Incomplete fix for bug 70468. The fix wasn't applied to
the new feature where accounts were globalized automatically on login.
<https://bugzilla.wikimedia.org/show_bug.cgi?id=71749>
** (bug 70620) When globally renaming a user, the antispoof table,
which prevents similar-looking names from being created, wasn't
updated. This potentially allowed another user to register an account
with a name that looked identical to the username of a user who had
been globally renamed.
<https://bugzilla.wikimedia.org/show_bug.cgi?id=70620>
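
The three CentralAuth attach/merge issues above (bugs 70469, 70468 and 71749) come down to two checks that both code paths must share. The following is an added illustration in Python, not CentralAuth's own PHP code: the account table, salt, token key, wiki names and passwords are all constructed for the example, and the password-hash comparison stands in for however a real deployment verifies credentials. What it shows is the home-wiki ownership re-check that bug 70468 describes, the anti-CSRF token check that bug 70469 describes, and the reason bug 71749 happened: the explicit form handler and the automatic-on-login path are routed through one function, so the check cannot be present on one path and missing on the other.

```python
import hashlib
import hmac

# Fixed salt and token key so the example is deterministic (constructed; real
# deployments use per-account salts and a per-session secret).
_SALT = b"constructed-salt"
_TOKEN_KEY = b"constructed-session-key"


def _hash(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 20_000)


# Constructed local accounts, keyed by (wiki, username). "Alice" on enwiki and
# frwiki belongs to one person; "Alice" on dewiki was registered by someone else.
LOCAL_ACCOUNTS = {
    ("enwiki", "Alice"): _hash("home-wiki-secret"),
    ("frwiki", "Alice"): _hash("home-wiki-secret"),
    ("dewiki", "Alice"): _hash("other-persons-pw"),
}


class GlobalAccount:
    def __init__(self, name: str, home_wiki: str):
        self.name = name
        self.home_wiki = home_wiki
        self.attached = {home_wiki}


def _password_matches(wiki: str, name: str, password: str) -> bool:
    stored = LOCAL_ACCOUNTS.get((wiki, name))
    return stored is not None and hmac.compare_digest(stored, _hash(password))


def attach_local_account(acct: GlobalAccount, session_wiki: str, password: str) -> frozenset:
    """Single choke point for attaching acct.name@session_wiki to the global account.

    session_wiki is the wiki the requester is logged in to as acct.name, and
    password is what they authenticated with. Both callers below go through
    here, so the check cannot be skipped on one path (the gap bug 71749 describes).
    """
    name = acct.name
    if not _password_matches(session_wiki, name, password):
        raise PermissionError(f"{name}@{session_wiki}: local credentials do not match")
    # The re-check bug 70468 describes: the same credentials must also open the
    # HOME wiki account. Without it, whoever holds an unrelated local "Alice"
    # can attach their edits to a global account they do not own.
    if not _password_matches(acct.home_wiki, name, password):
        raise PermissionError(f"{name}@{session_wiki} does not own {name}@{acct.home_wiki}")
    acct.attached.add(session_wiki)
    return frozenset(acct.attached)


def csrf_token(session_id: str) -> str:
    """Per-session anti-CSRF token; the form embeds it and must echo it back."""
    return hmac.new(_TOKEN_KEY, session_id.encode(), "sha256").hexdigest()


def merge_account_form(acct, session_id, session_wiki, password, submitted_token) -> frozenset:
    """Special:MergeAccount-style POST handler; bug 70469 is this check being absent."""
    if not hmac.compare_digest(submitted_token.encode(), csrf_token(session_id).encode()):
        raise PermissionError("anti-CSRF token missing or wrong")
    return attach_local_account(acct, session_wiki, password)


def on_login(acct, session_wiki, password) -> frozenset:
    """Automatic globalisation on login: same ownership check, no form token involved."""
    return attach_local_account(acct, session_wiki, password)


def denied(fn, *args) -> bool:
    """True if the call is refused with PermissionError (used by the demo and tests)."""
    try:
        fn(*args)
        return False
    except PermissionError:
        return True


if __name__ == "__main__":
    owner = GlobalAccount("Alice", "enwiki")
    print(on_login(owner, "frwiki", "home-wiki-secret"))  # home-wiki owner: frwiki attached
    # The dewiki "Alice" authenticates locally but does not own enwiki:Alice, so is refused.
    print(denied(on_login, GlobalAccount("Alice", "enwiki"), "dewiki", "other-persons-pw"))
```

The pre-fix behaviour is what you get by deleting the second `_password_matches` call: the dewiki holder of the name passes the local check and is attached. Keeping the check in one shared function, rather than in each caller, is what prevents a later caller (here `on_login`) from silently reintroducing the bug.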

* MobileFrontend: (bug 70009) Sherif Mansour discovered that POST
parameters were being added to links generated by MobileFrontend,
which could reveal the user's password after login.
<https://bugzilla.wikimedia.org/show_bug.cgi?id=70009>
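
The MobileFrontend issue is an instance of a general mistake: a link builder that copies "the current request's parameters" into a URL without distinguishing the query string from the POST body. The block below is an added Python illustration, not MobileFrontend's PHP code; the request, field values and the `mobileaction` parameter are constructed for the example (the `wp*` field names follow the MediaWiki login form). It shows the vulnerable builder beside the corrected one and a small check you can run over generated links to catch the leak.

```python
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Constructed request: a mobile login form POSTed to the login page. Field
# names follow the MediaWiki login form; the values are made up.
LOGIN_POST = {
    "method": "POST",
    "url": "https://m.example.org/w/index.php?title=Special:UserLogin&returnto=Main_Page",
    "post": {"wpName": "Alice", "wpPassword": "hunter2", "wpLoginToken": "0123abcd"},
}

# Form fields that must never appear in a URL (they end up in logs, Referer
# headers and browser history).
SENSITIVE = ("wpPassword", "wpLoginToken")


def _with_query(url: str, params: dict) -> str:
    parts = urlsplit(url)
    return urlunsplit((parts.scheme, parts.netloc, parts.path, urlencode(params), ""))


def vulnerable_link(request: dict, extra: dict) -> str:
    """Rebuilds a link from 'all request parameters'. Folding the POST body in
    is the class of mistake bug 70009 describes: the link carries the password."""
    params = dict(parse_qsl(urlsplit(request["url"]).query))
    params.update(request["post"])  # the mistake: body fields become query fields
    params.update(extra)
    return _with_query(request["url"], params)


def fixed_link(request: dict, extra: dict) -> str:
    """Only the query string is part of the page address; the body never is."""
    params = dict(parse_qsl(urlsplit(request["url"]).query))
    params.update(extra)
    return _with_query(request["url"], params)


def leaked_fields(link: str, sensitive=SENSITIVE) -> list:
    """Names of sensitive form fields that ended up in a generated link."""
    query = dict(parse_qsl(urlsplit(link).query))
    return sorted(name for name in sensitive if name in query)


if __name__ == "__main__":
    extra = {"mobileaction": "toggle_view_desktop"}  # illustrative link parameter
    print(leaked_fields(vulnerable_link(LOGIN_POST, extra)))  # ['wpLoginToken', 'wpPassword']
    print(leaked_fields(fixed_link(LOGIN_POST, extra)))  # []
```

`leaked_fields` is also a cheap regression check: run it over every link the page emits after a POST and fail the build if it returns anything.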


**********************************************************************
   Extension:CentralAuth
**********************************************************************
Information and Download:
https://www.mediawiki.org/wiki/Extension:CentralAuth

**********************************************************************
   Extension:MobileFrontend
**********************************************************************
Information and Download:
https://www.mediawiki.org/wiki/Extension:MobileFrontend


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.22 (GNU/Linux)

iF4EAREIAAYFAlQ1lJoACgkQ7h9mNGLYTwGdgAD/X7q6WfaBoE2SdKjZeoLE9yvs
wg07Fs4kytmmSQDXa4IBAKBgaYuhuRt5j+G5Q9YNdfCCkvlSqnz7heCIX1Ddn5ma
=cOb1
-----END PGP SIGNATURE-----


