[MediaWiki-l] Security announcement for CentralAuth extension

Brian Wolff bwolff at wikimedia.org
Wed Jul 19 05:07:59 UTC 2017


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Hello everyone.

This is a security announcement for the CentralAuth
extension. Two issues were discovered in the
extension, and all users are strongly encouraged to
upgrade.

Issue 1: XSS in Special:GlobalGroupPermissions

Due to a lack of escaping in the
Special:GlobalGroupPermissions page, an attacker
would be able to inject arbitrary JavaScript into
the page, potentially leading to the takeover
of other users' accounts.
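The class of bug described above is a user-controlled string written into HTML without escaping. The following is an added illustration, not CentralAuth's own code: the function names, the group name used as input, and the output markup are all constructed for the example. The vulnerable form and the hardened form sit side by side; the hardened one escapes each interpolated value for its context (text, attribute value, URL path segment) with standard PHP functions, which is the same escaping MediaWiki core wraps in Html::element().

```php
<?php
// Added example, not code from the CentralAuth extension.
// Models the bug class: a global group name (user-controlled) placed
// into page HTML without escaping. Function names are hypothetical.

// Constructed, attacker-controlled group name. In the real page it would
// come from a request parameter or the database, not a literal.
$groupName = '<img src=x onerror=alert(1)>';

// Vulnerable pattern: raw string interpolation into HTML output.
// The group name lands both in an attribute value and in text content,
// so any markup it contains becomes part of the page.
function renderGroupRowUnescaped( string $group ): string {
    return "<li><a href=\"/wiki/Special:GlobalGroupPermissions/$group\">$group</a></li>";
}

// Hardened pattern: escape every interpolated value for the context it
// is written into.
//  - htmlspecialchars() with ENT_QUOTES covers text content and
//    double- or single-quoted attribute values;
//  - rawurlencode() covers the URL path segment before the whole URL is
//    then attribute-escaped.
// MediaWiki's Html::element() / Html::rawElement() apply the same
// escaping, which is why core code builds markup through them.
function renderGroupRowEscaped( string $group ): string {
    $text     = htmlspecialchars( $group, ENT_QUOTES | ENT_HTML5, 'UTF-8' );
    $href     = '/wiki/Special:GlobalGroupPermissions/' . rawurlencode( $group );
    $hrefAttr = htmlspecialchars( $href, ENT_QUOTES | ENT_HTML5, 'UTF-8' );
    return "<li><a href=\"$hrefAttr\">$text</a></li>";
}

// Quick regression check a reviewer could keep in a test: the escaped
// output must not contain a raw '<' from the input.
function outputIsEscaped( string $html, string $input ): bool {
    return strpos( $html, $input ) === false
        && strpos( $html, '<img' ) === false;
}

echo "Unescaped: ", renderGroupRowUnescaped( $groupName ), "\n";
echo "Escaped:   ", renderGroupRowEscaped( $groupName ), "\n";
echo "Escaped output safe? ",
    outputIsEscaped( renderGroupRowEscaped( $groupName ), $groupName ) ? 'yes' : 'no', "\n";
```

Run with `php example.php`; the unescaped row reproduces the input markup verbatim, while the escaped row contains only entity-encoded text and a percent-encoded path.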

The fix for this issue was accidentally included
in another patch - fadb367ad (February 1, 2017).
If you are using the master branch of the
extension, you need to ensure that your
copy is newer than February 1.

All versions of the REL1_29 branch have this
fix.

For REL1_28 please ensure that you have the
commit 1e9d612 (July 19, 2017).

For REL1_27 please ensure that you have the
commit aa3401503 (July 19, 2017).

This issue was discovered by Grunny.

For more information, please see:
https://phabricator.wikimedia.org/T134863

Issue 2: Open redirect in AutoLogin

An attacker can cause a user who is
globally logged in, but not logged in
on a specific wiki, to be redirected
to an arbitrary interwiki link, even
for interwiki prefixes without the
iw_local bit set.
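The check implied by the description above is that an autologin return target naming an interwiki prefix should only be followed when that prefix is marked local. The following is an added illustration, not CentralAuth's own code: the interwiki table, the "returnto" values and the function name are constructed for the example. In MediaWiki the iw_local flag is a column of the interwiki table and is read through the Interwiki service rather than from an array like this one.

```php
<?php
// Added example, not code from the CentralAuth extension.
// Resolves an autologin "returnto" value to a redirect URL, refusing
// targets that would leave the local wiki through a non-local
// interwiki prefix. Names and data here are constructed.

// Constructed interwiki table: prefix => [ iw_url, iw_local ].
// Only 'meta' and 'commons' carry the iw_local bit.
$interwikiTable = [
    'meta'    => [ 'url' => 'https://meta.example.org/wiki/$1',    'local' => true ],
    'commons' => [ 'url' => 'https://commons.example.org/wiki/$1', 'local' => true ],
    'evil'    => [ 'url' => 'https://attacker.example/$1',        'local' => false ],
];

/**
 * Return the URL the autologin code may redirect to, or null when the
 * target must not be honoured (the caller then falls back to a safe
 * default such as the local main page).
 */
function resolveReturnTo( string $returnTo, array $interwikiTable ): ?string {
    $returnTo = trim( $returnTo );

    // Absolute and protocol-relative URLs are never valid page titles;
    // refuse them outright instead of letting the browser interpret them.
    if ( preg_match( '#^([a-z][a-z0-9+.-]*:)?//#i', $returnTo ) ) {
        return null;
    }

    // Split a possible interwiki prefix from the title: "prefix:Title".
    $parts  = explode( ':', $returnTo, 2 );
    $prefix = strtolower( $parts[0] );

    if ( count( $parts ) === 2 && isset( $interwikiTable[ $prefix ] ) ) {
        $iw = $interwikiTable[ $prefix ];
        if ( !$iw['local'] ) {
            // Non-local prefix: this is the open-redirect case, refuse.
            return null;
        }
        // Local prefix: expand the interwiki URL pattern with the title.
        return str_replace( '$1', rawurlencode( $parts[1] ), $iw['url'] );
    }

    // No known prefix (plain title, or a namespace such as "Talk:"):
    // stay on this wiki.
    return '/wiki/' . rawurlencode( $returnTo );
}

// Constructed inputs: a plain title, a local interwiki, a non-local
// interwiki, and an absolute URL smuggled in as a title.
$cases = [
    'Main_Page',
    'meta:Privacy_policy',
    'evil:Login',
    '//attacker.example/phish',
    'Talk:Main_Page',
];

foreach ( $cases as $case ) {
    $target = resolveReturnTo( $case, $interwikiTable );
    printf( "%-28s => %s\n", $case, $target === null ? 'REFUSED' : $target );
}
```

Run with `php example.php`. The design choice worth noting is that the function returns null rather than a "corrected" URL for refused targets, so the caller's fallback is explicit and a future change cannot silently widen what gets redirected.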

To get the fix for this issue, please
ensure that your copy of CentralAuth
is from at least July 19, 2017.

Associated git commits:
* Master: 6a84c0cb4e31
* REL1_29: 2a220af1e4ac
* REL1_28: 4acfa2865a05
  (Now requires at least 1.28.1)
* REL1_27: 4db90e20808f
  (Now requires at least 1.27.2)

Associated bug:
https://phabricator.wikimedia.org/T134931

Sincerely,

Brian Wolff
Wikimedia Security Team

