[manjaro-security] [arch-security] [ASA-201608-19] mediawiki: multiple issues

Fri Aug 26 17:34:25 CEST 2016

Arch Linux Security Advisory ASA-201608-19
==========================================

Severity: Medium
Date    : 2016-08-26
CVE-ID  : CVE-2016-6331 CVE-2016-6332 CVE-2016-6333 CVE-2016-6334
          CVE-2016-6335 CVE-2016-6336 CVE-2016-6337
Package : mediawiki
Type    : multiple issues
Remote  : Yes
Link    : https://wiki.archlinux.org/index.php/CVE

Summary
=======

The package mediawiki before version 1.27.1-1 is vulnerable to multiple
issues including cross-site scripting, information disclosure and
permission bypass.

Resolution
==========

Upgrade to 1.27.1-1.

# pacman -Syu "mediawiki>=1.27.1-1"

The problems have been fixed upstream in version 1.27.1.

Workaround
==========

None.

Description
===========

- CVE-2016-6331 (permission bypass)

Check read permission when loading page content in ApiParse.  Prevents
leaking page contents for extensions that deny read rights to certain
pages via a userCan hook, but still allow the user to have read rights
in general.

- CVE-2016-6332 (permission bypass)

Make $wgBlockDisablesLogin also restrict logged in permissions.  Does
both Title and user related methods, so it catches things that only call
$wgUser->isAllowed( 'read' ), as well as giving a nicer error message
for things that use $title->userCan().  Otherwise, the user can still do
stuff and read pages if they have an ongoing session.

- CVE-2016-6333 (cross-site scripting)

Escape '<' and ']]>' in inline <style> blocks.  This is to prevent
people from closing the <style> tag, and then doing arbitrary js-y
things. In particular, this is needed for when previewing user css
pages.  This does not escape '>' since its used as the child selector in
css, and generally speaking, '>' is safe inside the contents of
elements.

- CVE-2016-6334 (cross-site scripting)

rawurldecode was being run on unclosed internal links which could allow
an attacker to insert arbitrary html into the page.

- CVE-2016-6335 (information disclosure)

API: Generate head items in the context of the given title.
$context->getOutput() returns an OutputPage tied to the main
RequestContext at the root of the chain, not to the modified context
we're actually using.

- CVE-2016-6336 (permission bypass)

Do not allow undeleting a revision deleted file if it is the top file.
This prevents admins being able to view suppressed files, by simply
deleting them, and then undeleting only the file revision that they want
to view.

- CVE-2016-6337 (permission bypass)

Move 'UserGetRights' call before application of
Session::getAllowedUserRights(). This prevents hook functions from
accidentally adding rights that should be denied based on the session
grants.  If some extension really needs to be able to override session
grants, add a new hook where the old call was, with documentation
explicitly warning about the security implications.

Impact
======

A remote attacker is able to execute arbitrary javascript code in the
victim's browser, bypass permissions or get information he/she isn't
supposed to see.

References
==========

https://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6331
https://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6332
https://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6333
https://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6334
https://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6335
https://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6336
https://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6337
https://lists.wikimedia.org/pipermail/mediawiki-announce/2016-August/000195.html
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 801 bytes
Desc: not available
URL: <http://lists.manjaro.org/pipermail/manjaro-security/attachments/20160826/8488d8f7/attachment.pgp>