BID:12625

MediaWiki Multiple Unspecified Remote Vulnerabilities

Info

MediaWiki Multiple Unspecified Remote Vulnerabilities

Bugtraq ID:	12625
Class:	Unknown
CVE:	CVE-2005-0534 CVE-2005-0535 CVE-2005-0536
Remote:	Yes
Local:	No
Published:	Feb 22 2005 12:00AM
Updated:	Jul 12 2009 10:56AM
Credit:	These issues were announced by the vendor.
Vulnerable:	MediaWiki MediaWiki 1.3.10 MediaWiki MediaWiki 1.3.9 MediaWiki MediaWiki 1.3.8 MediaWiki MediaWiki 1.3.7 MediaWiki MediaWiki 1.3.6 MediaWiki MediaWiki 1.3.5 MediaWiki MediaWiki 1.3.4 MediaWiki MediaWiki 1.3.3 MediaWiki MediaWiki 1.3.2 MediaWiki MediaWiki 1.3.1 MediaWiki MediaWiki 1.3 Gentoo Linux

Not Vulnerable:	MediaWiki MediaWiki 1.3.11 + Gentoo Linux

Discussion

MediaWiki Multiple Unspecified Remote Vulnerabilities

MediaWiki is reported prone to multiple remote vulnerabilities. The following individual issues are reported:

An unspecified cross-site scripting vulnerability is reported to affect MediaWiki.

An attacker may leverage this issue to have arbitrary script code executed in the browser of an unsuspecting user.

An unspecified directory traversal vulnerability is reported to affect MediaWiki. The issue is reported to exist in the site administration image deletion functionality.

A privileged remote attacker may exploit this vulnerability to deny service for legitimate users.

Exploit / POC

MediaWiki Multiple Unspecified Remote Vulnerabilities

No exploit is required.

Solution / Fix

MediaWiki Multiple Unspecified Remote Vulnerabilities

Solution:
The vendor has released MediaWiki version 1.3.11 to address these vulnerabilities.

Gentoo Linux has released an advisory (GLSA 200502-33) dealing with this issue. Gentoo advises that all MediaWiki users should upgrade to the latest available version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=www-apps/mediawiki-1.3.11"

For more information please see the referenced Gentoo linux advisory.

MediaWiki MediaWiki 1.3