Arch Linux Security Advisory ASA-201512-15
==========================================
Severity: Medium
Date : 2015-12-25
CVE-ID : CVE-2015-8622 CVE-2015-8624 CVE-2015-8625 CVE-2015-8626
CVE-2015-8627 CVE-2015-8628
Package : mediawiki
Type : multiple issues
Remote : Yes
Link : https://wiki.archlinux.org/title/CVE
Summary
=======
The package mediawiki before version 1.26.2-1 is vulnerable to multiple
issues including XSS, timing attack, sensitive information leak,
password-policy bypass and IP-blocking bypass.
Resolution
==========
Upgrade to 1.26.2-1.
# pacman -Syu "mediawiki>=1.26.2-1"
The problem has been fixed upstream in version 1.26.1.
Workaround
==========
None.
Description
===========
- CVE-2015-8622:
(T117899) XSS from wikitext when $wgArticlePath='$1'. Internal review
discovered an XSS vector when MediaWiki is configured with a
non-standard configuration.
- CVE-2015-8624:
(T119309) User::matchEditToken should use constant-time string
comparison. Internal review discovered that tokens were being compared
as strings, which could allow a timing attack.
- CVE-2015-8625:
(T118032) Error thrown by VirtualRESTService when POST variable starts
with '@'. Internal review discovered that MediaWiki was not sanitizing
parameters passed to the curl library, which could cause curl to upload
files from the webserver to an attacker.
- CVE-2015-8626:
(T115522) Passwords generated by User::randomPassword() may be shorter
than $wgMinimalPasswordLength. MediaWiki user Frank R. Farmer reported
that the password reset token could be shorter than the minimum required
password length.
- CVE-2015-8627:
(T97897) Incorrect parsing of IPs for global block. Wikimedia steward
Vituzzu reported that blocking IP addresses with zero-padded octets
resulted in a failure to block the IP address.
- CVE-2015-8628:
(T109724) A combination of Special:MyPage redirects and pagecounts
allows an external site to know the Wikipedia login of a user.
Wikimedia user Xavier Combelle reported a way to identify a user when
detailed page view data is also released.
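An added example (not taken from the advisory or from MediaWiki's code) of the class of bug behind CVE-2015-8627: a block entry stored with zero-padded octets never matches the client's address under raw string comparison, so both sides are canonicalised before comparing. The function names and sample addresses are hypothetical, and padded octets are assumed to be decimal.

```php
<?php
declare(strict_types=1);

// Canonicalise a dotted-quad IPv4 string, e.g. "010.001.002.003" to "10.1.2.3".
// Assumption: padded octets are read as decimal, never as octal.
// Returns null for anything that is not four decimal octets in 0..255.
function normalizeIPv4(string $ip): ?string
{
    $octets = explode('.', trim($ip));
    if (count($octets) !== 4) {
        return null;
    }
    $clean = [];
    foreach ($octets as $octet) {
        // Digits only, at most three: rejects "", "+5", "1e2" and "0x7f".
        if (!preg_match('/^[0-9]{1,3}$/', $octet)) {
            return null;
        }
        $value = (int)$octet; // decimal conversion drops the zero padding
        if ($value > 255) {
            return null;
        }
        $clean[] = (string)$value;
    }
    return implode('.', $clean);
}

// Hypothetical block-list check: compare canonical forms, not raw strings.
function isBlocked(string $clientIp, array $blockList): bool
{
    $client = normalizeIPv4($clientIp);
    if ($client === null) {
        return false; // not IPv4; IPv6 and range blocks are out of scope here
    }
    foreach ($blockList as $entry) {
        if (normalizeIPv4($entry) === $client) {
            return true;
        }
    }
    return false;
}

// Constructed sample data: the block was entered with zero-padded octets.
$blockList = ['192.168.001.010'];
$client = '192.168.1.10'; // form in which the web server reports the address

var_dump(in_array($client, $blockList, true)); // raw string comparison
var_dump(isBlocked($client, $blockList));      // comparison on canonical forms
```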
Impact
======
A remote attacker might be able to access sensitive information by
tricking the server into uploading file content or by a timing attack. A
remote attacker might be able to bypass password policy and IP blocking
measures.
References
==========
https://seclists.org/oss-sec/2015/q4/573
https://access.redhat.com/security/cve/CVE-2015-8622
https://access.redhat.com/security/cve/CVE-2015-8624
https://access.redhat.com/security/cve/CVE-2015-8625
https://access.redhat.com/security/cve/CVE-2015-8626
https://access.redhat.com/security/cve/CVE-2015-8627
https://access.redhat.com/security/cve/CVE-2015-8628