In association with heise online

17 December 2008, 14:00

Security update for MediaWiki

  • Twitter
  • Facebook
  • submit to slashdot
  • StumbleUpon
  • submit to reddit

All MediaWiki users are advised by the developers to upgrade to MediaWiki 1.13.3 – 1.12.2 or 1.6.11, which have been released as a security update to the free software wiki package. David Remahl of Apple's Product Security team identified a number of security issues in the MediaWiki software, which in turn led the developers to further problems. Four vulnerabilities are closed by the update. Cross site scripting vulnerabilities were found in MediaWiki versions 1.13.0 to 1.13.2 and two local script injection vulnerabilities were identified for all MediaWiki versions with uploads enabled. A CSRF (Cross-Site Resource Forgery) vulnerability was discovered in the Special:Import feature, which could allow an attacker to access a legitimate users session on a wiki.

The developers have put an update for 1.12.2 online, but this is unfortunately broken and users are directed to pull the 1.12.2 updates directly from the Subversion repository.

See also:

(djwm)

Print Version | Send by email | Permalink: http://h-online.com/-739403
 


  • July's Community Calendar





The H Open

The H Security

The H Developer

The H Internet Toolkit