Ubuntu
mediawiki package

[CVE-2008-4408] XSS attack vulnerability

Bug #290015 reported by Iain Lane
256
Affects Status Importance Assigned to Milestone
mediawiki (Ubuntu)
Invalid
Undecided
Unassigned
Hardy
Fix Released
Undecided
Iain Lane
Intrepid
Fix Released
Undecided
Iain Lane

Bug Description

Binary package hint: mediawiki

Hi,

the following CVE (Common Vulnerabilities & Exposures) id was
published for mediawiki.

CVE-2008-4408[0]:
Cross-site scripting (XSS) vulnerability in MediaWiki 1.13.1, 1.12.0,
and possibly other versions before 1.13.2 allows remote attackers
to inject arbitrary web script or HTML via the useskin parameter
to an unspecified component.

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4408

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4408

Revision history for this message
Iain Lane (laney) wrote :
Revision history for this message
Iain Lane (laney) wrote :
Revision history for this message
Iain Lane (laney) wrote :

I don't have an exploit for this, I'm afraid.

Tested in Hardy and Intrepid both before and after by creating and updating wikipages, performing various administrative tasks and editing user settings (including skin previews, which is the feature that these patches touch). All seemed to work fine.

Gutsy and Dapper don't appear to be affected as they don't have the same code.

Jamie Strandboge (jdstrand)
Changed in mediawiki:
assignee: nobody → laney
status: New → In Progress
status: New → In Progress
assignee: nobody → laney
Revision history for this message
Jamie Strandboge (jdstrand) wrote :

Thanks for your patches! Your intrepid debdiff had a typo in the distribution name, but in the interest of time, I have fixed it and am uploading.

Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package mediawiki - 1:1.12.0-2ubuntu0.1

---------------
mediawiki (1:1.12.0-2ubuntu0.1) intrepid-security; urgency=low

  * SECURITY UPDATE:
     Cross-site scripting (XSS) vulnerability in MediaWiki 1.13.1, 1.12.0,
     and possibly other versions before 1.13.2 allows remote attackers
     to inject arbitrary web script or HTML via the useskin parameter
     to an unspecified component. (LP: #290015)
     - debian/patches/CVE-2008-4408.patch: Address XSS vulnerability. Based on
       upstream/Debian patch.
     - CVE-2008-4408
     - http://svn.wikimedia.org/viewvc/mediawiki?view=rev&revision=41540
     - http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=501115

 -- Iain Lane <email address hidden> Mon, 27 Oct 2008 19:27:33 +0000

Changed in mediawiki:
status: In Progress → Fix Released
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package mediawiki - 1:1.11.2-2ubuntu0.1

---------------
mediawiki (1:1.11.2-2ubuntu0.1) hardy-security; urgency=low

  * SECURITY UPDATE:
     Cross-site scripting (XSS) vulnerability in MediaWiki 1.13.1, 1.12.0,
     and possibly other versions before 1.13.2 allows remote attackers
     to inject arbitrary web script or HTML via the useskin parameter
     to an unspecified component. (LP: #290015)
     - debian/patches/CVE-2008-4408.patch: Address XSS vulnerability. Based on
       upstream/Debian patch.
     - CVE-2008-4408
     - http://svn.wikimedia.org/viewvc/mediawiki?view=rev&revision=41540
     - http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=501115

 -- Iain Lane <email address hidden> Mon, 27 Oct 2008 20:17:44 +0000

Changed in mediawiki:
status: In Progress → Fix Released
Revision history for this message
Jamie Strandboge (jdstrand) wrote :

Marking Invalid as Jaunty's version (1:1.13.2-1) has the fix.

Changed in mediawiki:
status: New → Invalid
To post a comment you must log in.
This report contains Public Security information  
Everyone can see this security related information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.