CVE-2011-0003: clickjacking vulnerability in mediawiki <1.16.1

Bug #697451 reported by Jonathan Wiltshire
Affects               Status         Importance   Assigned to   Milestone
MediaWiki             Fix Released   High
mediawiki (Debian)    Fix Released   Undecided    Unassigned
mediawiki (Fedora)    Fix Released   Medium
mediawiki (Ubuntu)    Invalid        Medium       Unassigned
  Hardy               Invalid        Undecided    Unassigned
  Karmic              Invalid        Medium       Unassigned
  Lucid               Invalid        Medium       Unassigned
  Maverick            Invalid        Medium       Unassigned
  Natty               Invalid        Medium       Unassigned

Bug Description

Binary package hint: mediawiki

A clickjacking vulnerability was reported in MediaWiki [1]. This could allow a
malicious web site to compromise the account of the user visiting a
MediaWiki-based web site (an attack similar to cross-site scripting). For full
protection, a user needs to be using a browser that supports the
X-Frame-Options feature [2].

MediaWiki 1.16.1 [3] has been released to correct this flaw. For MediaWiki
1.15.x and earlier, a patch [4] is available which denies all framing.

[1] https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2011-0003
[2] https://developer.mozilla.org/en/the_x-frame-options_response_header
[3] http://svn.wikimedia.org/svnroot/mediawiki/tags/REL1_16_1/phase3/RELEASE-NOTES
[4] http://www.mediawiki.org/wiki/Special:Code/MediaWiki/79566

CVE References: CVE-2011-0003

Revision history for this message
In , Tim Starling (tstarling) wrote :

Clickjacking is a type of vulnerability discovered in 2008, which is similar to CSRF.

The attack involves displaying the target webpage in an iframe embedded in a malicious website. Using CSS, the submit button of the form on the target webpage is made invisible, and then overlaid with some button or link on the malicious website that encourages the user to click on it. For more information, see:

  http://en.wikipedia.org/wiki/Clickjacking
  http://www.owasp.org/index.php/Clickjacking

Web browsers have standardised on a defence called X-Frame-Options, which puts the onus on the web application to prevent framing of sensitive content.

Wikipedia user PleaseStand brought it to our attention that despite the passage of more than two years, MediaWiki still had no defence against clickjacking. PleaseStand pointed out that when user or site JavaScript or CSS is enabled ($wgAllowUserJs, $wgAllowUserCss, $wgUseSiteJs or $wgUseSiteCss), clickjacking is essentially equivalent to cross-site scripting (XSS), that is to say, it allows full compromise of the account of the user visiting the malicious website.

A fix will be shortly released, in MediaWiki 1.16.1. Our approach is to allow framing of basic page views and search pages, but to deny framing of special pages unless they have explicitly opted out of clickjacking protection. By taking this moderate approach, instead of denying all framing, we hope to avoid having system administrators disable the security feature by patching it out.

Security-conscious system administrators may wish to disable framing entirely using $wgBreakFrames = true. In MediaWiki 1.16.1 or later, this will provide protection against clickjacking vulnerabilities in extensions which opt out incorrectly or embed sensitive forms on pages which are opted out.

Alternatively, you can configure your web server to send an X-Frame-Options header on all pages. For example with Apache mod_headers:

   Header always set X-Frame-Options DENY

For MediaWiki 1.15.x or earlier branches, we will provide a simplified security patch which denies all framing.

Extensions which wish to allow framing on a given page should do so by calling $wgOut->allowClickjacking(). This should only be done on pages which do not contain CSRF-protected forms or links. Any extension which embeds a CSRF-protected form in an unprotected article view page should call $wgOut->preventClickjacking(), after Article::view() has called $wgOut->allowClickjacking(), to reset the flag.

To be protected against clickjacking, all users need to use a browser which supports the X-Frame-Options header. Our patch does include standard frame-breaking JavaScript code, but this is known to be insufficient for most browsers. See the OWASP article for more details. For information on supported browsers, see:

<https://developer.mozilla.org/en/the_x-frame-options_response_header>

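The following is an added example, not code from MediaWiki or from the comment above. It models two things the comment describes: the attacker page that overlays an invisible iframe on a decoy button, and the decision a browser honouring X-Frame-Options makes when the framed response arrives. It also models the 1.16.1 policy (article views and search frameable, other special pages denied, $wgBreakFrames denying everything, an extension's preventClickjacking() resetting an article view's opt-out) so the policy can be exercised against constructed responses. The function names, the `config` shape, the set of special pages that opt out, and the browser behaviour on conflicting or unrecognised header values (blocked on conflict, ignored when unrecognised, following current browsers) are assumptions for illustration; ALLOW-FROM is obsolete and was never supported by Chrome.

```javascript
'use strict';
// Added example (not MediaWiki code). Parses a raw HTTP response, evaluates the
// X-Frame-Options header as a browser would, and models the MediaWiki 1.16.1
// per-page framing policy described in the comment above. The config shape,
// function names and FRAMEABLE_SPECIAL_PAGES are assumptions for illustration.

// Attacker page: the target is loaded in a fully transparent iframe stacked
// above a decoy button, so a click on "Claim prize" lands on the target's form.
// The pixel offsets are assumed; a real attack tunes them to the target layout.
function attackerPage(targetUrl) {
  return `<!doctype html><html><body>
<button style="position:absolute;top:120px;left:80px;z-index:1">Claim prize</button>
<iframe src="${targetUrl}" style="position:absolute;top:0;left:0;width:900px;height:700px;opacity:0;z-index:2"></iframe>
</body></html>`;
}

// Parse the header block of a raw HTTP/1.x response into {lowercase name: [values]}.
// Repeated headers are kept separately so conflicting X-Frame-Options values show up.
function parseHeaders(rawResponse) {
  const headers = {};
  for (const line of rawResponse.split(/\r?\n/).slice(1)) { // skip the status line
    if (line === '') break;                                 // blank line ends the headers
    const idx = line.indexOf(':');
    if (idx < 0) continue;                                  // tolerate junk lines
    const name = line.slice(0, idx).trim().toLowerCase();
    (headers[name] = headers[name] || []).push(line.slice(idx + 1).trim());
  }
  return headers;
}

// Would a browser that honours X-Frame-Options render `responseUrl` inside a
// frame whose top-level document is `topUrl`? Assumed behaviour, following
// current browsers: DENY blocks; SAMEORIGIN blocks unless the top-level origin
// matches; the obsolete ALLOW-FROM <uri> allows only that origin; repeated headers
// with different directives are a conflict and block; an unrecognised value is
// ignored with a console warning, so a typo such as "DENNY" leaves the page frameable.
function framingAllowed(headers, responseUrl, topUrl) {
  const values = (headers['x-frame-options'] || [])
    .flatMap(v => v.split(','))
    .map(v => v.trim())
    .filter(v => v.length > 0);
  if (values.length === 0) return { allowed: true, reason: 'no X-Frame-Options header' };
  const directives = new Set(values.map(v => v.toUpperCase()));
  if (directives.size > 1) return { allowed: false, reason: 'conflicting X-Frame-Options values' };
  const directive = [...directives][0];
  const topOrigin = new URL(topUrl).origin;
  if (directive === 'DENY') return { allowed: false, reason: 'DENY' };
  if (directive === 'SAMEORIGIN') {
    const same = new URL(responseUrl).origin === topOrigin;
    return { allowed: same, reason: same ? 'SAMEORIGIN, top is same-origin' : 'SAMEORIGIN, top is cross-origin' };
  }
  if (directive.startsWith('ALLOW-FROM ')) {
    const listed = new URL(values[0].slice('ALLOW-FROM '.length).trim()).origin;
    return { allowed: listed === topOrigin, reason: `ALLOW-FROM ${listed}` };
  }
  return { allowed: true, reason: `unrecognised value "${values[0]}" ignored` };
}

// Model of the 1.16.1 policy (assumption: mirrors the stated rules, not OutputPage).
// breakFrames models $wgBreakFrames; preventClickjacking models an extension
// calling $wgOut->preventClickjacking() on an article view that embeds a form.
const FRAMEABLE_SPECIAL_PAGES = new Set(['search']); // assumption: Special:Search opts out

function mediawikiFrameHeader(url, { breakFrames = false, preventClickjacking = false } = {}) {
  if (breakFrames) return 'DENY';                      // deny all framing
  const u = new URL(url);
  const title = u.searchParams.get('title') || decodeURIComponent(u.pathname.replace(/^\/wiki\//, ''));
  const m = /^Special:(.+)$/i.exec(title);
  if (m && !FRAMEABLE_SPECIAL_PAGES.has(m[1].toLowerCase())) return 'DENY';
  return preventClickjacking ? 'DENY' : undefined;     // article views are frameable by default
}

// Build the (constructed) response the wiki would send for `targetUrl` and ask
// the browser model whether the attacker's page at `attackerUrl` may frame it.
function clickjackable(targetUrl, attackerUrl, config) {
  const xfo = mediawikiFrameHeader(targetUrl, config);
  const raw = 'HTTP/1.1 200 OK\r\nContent-Type: text/html; charset=UTF-8\r\n' +
    (xfo ? `X-Frame-Options: ${xfo}\r\n` : '') +
    '\r\n<html><body><form method="post">...</form></body></html>';
  return framingAllowed(parseHeaders(raw), targetUrl, attackerUrl);
}

// Demo on constructed hosts: which pages can evil.example frame under each config?
const WIKI = 'https://wiki.example', ATTACKER = 'https://evil.example/prize.html';
for (const [page, cfg] of [
  ['/wiki/Special:UserLogin', {}],
  ['/wiki/Main_Page', {}],
  ['/wiki/Main_Page', { breakFrames: true }],
  ['/wiki/Main_Page', { preventClickjacking: true }],
]) {
  const r = clickjackable(WIKI + page, ATTACKER, cfg);
  console.log(page, JSON.stringify(cfg), r.allowed ? 'FRAMEABLE' : 'blocked', `(${r.reason})`);
}
```

The demo makes the design trade-off in the comment concrete: with the default 1.16.1 policy an article view stays frameable, so an extension that embeds a CSRF-protected form in an article view must reset the opt-out, while $wgBreakFrames closes that gap at the cost of breaking any legitimate embedding. The conflicting-header and typo cases are the checks worth running against a real deployment that layers an Apache `Header always set` rule on top of what MediaWiki already emits.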
Revision history for this message
In , Vincent (vincent-redhat-bugs) wrote :

This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected Fedora
versions.

For comments that are specific to the vulnerability please use bugs filed
against "Security Response" product referenced in the "Blocks" field.

For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs

When creating a Bodhi update request, please include the bug IDs of the
respective parent bugs filed against the "Security Response" product.
Please mention CVE ids in the RPM changelog when available.

Bodhi update submission link:
https://admin.fedoraproject.org/updates/new/?type_=security&bugs=667199

Please note: this issue affects multiple supported versions of Fedora.
Only one tracking bug has been filed; please only close it when all
affected versions are fixed.

[bug automatically created by: add-tracking-bugs]

Revision history for this message
Jonathan Wiltshire (jwiltshire) wrote :
description: updated
Changed in mediawiki (Debian):
status: New → In Progress
Changed in mediawiki (Debian):
status: In Progress → Fix Released
Changed in mediawiki (Ubuntu):
status: New → In Progress
Revision history for this message
Jamie Strandboge (jdstrand) wrote :

Subscribing ubuntu-security-sponsors and marking Confirmed as per https://wiki.ubuntu.com/SecurityTeam/SponsorsQueue#Notes%20for%20Contributors.

visibility: private → public
Changed in mediawiki (Ubuntu):
status: In Progress → Confirmed
importance: Undecided → Medium
Revision history for this message
Jamie Strandboge (jdstrand) wrote :

This was fixed in 1:1.15.5-2 on Natty.

Changed in mediawiki (Ubuntu Natty):
status: Confirmed → Fix Released
Changed in mediawiki (Ubuntu Lucid):
status: New → Confirmed
importance: Undecided → Medium
Changed in mediawiki (Ubuntu Maverick):
status: New → Confirmed
importance: Undecided → Medium
Changed in mediawiki (Ubuntu Karmic):
status: New → Confirmed
importance: Undecided → Medium
Revision history for this message
In , Fedora (fedora-redhat-bugs) wrote :

mediawiki-1.16.2-56.fc14 has been submitted as an update for Fedora 14.
https://admin.fedoraproject.org/updates/mediawiki-1.16.2-56.fc14

Revision history for this message
In , Fedora (fedora-redhat-bugs) wrote :

mediawiki-1.16.2-56.fc13 has been submitted as an update for Fedora 13.
https://admin.fedoraproject.org/updates/mediawiki-1.16.2-56.fc13

Revision history for this message
In , Fedora (fedora-redhat-bugs) wrote :

mediawiki-1.16.2-56.fc15 has been submitted as an update for Fedora 15.
https://admin.fedoraproject.org/updates/mediawiki-1.16.2-56.fc15

Revision history for this message
In , Fedora (fedora-redhat-bugs) wrote :

mediawiki-1.16.4-57.fc14 has been submitted as an update for Fedora 14.
https://admin.fedoraproject.org/updates/mediawiki-1.16.4-57.fc14

Revision history for this message
In , Fedora (fedora-redhat-bugs) wrote :

mediawiki-1.16.4-57.fc13 has been submitted as an update for Fedora 13.
https://admin.fedoraproject.org/updates/mediawiki-1.16.4-57.fc13

Revision history for this message
In , Fedora (fedora-redhat-bugs) wrote :

mediawiki-1.16.4-57.fc15 has been submitted as an update for Fedora 15.
https://admin.fedoraproject.org/updates/mediawiki-1.16.4-57.fc15

Revision history for this message
In , Fedora (fedora-redhat-bugs) wrote :

Package mediawiki-1.16.4-57.fc14:
* should fix your issue,
* was pushed to the Fedora 14 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing mediawiki-1.16.4-57.fc14'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/mediawiki-1.16.4-57.fc14
then log in and leave karma (feedback).

Revision history for this message
In , Fedora (fedora-redhat-bugs) wrote :

mediawiki-1.16.4-57.fc15 has been pushed to the Fedora 15 stable repository. If problems still persist, please make note of it in this bug report.

Revision history for this message
In , Fedora (fedora-redhat-bugs) wrote :

mediawiki-1.16.4-58.fc14 has been submitted as an update for Fedora 14.
https://admin.fedoraproject.org/updates/mediawiki-1.16.4-58.fc14

Revision history for this message
In , Fedora (fedora-redhat-bugs) wrote :

mediawiki-1.16.4-58.fc13 has been submitted as an update for Fedora 13.
https://admin.fedoraproject.org/updates/mediawiki-1.16.4-58.fc13

Revision history for this message
In , Fedora (fedora-redhat-bugs) wrote :

mediawiki-1.16.4-58.fc15 has been submitted as an update for Fedora 15.
https://admin.fedoraproject.org/updates/mediawiki-1.16.4-58.fc15

Revision history for this message
In , Fedora (fedora-redhat-bugs) wrote :

mediawiki-1.16.4-58.fc15 has been pushed to the Fedora 15 stable repository. If problems still persist, please make note of it in this bug report.

Revision history for this message
In , Fedora (fedora-redhat-bugs) wrote :

mediawiki-1.16.4-58.fc14 has been pushed to the Fedora 14 stable repository. If problems still persist, please make note of it in this bug report.

Revision history for this message
In , Fedora (fedora-redhat-bugs) wrote :

mediawiki-1.16.4-58.fc13 has been pushed to the Fedora 13 stable repository. If problems still persist, please make note of it in this bug report.

Revision history for this message
Jamie Strandboge (jdstrand) wrote :

Thank you for reporting this bug to Ubuntu. karmic has reached EOL
(End of Life) and is no longer supported. As a result, this bug
against karmic is being marked "Won't Fix". Please see
https://wiki.ubuntu.com/Releases for currently supported Ubuntu
releases.

Please feel free to report any other bugs you may find.

Changed in mediawiki (Ubuntu Karmic):
status: Confirmed → Won't Fix
Revision history for this message
Jamie Strandboge (jdstrand) wrote :

Thank you for reporting this bug and helping to make Ubuntu better. The package referred to in this bug is in universe or multiverse and reported against a release of Ubuntu (hardy) which no longer receives updates outside of the explicitly supported LTS packages. While the bug against hardy is being marked "Won't Fix" for now, if you are interested feel free to post a debdiff for this issue. When a debdiff is available, members of the security team will review it and publish the package. See the following link for more information: https://wiki.ubuntu.com/SecurityTeam/UpdateProcedures

Please feel free to report any other bugs you may find.

Changed in mediawiki (Ubuntu Hardy):
status: New → Won't Fix
Changed in mediawiki:
status: Unknown → Incomplete
Changed in mediawiki (Ubuntu):
status: Fix Released → Incomplete
Changed in mediawiki (Ubuntu Lucid):
status: Confirmed → Incomplete
Changed in mediawiki (Ubuntu Maverick):
status: Confirmed → Incomplete
Changed in mediawiki (Ubuntu Natty):
status: Fix Released → Incomplete
Changed in mediawiki (Ubuntu Hardy):
status: Won't Fix → Incomplete
Changed in mediawiki (Ubuntu Karmic):
status: Won't Fix → Incomplete
Changed in mediawiki (Fedora):
status: Unknown → Incomplete
Revision history for this message
Jamie Strandboge (jdstrand) wrote :

Thank you for taking the time to report this bug and helping to make Ubuntu better. Since the package referred to in this bug is in universe or multiverse, it is community maintained. I see that you have attached patches to update the Ubuntu packages to the new upstream version. While this work is appreciated, we cannot publish your patches because this does not follow Ubuntu's policy of backporting security patches. If you are able, perhaps you could prepare debdiffs to fix this by following https://wiki.ubuntu.com/SecurityUpdateProcedures.

Changed in mediawiki:
importance: Unknown → Undecided
status: Incomplete → New
Changed in mediawiki:
importance: Undecided → Unknown
status: New → Unknown
Changed in mediawiki (Ubuntu Lucid):
status: Incomplete → Fix Released
Changed in mediawiki (Ubuntu Natty):
status: Incomplete → Fix Released
Changed in mediawiki (Ubuntu Lucid):
status: Fix Released → Incomplete
Changed in mediawiki (Ubuntu Karmic):
status: Incomplete → Won't Fix
Changed in mediawiki (Ubuntu Hardy):
status: Incomplete → Won't Fix
Changed in mediawiki (Ubuntu):
status: Incomplete → Fix Released
Changed in mediawiki:
importance: Unknown → High
status: Unknown → Fix Released
Revision history for this message
Jamie Strandboge (jdstrand) wrote :

Thank you for reporting this bug to Ubuntu. maverick has reached EOL
(End of Life) and is no longer supported. As a result, this bug
against maverick is being marked "Won't Fix". Please see
https://wiki.ubuntu.com/Releases for currently supported Ubuntu
releases.

Please feel free to report any other bugs you may find.

Revision history for this message
Jamie Strandboge (jdstrand) wrote :

We are closing this bug report because it lacks the information we need to investigate the problem, as described in the previous comments. Please reopen it if you can give us the missing information, and don't hesitate to submit bug reports in the future. To reopen the bug report you can click on the current status, under the Status column, and change the Status back to 'New'. Thanks again!

Changed in mediawiki (Ubuntu):
status: Fix Released → Invalid
Changed in mediawiki (Ubuntu Lucid):
status: Incomplete → Invalid
Changed in mediawiki (Ubuntu Maverick):
status: Incomplete → Invalid
Changed in mediawiki (Ubuntu Natty):
status: Fix Released → Invalid
Changed in mediawiki (Ubuntu Hardy):
status: Won't Fix → Invalid
Changed in mediawiki (Ubuntu Karmic):
status: Won't Fix → Invalid
Changed in mediawiki (Fedora):
status: Incomplete → Invalid
Changed in mediawiki (Fedora):
importance: Unknown → Medium
status: Invalid → Fix Released