Maniphest T87275

MediaWiki Security release 1.24.2
Closed, ResolvedPublic
Actions

Assigned To

Authored By

	csteipp
	Jan 20 2015, 11:02 PM

Tags

Referenced Files

	F107424: mediawiki-1.23.9.patch.gz
	Mar 31 2015, 1:34 PM

	F107423: mediawiki-1.19.24.patch.gz
	Mar 31 2015, 1:34 PM

	F107425: mediawiki-1.24.2.patch.gz
	Mar 31 2015, 1:34 PM

	F107420: mediawiki-i18n-1.23.9.patch.gz
	Mar 31 2015, 1:34 PM

	F107421: mediawiki-i18n-1.24.2.patch.gz
	Mar 31 2015, 1:34 PM

	F107422: mediawiki-i18n-1.19.24.patch.gz
	Mar 31 2015, 1:34 PM

Subscribers

Related Objects
Search...

		Status	Subtype	Assigned	Task
		Resolved		csteipp	T88120 Release MW 1.24.2 and 1.23.9 tarballs
		Resolved		csteipp	T85862 Make iSec assessment public
		Declined		csteipp	T85860 User access roles are public
		Resolved		Bawolff	T85856 Add warning to user Javascript files, warning the contents is public
					Restricted Task
		Resolved		csteipp	T89744 External reference in PDF
		Resolved		csteipp	T89745 Stored XSS in PDF files
		Resolved		csteipp	T87275 MediaWiki Security release 1.24.2
		Resolved		csteipp	T86711 Fix SVG blacklist for animate
		Resolved		csteipp	T85850 Stored XSS in SVG via embedded SVG
		Resolved		csteipp	T85858 Check User page lacks CSRF protection
		Resolved		Parent5446	T64685 Extremely large passwords as DoS
		Resolved		csteipp	T73394 XSS in language converter when used with Html class's tricky escaping
		Resolved		Parent5446	T85349 SVG @import style validation bypass
		Resolved		csteipp	T85851 Reflected XSS in api.php using wddx formatting
		Resolved		csteipp	T85113 Function names aren't sanitized in Lua error backtraces
		Resolved		csteipp	T71210 MediaWiki is vulnerable to XML quadratic blowup attacks
		Resolved		csteipp	T85848 Billion Laughs attack in SVG and XMP Metadata
		Resolved		csteipp	T88310 xml_parse doesn't expand internal entities sometimes
		Resolved		csteipp	T85855 Custom JavaScript may yield privilege escalation

Event Timeline

csteipp created this task.Jan 20 2015, 11:02 PM

csteipp claimed this task.

csteipp raised the priority of this task from to Medium.

csteipp updated the task description. (Show Details)

csteipp added a project: acl*security.

csteipp changed the visibility from "Public (No Login Required)" to "Custom Policy".

csteipp changed the edit policy from "All Users" to "Custom Policy".

csteipp changed Security from None to Software security bug.

csteipp added a subscriber: csteipp.

Restricted Application added a subscriber: Aklapper. · View Herald TranscriptJan 20 2015, 11:02 PM

csteipp added subtasks: T86711: Fix SVG blacklist for animate, T85850: Stored XSS in SVG via embedded SVG, T85858: Check User page lacks CSRF protection, T64685: Extremely large passwords as DoS, T73394: XSS in language converter when used with Html class's tricky escaping, T85349: SVG @import style validation bypass, T85851: Reflected XSS in api.php using wddx formatting, T85848: Billion Laughs attack in SVG and XMP Metadata, T85113: Function names aren't sanitized in Lua error backtraces.Jan 20 2015, 11:08 PM

csteipp closed subtask T86711: Fix SVG blacklist for animate as Resolved.Jan 20 2015, 11:11 PM

csteipp closed subtask T85850: Stored XSS in SVG via embedded SVG as Resolved.

csteipp closed subtask T85858: Check User page lacks CSRF protection as Resolved.

csteipp closed subtask T85349: SVG @import style validation bypass as Resolved.Jan 20 2015, 11:13 PM

csteipp closed subtask T85113: Function names aren't sanitized in Lua error backtraces as Resolved.Jan 20 2015, 11:15 PM

csteipp closed subtask T64685: Extremely large passwords as DoS as Resolved.Jan 23 2015, 8:10 PM

csteipp reopened subtask T85850: Stored XSS in SVG via embedded SVG as Open.Jan 28 2015, 12:26 AM

Legoktm added a parent task: T88120: Release MW 1.24.2 and 1.23.9 tarballs.Jan 30 2015, 9:43 PM

csteipp closed subtask T85850: Stored XSS in SVG via embedded SVG as Resolved.Feb 17 2015, 11:56 PM

csteipp added subtasks: T89745: Stored XSS in PDF files, T89744: External reference in PDF.Feb 21 2015, 12:46 AM

Wondering whether to also add T72510 which has a patch waiting since December.

csteipp closed subtask T85848: Billion Laughs attack in SVG and XMP Metadata as Resolved.Mar 17 2015, 11:33 PM

csteipp added a subtask: T88310: xml_parse doesn't expand internal entities sometimes.Mar 19 2015, 8:20 PM

csteipp added a subtask: T71210: MediaWiki is vulnerable to XML quadratic blowup attacks.Mar 19 2015, 9:17 PM

csteipp added a subtask: T85855: Custom JavaScript may yield privilege escalation.Mar 25 2015, 10:35 PM

csteipp closed subtask T71210: MediaWiki is vulnerable to XML quadratic blowup attacks as Resolved.Mar 28 2015, 5:17 AM

csteipp closed subtask T73394: XSS in language converter when used with Html class's tricky escaping as Resolved.Mar 28 2015, 5:22 AM

csteipp closed subtask T85851: Reflected XSS in api.php using wddx formatting as Resolved.Mar 28 2015, 5:27 AM

csteipp added subscribers: Grunny, ProgramCeltic.Mar 30 2015, 7:56 PM

csteipp removed subtasks: T89744: External reference in PDF, T89745: Stored XSS in PDF files.Mar 30 2015, 8:00 PM

csteipp changed the visibility from "Custom Policy" to "Custom Policy".Mar 31 2015, 12:39 PM

mediawiki-i18n-1.23.9.patch.gz20 BDownload

mediawiki-i18n-1.24.2.patch.gz20 BDownload

mediawiki-i18n-1.19.24.patch.gz20 BDownload

mediawiki-1.19.24.patch.gz8 KBDownload

mediawiki-1.23.9.patch.gz20 KBDownload

mediawiki-1.24.2.patch.gz28 KBDownload

Apparently phabricator can't upload more than 10MB, so I can't post the full versions yet..

csteipp changed the visibility from "Custom Policy" to "Public (No Login Required)".Mar 31 2015, 9:13 PM

csteipp changed the edit policy from "Custom Policy" to "All Users".

csteipp changed Security from Software security bug to None.

Aklapper mentioned this in T94564: Increase Phabricator max upload size.Apr 1 2015, 2:02 PM

Thanks Chris.

csteipp mentioned this in T94565: Adding users to CC on Phabricator security tasks doesn't add them to the view/edit policy.Apr 1 2015, 6:27 PM

Was the security audit published somewhere e.g. on mw.org or wikitech?

Not yet, but T85862 intends to make it public when all of the issues are resolved.

• chasemp added a project: Security.Feb 10 2020, 10:59 PM

• chasemp removed a project: acl*security.Feb 20 2020, 8:18 PM