MediaWiki Multiple Vulnerabilities Fixed by 1.25.3, 1.24.4 and 1.23.11
Description
Several vulnerabilities were reported in MediaWiki:

- CVE-2015-8002: denial of service. A remote attacker could exploit it by uploading chunks of 1 byte for very large files, in order to create a very large number of files on the server's filesystem.

- CVE-2015-8001: denial of service. A remote attacker could exploit it by adding an infinite number of chunks for a single file upload, in order to create a very large number of files on the server's filesystem. The vulnerability is due to the Chunk Upload API, which fails to stop adding new chunks to the upload once the reported size has been exceeded.

- CVE-2015-8005: information disclosure. Thumbnails of PNG files generated with ImageMagick contain the local file path in the image metadata, potentially disclosing sensitive information.

- CVE-2015-8004: improper access control. A remote attacker with the 'viewsuppressed' user right but not the appropriate 'suppressrevision' user right could exploit it in order to undo revisions.

- CVE-2015-8003: no rate limit on uploads.

Updated, 05/11/2015:
MediaWiki announces that multiple other vulnerabilities are fixed by the same versions of MediaWiki:
- CVE-2015-8006: cross-site scripting. A remote attacker could exploit it in order to execute arbitrary JavaScript or HTML code by enticing their victim into following a specially formed link. This vulnerability is located in the way extensions handle page titles.
- CVE-2015-8007: security bypass. A remote attacker with a user account whose username is banned could exploit it to display this username by using the "Thank" feature even if the administrator has activated the "isHidden" flag on the account.
- CVE-2015-8008: security bypass. A remote attacker could exploit it to connect with a blacklisted IP by using an identification token which is still valid. This vulnerability is located in the OAuth extension.
- CVE-2015-8009: security bypass. A remote attacker could exploit it to authenticate himself with another user's secrets by using a different authentication token. This vulnerability is located in the OAuth extension.

Proofs of concept are available.

Updated, 06/06/2016:
The mediawiki packages provided by Debian Wheezy 7 are vulnerable.
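
The server-side accounting that the chunked-upload issues above (CVE-2015-8001 and CVE-2015-8002) call for can be sketched as follows. This is an added example, not MediaWiki's code or its actual patch; the class, the function names and both limits are assumptions chosen for illustration.

```python
from dataclasses import dataclass

# Assumed limits for illustration; these are not MediaWiki configuration values.
MIN_CHUNK_BYTES = 1024   # smallest non-final chunk accepted
MAX_CHUNKS = 10_000      # hard cap on chunk files stored for one upload

class ChunkRejected(Exception):
    """Raised when a chunk violates the upload session's limits."""

@dataclass
class ChunkedUpload:
    """Per-upload accounting for a chunked upload (hypothetical model)."""
    declared_size: int   # total size the client reported up front
    received: int = 0    # bytes accepted so far
    chunks: int = 0      # chunk files written so far

    def accept(self, offset: int, chunk: bytes) -> bool:
        """Validate one chunk; return True once the upload is complete."""
        if self.received >= self.declared_size:
            # CVE-2015-8001 class: stop once the reported size is reached
            raise ChunkRejected("upload already complete")
        if offset != self.received:
            raise ChunkRejected("offset does not match bytes received")
        remaining = self.declared_size - self.received
        if not chunk or len(chunk) > remaining:
            raise ChunkRejected("chunk exceeds declared size")
        # CVE-2015-8002 class: only the final chunk may be below the minimum
        if len(chunk) < MIN_CHUNK_BYTES and len(chunk) != remaining:
            raise ChunkRejected("non-final chunk below minimum size")
        if self.chunks >= MAX_CHUNKS:
            raise ChunkRejected("too many chunks")
        self.received += len(chunk)
        self.chunks += 1
        return self.received == self.declared_size

def replay(declared_size, chunk_sizes):
    """Feed constructed zero-filled chunks; return (chunks stored, rejection or None)."""
    upload = ChunkedUpload(declared_size)
    for size in chunk_sizes:
        try:
            upload.accept(upload.received, b"\0" * size)
        except ChunkRejected as exc:
            return upload.chunks, str(exc)
    return upload.chunks, None
```

With these checks the number of chunk files one upload can create is bounded by the declared size divided by the minimum chunk size, and by the hard cap, regardless of how the client slices the file.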