User:CSteipp (WMF)/SecurityRelease 1.24.1

thumb.php outputs wikitext message as raw html

  • Bug: T76686
  • Affected Versions: ???-1.24.1 (introduced in , fixed in )
  • Type: Security Hardening
  • CVE:
  • Credit: Krinkle

Background:

Issues: The badtitletext message could allow a malicious admin to add a malicious script to MediaWiki in a way that is unlikely to be noticed by other administrators.

Fix: Parse the error message instead of outputting the raw message in thumb.php

Malicious site can bypass CORS restrictions in $wgCrossSiteAJAXdomains

  • Bug: T77028
  • Affected Versions: ???-1.24.1 (introduced in , fixed in )
  • Type: Improper Authorization / CWE-285
  • CVE:
  • Credit: BJorsch (WMF)

Background: Responding with valid CORS headers to requests from another domain can be restricted to a list of domains, set in the array $wgCrossSiteAJAXdomains. The list can include wildcard entries, to cover all subdomains of a single domain.

Issues: The wildcard regex used to test whether a domain was on the list only checked that the string from $wgCrossSiteAJAXdomains was contained somewhere in the requesting site's name, instead of checking that the requesting site was actually a subdomain of the listed domain.

Fix: Parse the error message instead of outputting the raw message in thumb.php
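An added example, not MediaWiki's own origin-matching code, that contrasts an unanchored wildcard check (the failure mode described above) with one anchored to the whole requesting host name; the rule list and host names are constructed:

```php
<?php
// Added illustration (not MediaWiki code): why an unanchored wildcard test
// over-matches, and what an anchored test accepts instead.

// Turn a rule such as "*.example.org" into a regex. With $anchored=false
// the pattern may match anywhere inside the host name, so any host that
// merely contains ".example.org" passes.
function wildcardToRegex( string $rule, bool $anchored ): string {
    $pattern = str_replace( '\*', '.*', preg_quote( $rule, '/' ) );
    return $anchored ? "/^{$pattern}\$/i" : "/{$pattern}/i";
}

// Accept the requesting host if any rule matches.
function originAllowed( string $host, array $rules, bool $anchored ): bool {
    foreach ( $rules as $rule ) {
        if ( preg_match( wildcardToRegex( $rule, $anchored ), $host ) ) {
            return true;
        }
    }
    return false;
}

// Constructed configuration and sample Origin hosts.
$wgCrossSiteAJAXdomains = [ 'wiki.example.org', '*.example.org' ];
$hosts = [
    'wiki.example.org'             => true,  // exact entry
    'maps.example.org'             => true,  // real subdomain
    'evil.example.org.other.test'  => false, // listed name embedded in another host
    'wiki.example.org.other.test'  => false, // same trick against the exact entry
    'other.test'                   => false,
];

foreach ( $hosts as $host => $expected ) {
    printf( "%-30s unanchored=%-5s anchored=%-5s expected=%s\n", $host,
        var_export( originAllowed( $host, $wgCrossSiteAJAXdomains, false ), true ),
        var_export( originAllowed( $host, $wgCrossSiteAJAXdomains, true ), true ),
        var_export( $expected, true ) );
}
```

The two `*.other.test` hosts are accepted by the unanchored check and rejected by the anchored one; the anchored column matches the expected column on every row.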