User:CSteipp (WMF)/SecurityRelease 1.24.1
This page is currently a draft.
thumb.php outputs wikitext message as raw html
- Bug: T76686
- Affected Versions: ???-1.24.1 (introduced in , fixed in )
- Type: Security Hardening
- CVE:
- Credit: Krinkle
Background:
Issues: The badtitletext interface message (wikitext, editable by administrators) was written into thumb.php's output as raw HTML. A malicious administrator could therefore place a script in the message that would run on every thumb.php error page, in a way that is unlikely to be noticed by other administrators reviewing the message.
Fix: Parse the error message instead of outputting the raw message in thumb.php
Malicious site can bypass CORS restrictions in $wgCrossSiteAJAXdomains
- Bug: T77028
- Affected Versions: ???-1.24.1 (introduced in , fixed in )
- Type: Improper Authorization / CWE-285
- CVE:
- Credit: BJorsh (WMF)
Background: Responding with valid CORS headers from another domain can be restricted to a list of domains, set in the array $wgCrossSiteAJAXdomains. The list can include wildcard domains, to include all subdomains of a single domain.
Issues: The wildcard regex used to test whether a requesting origin was on the list only checked that the string from $wgCrossSiteAJAXdomains was contained somewhere in the requesting site's name, instead of checking that the requesting site was that domain or a subdomain of it. A host under an attacker-controlled domain whose name contains a listed domain would therefore pass the check and receive CORS headers.
Fix: Anchor the wildcard match so that the requesting origin must be exactly the listed domain, or a subdomain of it for wildcard entries, rather than merely containing it.
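The following is an added illustration of the wildcard check described above, written in Python rather than taken from MediaWiki's PHP code. It places the substring-style match the issue describes next to an anchored match, with anchoring as the only difference between the two. The allow-list entries and the Origin values are constructed for the example, and the way an Origin header is reduced to a host (ports ignored, anything with a path, query, fragment or userinfo rejected) is this example's own assumption, not MediaWiki's behaviour.

```python
import re
from urllib.parse import urlsplit

# Constructed allow-list in the shape of $wgCrossSiteAJAXdomains. The entries are
# illustrative; they are not taken from any real site's configuration.
CROSS_SITE_AJAX_DOMAINS = ["*.wikipedia.org", "www.mediawiki.org"]


def origin_host(origin):
    """Reduce an Origin header value to its host, or return None if the value is not
    a plain http(s) scheme://host[:port] origin. Origin carries no path, query,
    fragment or userinfo, so anything with those is rejected outright. Ports are
    ignored here; that is a simplification made for this example."""
    parts = urlsplit(origin)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    if parts.path or parts.query or parts.fragment or parts.username:
        return None
    return parts.hostname.lower()


def wildcard_pattern(entry, anchored):
    """Compile one allow-list entry. '*' stands for one or more host labels, so
    '*.wikipedia.org' covers en.wikipedia.org and a.b.wikipedia.org but not
    wikipedia.org itself. Only the anchored form requires the pattern to cover the
    whole host; the unanchored form is satisfied by any substring of it."""
    body = re.escape(entry).replace(r"\*", r"[^.]+(?:\.[^.]+)*")
    return re.compile(r"^" + body + r"$" if anchored else body)


def _allowed(origin, allowed, anchored):
    host = origin_host(origin)
    if host is None:
        return False
    return any(wildcard_pattern(e, anchored).search(host) for e in allowed)


def origin_allowed_vulnerable(origin, allowed=CROSS_SITE_AJAX_DOMAINS):
    """The behaviour the issue describes: the listed name only has to appear
    somewhere inside the requesting host."""
    return _allowed(origin, allowed, anchored=False)


def origin_allowed_fixed(origin, allowed=CROSS_SITE_AJAX_DOMAINS):
    """The requesting host must be the listed host, or a subdomain of it for
    '*.' entries."""
    return _allowed(origin, allowed, anchored=True)


def cors_headers(origin, allowed=CROSS_SITE_AJAX_DOMAINS):
    """Response headers to emit for a request carrying this Origin; an empty
    dict means no cross-site grant. Vary: Origin keeps caches from replaying a
    grant for one origin to another."""
    if not origin_allowed_fixed(origin, allowed):
        return {}
    return {"Access-Control-Allow-Origin": origin, "Vary": "Origin"}


if __name__ == "__main__":
    for origin in (
        "https://en.wikipedia.org",
        "https://en.wikipedia.org.evil.example",
        "https://awww.mediawiki.org",
        "https://wikipedia.org",
    ):
        print(origin, origin_allowed_vulnerable(origin), origin_allowed_fixed(origin))
```

Both checks accept https://en.wikipedia.org. The unanchored check also accepts https://en.wikipedia.org.evil.example and https://awww.mediawiki.org, because the listed names occur inside those hosts; the anchored check rejects both. Neither accepts the bare https://wikipedia.org, since the wildcard entry is meant for subdomains only.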