CVE-2005-0534
CVSS4.3
发布时间 :2005-05-02 00:00:00
修订时间 :2011-03-07 21:20:12
NMCOPS    

[原文]Multiple cross-site scripting (XSS) vulnerabilities in MediaWiki 1.3.x before 1.3.11 and 1.4 beta before 1.4 rc1 allow remote attackers to inject arbitrary web script.


[CNNVD]MediaWiki多个未明远程漏洞(CNNVD-200505-007)

        MediaWiki 1.3.11之前的1.3.x版本以及1.4 rc1之前的1.4 beta版本存在多个跨站脚本(XSS)漏洞,允许远程攻击者注入任意的Web脚本。

- CVSS (基础分值)

CVSS分值: 4.3 [中等(MEDIUM)]
机密性影响: NONE [对系统的机密性无影响]
完整性影响: PARTIAL [可能会导致系统文件被修改]
可用性影响: NONE [对系统可用性无影响]
攻击复杂度: MEDIUM [漏洞利用存在一定的访问条件]
攻击向量: [--]
身份认证: NONE [漏洞利用无需身份认证]

- CPE (受影响的平台与产品)

cpe:/a:mediawiki:mediawiki:1.3.3MediaWiki 1.3.3
cpe:/a:mediawiki:mediawiki:1.4_beta5
cpe:/a:mediawiki:mediawiki:1.3.2MediaWiki 1.3.2
cpe:/a:mediawiki:mediawiki:1.4_beta6
cpe:/a:mediawiki:mediawiki:1.3.7MediaWiki 1.3.7
cpe:/a:mediawiki:mediawiki:1.3.0MediaWiki 1.3.0
cpe:/a:mediawiki:mediawiki:1.4_beta4
cpe:/a:mediawiki:mediawiki:1.3.10MediaWiki 1.3.10
cpe:/a:mediawiki:mediawiki:1.3.8MediaWiki 1.3.8
cpe:/a:mediawiki:mediawiki:1.3.6MediaWiki 1.3.6
cpe:/a:mediawiki:mediawiki:1.4_beta3
cpe:/a:mediawiki:mediawiki:1.3.1MediaWiki 1.3.1
cpe:/a:mediawiki:mediawiki:1.3.5MediaWiki 1.3.5
cpe:/a:mediawiki:mediawiki:1.4_beta2
cpe:/a:mediawiki:mediawiki:1.3.9MediaWiki 1.3.9
cpe:/a:mediawiki:mediawiki:1.3.4MediaWiki 1.3.4
cpe:/a:mediawiki:mediawiki:1.4_beta1

- OVAL (用于检测的技术细节)

未找到相关OVAL定义

- 官方数据库链接

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-0534
(官方数据源) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2005-0534
(官方数据源) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200505-007
(官方数据源) CNNVD

- 其它链接及资源

http://sourceforge.net/project/shownotes.php?release_id=307067
(PATCH)  CONFIRM  http://sourceforge.net/project/shownotes.php?release_id=307067
http://securitytracker.com/id?1013260
(VENDOR_ADVISORY)  SECTRACK  1013260
http://secunia.com/advisories/14360
(VENDOR_ADVISORY)  SECUNIA  14360
http://www.gentoo.org/security/en/glsa/glsa-200502-33.xml
(VENDOR_ADVISORY)  GENTOO  GLSA-200502-33

- 漏洞信息

MediaWiki多个未明远程漏洞
中危 跨站脚本
2005-05-02 00:00:00 2005-10-20 00:00:00
远程  
        MediaWiki 1.3.11之前的1.3.x版本以及1.4 rc1之前的1.4 beta版本存在多个跨站脚本(XSS)漏洞,允许远程攻击者注入任意的Web脚本。

- 公告与补丁

        目前厂商已经发布了升级补丁以修复此安全问题,补丁获取链接:
        http://prdownloads.sourceforge.net/wikipedia/mediawiki-1.3.11.tar.gz?download

- 漏洞信息 (F36406)

Gentoo Linux Security Advisory 200502-33 (PacketStormID:F36406)
2005-03-03 00:00:00
Gentoo  security.gentoo.org
advisory,xss,csrf
linux,gentoo
CVE-2005-0534,CVE-2005-0535,CVE-2005-0536
[点击下载]

Gentoo Linux Security Advisory GLSA 200502-33 - A security audit of the MediaWiki project discovered that MediaWiki is vulnerable to several cross-site scripting and cross-site request forgery attacks, and that the image deletion code does not sufficiently sanitize input parameters. Versions less than 1.3.11 are affected.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory                           GLSA 200502-33
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                            http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Low
     Title: MediaWiki: Multiple vulnerabilities
      Date: February 28, 2005
      Bugs: #80729, #82954
        ID: 200502-33

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

MediaWiki is vulnerable to cross-site scripting, data manipulation and
security bypass attacks.

Background
==========

MediaWiki is a collaborative editing software, used by big projects
like Wikipedia.

Affected packages
=================

    -------------------------------------------------------------------
     Package             /  Vulnerable  /                   Unaffected
    -------------------------------------------------------------------
  1  www-apps/mediawiki      < 1.3.11                        >= 1.3.11

Description
===========

A security audit of the MediaWiki project discovered that MediaWiki is
vulnerable to several cross-site scripting and cross-site request
forgery attacks, and that the image deletion code does not sufficiently
sanitize input parameters.

Impact
======

By tricking a user to load a carefully crafted URL, a remote attacker
could hijack sessions and authentication cookies to inject malicious
script code that will be executed in a user's browser session in
context of the vulnerable site, or use JavaScript submitted forms to
perform restricted actions. Using the image deletion flaw, it is also
possible for authenticated administrators to delete arbitrary files via
directory traversal.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All MediaWiki users should upgrade to the latest available version:

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=www-apps/mediawiki-1.3.11"

References
==========

  [ 1 ] Secunia Advisory SA14125
        http://secunia.com/advisories/14125/
  [ 2 ] CAN-2005-0534
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0534
  [ 3 ] CAN-2005-0535
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0535
  [ 4 ] CAN-2005-0536
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0536

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

  http://security.gentoo.org/glsa/glsa-200502-33.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
http://bugs.gentoo.org.

License
=======

Copyright 2005 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.0

    

- 漏洞信息

14048
MediaWiki Media Links XSS
Remote / Network Access Input Manipulation
Loss of Integrity

- 漏洞描述

Unknown or Incomplete

- 时间线

2005-02-20 Unknow
Unknow Unknow

- 解决方案

Upgrade to version 1.3.11 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

- 相关参考

- 漏洞作者

Unknown or Incomplete

- 漏洞信息

MediaWiki Multiple Unspecified Remote Vulnerabilities
Unknown 12625
Yes No
2005-02-22 12:00:00 2009-07-12 10:56:00
These issues were announced by the vendor.

- 受影响的程序版本

MediaWiki MediaWiki 1.3.10
MediaWiki MediaWiki 1.3.9
MediaWiki MediaWiki 1.3.8
MediaWiki MediaWiki 1.3.7
MediaWiki MediaWiki 1.3.6
MediaWiki MediaWiki 1.3.5
MediaWiki MediaWiki 1.3.4
MediaWiki MediaWiki 1.3.3
MediaWiki MediaWiki 1.3.2
MediaWiki MediaWiki 1.3.1
MediaWiki MediaWiki 1.3
Gentoo Linux
MediaWiki MediaWiki 1.3.11
+ Gentoo Linux

- 不受影响的程序版本

MediaWiki MediaWiki 1.3.11
+ Gentoo Linux

- 漏洞讨论

MediaWiki is reported prone to multiple remote vulnerabilities. The following individual issues are reported:

An unspecified cross-site scripting vulnerability is reported to affect MediaWiki.

An attacker may leverage this issue to have arbitrary script code executed in the browser of an unsuspecting user.

An unspecified directory traversal vulnerability is reported to affect MediaWiki. The issue is reported to exist in the site administration image deletion functionality.

A privileged remote attacker may exploit this vulnerability to deny service for legitimate users.

- 漏洞利用

No exploit is required.

- 解决方案

The vendor has released MediaWiki version 1.3.11 to address these vulnerabilities.

Gentoo Linux has released an advisory (GLSA 200502-33) dealing with this issue. Gentoo advises that all MediaWiki users should upgrade to the latest available version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=www-apps/mediawiki-1.3.11"

For more information please see the referenced Gentoo linux advisory.


MediaWiki MediaWiki 1.3

MediaWiki MediaWiki 1.3.1

MediaWiki MediaWiki 1.3.10

MediaWiki MediaWiki 1.3.2

MediaWiki MediaWiki 1.3.3

MediaWiki MediaWiki 1.3.4

MediaWiki MediaWiki 1.3.5

MediaWiki MediaWiki 1.3.6

MediaWiki MediaWiki 1.3.7

MediaWiki MediaWiki 1.3.8

MediaWiki MediaWiki 1.3.9

- 相关参考

 

 

关于SCAP中文社区

SCAP中文社区是国内第一个以SCAP为主题的中文开放社区。了解更多信息,请查阅[关于本站]

版权声明

CVE/CWE/OVAL均为MITRE公司的注册商标,它们的官方数据源均保存在MITRE公司的相关网站