Message-ID: <e0b017b1-8a38-4ea0-1d0e-fb4f968d79a9@securify.nl>
Date: Mon, 1 May 2017 17:57:05 +0200
From: "Securify B.V." <lists@...urify.nl>
To: fulldisclosure@...lists.org
Subject: Re: [FD] SyntaxHighlight MediaWiki extension allows injection of arbitrary Pygments options

MediaWiki version 1.28.2 and version 1.27.3 were released that include a fix for this issue.

https://lists.wikimedia.org/pipermail/mediawiki-announce/2017-April/000209.html

On 29-04-17 16:41, Securify B.V. wrote:
> ------------------------------------------------------------------------
> SyntaxHighlight MediaWiki extension allows injection of arbitrary
> Pygments options
> ------------------------------------------------------------------------
> Yorick Koster, February 2017
>
> ------------------------------------------------------------------------
> Abstract
> ------------------------------------------------------------------------
> A vulnerability was found in the SyntaxHighlight MediaWiki extension.
> Using this vulnerability it is possible for an anonymous attacker to
> pass arbitrary options to the Pygments library. By specifying specially
> crafted options, it is possible for an attacker to trigger a (stored)
> Cross-Site Scripting condition. In addition, it allows the creating of
> arbitrary files containing user-controllable data. Depending on the
> server configuration, this can be used by an anonymous attacker to
> execute arbitrary PHP code.
>
> ------------------------------------------------------------------------
> See also
> ------------------------------------------------------------------------
> - CVE-2017-0372
> - https://phabricator.wikimedia.org/T158689
> -
> https://lists.wikimedia.org/pipermail/mediawiki-announce/2017-April/000207.html
> (fix not included in this release)
>
> ------------------------------------------------------------------------
> Tested versions
> ------------------------------------------------------------------------
> This issue was tested on SyntaxHighlight version 2.0 as bundled with
> MediaWiki version 1.28.0.
>
> ------------------------------------------------------------------------
> Fix
> ------------------------------------------------------------------------
> This issue was supposed to be fixed in MediaWiki version 1.28.1 and
> version 1.27.2. It appears that the fix was pushed to the git
> repository, but for some reason it was not included in the release
> packages. It is advised to apply the patch committed to Github.
>
> https://github.com/wikimedia/mediawiki-extensions-SyntaxHighlight_GeSHi/commit/2d5a60a89fb3995b73e17df5901d6f023e41df3d
>
> https://github.com/wikimedia/mediawiki-extensions-SyntaxHighlight_GeSHi/commit/a88c5e1dcbdb3e9940c6f55a6744c62a6d62710f
>
>
> ------------------------------------------------------------------------
> Details
> ------------------------------------------------------------------------
> https://www.securify.nl/advisory/SFY20170201/syntaxhighlight_mediawiki_extension_allows_injection_of_arbitrary_pygments_options.html
>

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/