lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Mon, 1 May 2017 17:57:05 +0200
From: "Securify B.V." <lists@...urify.nl>
To: fulldisclosure@...lists.org
Subject: Re: [FD] SyntaxHighlight MediaWiki extension allows injection of
 arbitrary Pygments options

MediaWiki version 1.28.2 and version 1.27.3 were release that include a 
fix for this issue.

https://lists.wikimedia.org/pipermail/mediawiki-announce/2017-April/000209.html


On 29-04-17 16:41, Securify B.V. wrote:
> ------------------------------------------------------------------------
> SyntaxHighlight MediaWiki extension allows injection of arbitrary
> Pygments options
> ------------------------------------------------------------------------
> Yorick Koster, February 2017
>
> ------------------------------------------------------------------------
> Abstract
> ------------------------------------------------------------------------
> A vulnerability was found in the SyntaxHighlight MediaWiki extension.
> Using this vulnerability it is possible for an anonymous attacker to
> pass arbitrary options to the Pygments library. By specifying specially
> crafted options, it is possible for an attacker to trigger a (stored)
> Cross-Site Scripting condition. In addition, it allows the creating of
> arbitrary files containing user-controllable data. Depending on the
> server configuration, this can be used by an anonymous attacker to
> execute arbitrary PHP code.
>
> ------------------------------------------------------------------------
> See also
> ------------------------------------------------------------------------
> - CVE-2017-0372
> - https://phabricator.wikimedia.org/T158689
> - 
> https://lists.wikimedia.org/pipermail/mediawiki-announce/2017-April/000207.html 
> (fix not included in this release)
>
> ------------------------------------------------------------------------
> Tested versions
> ------------------------------------------------------------------------
> This issue was tested on SyntaxHighlight version 2.0 as bundled with
> MediaWiki version 1.28.0.
>
> ------------------------------------------------------------------------
> Fix
> ------------------------------------------------------------------------
> This issue was supposed to be fixed in MediaWiki version 1.28.1 and
> version 1.27.2. It appears that the fix was pushed to the git
> repository, but for some reason it was not included in the release
> packages. It is advised to apply the patch committed to Github.
>
> https://github.com/wikimedia/mediawiki-extensions-SyntaxHighlight_GeSHi/commit/2d5a60a89fb3995b73e17df5901d6f023e41df3d 
>
> https://github.com/wikimedia/mediawiki-extensions-SyntaxHighlight_GeSHi/commit/a88c5e1dcbdb3e9940c6f55a6744c62a6d62710f 
>
>
> ------------------------------------------------------------------------
> Details
> ------------------------------------------------------------------------
> https://www.securify.nl/advisory/SFY20170201/syntaxhighlight_mediawiki_extension_allows_injection_of_arbitrary_pygments_options.html 
>

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Powered by blists - more mailing lists