[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <e0b017b1-8a38-4ea0-1d0e-fb4f968d79a9@securify.nl>
Date: Mon, 1 May 2017 17:57:05 +0200
From: "Securify B.V." <lists@...urify.nl>
To: fulldisclosure@...lists.org
Subject: Re: [FD] SyntaxHighlight MediaWiki extension allows injection of
arbitrary Pygments options
MediaWiki version 1.28.2 and version 1.27.3 were release that include a
fix for this issue.
https://lists.wikimedia.org/pipermail/mediawiki-announce/2017-April/000209.html
On 29-04-17 16:41, Securify B.V. wrote:
> ------------------------------------------------------------------------
> SyntaxHighlight MediaWiki extension allows injection of arbitrary
> Pygments options
> ------------------------------------------------------------------------
> Yorick Koster, February 2017
>
> ------------------------------------------------------------------------
> Abstract
> ------------------------------------------------------------------------
> A vulnerability was found in the SyntaxHighlight MediaWiki extension.
> Using this vulnerability it is possible for an anonymous attacker to
> pass arbitrary options to the Pygments library. By specifying specially
> crafted options, it is possible for an attacker to trigger a (stored)
> Cross-Site Scripting condition. In addition, it allows the creating of
> arbitrary files containing user-controllable data. Depending on the
> server configuration, this can be used by an anonymous attacker to
> execute arbitrary PHP code.
>
> ------------------------------------------------------------------------
> See also
> ------------------------------------------------------------------------
> - CVE-2017-0372
> - https://phabricator.wikimedia.org/T158689
> -
> https://lists.wikimedia.org/pipermail/mediawiki-announce/2017-April/000207.html
> (fix not included in this release)
>
> ------------------------------------------------------------------------
> Tested versions
> ------------------------------------------------------------------------
> This issue was tested on SyntaxHighlight version 2.0 as bundled with
> MediaWiki version 1.28.0.
>
> ------------------------------------------------------------------------
> Fix
> ------------------------------------------------------------------------
> This issue was supposed to be fixed in MediaWiki version 1.28.1 and
> version 1.27.2. It appears that the fix was pushed to the git
> repository, but for some reason it was not included in the release
> packages. It is advised to apply the patch committed to Github.
>
> https://github.com/wikimedia/mediawiki-extensions-SyntaxHighlight_GeSHi/commit/2d5a60a89fb3995b73e17df5901d6f023e41df3d
>
> https://github.com/wikimedia/mediawiki-extensions-SyntaxHighlight_GeSHi/commit/a88c5e1dcbdb3e9940c6f55a6744c62a6d62710f
>
>
> ------------------------------------------------------------------------
> Details
> ------------------------------------------------------------------------
> https://www.securify.nl/advisory/SFY20170201/syntaxhighlight_mediawiki_extension_allows_injection_of_arbitrary_pygments_options.html
>
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
Powered by blists - more mailing lists