FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

mediawiki -- authenticated CSRF vulnerability

Affected packages
mediawiki < 1.15.3

Details

VuXML ID 694da5b4-5877-11df-8d80-0015587e2cc1
Discovery 2010-04-07
Entry 2010-05-05

A MediaWiki security announcement reports:

MediaWiki was found to be vulnerable to login CSRF. An attacker who controls a user account on the target wiki can force the victim to log in as the attacker, via a script on an external website.

If the wiki is configured to allow user scripts, say with "$wgAllowUserJs = true" in LocalSettings.php, then the attacker can proceed to mount a phishing-style attack against the victim to obtain their password.
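The defence against the login CSRF described in the announcement is a per-session secret token that the login form must echo back, which is what MediaWiki 1.15.3 added. The following is an added illustration, not MediaWiki's own code: a minimal PHP login handler that issues a random token bound to the session, embeds it in the form, and rejects any POST that does not carry it. The function names and the field names `wpName`, `wpPassword` and `wpLoginToken` are assumptions made for this example.

```php
<?php
// Added example (not MediaWiki's own code): a login form protected against
// login CSRF with a per-session token. Field and function names are assumed.

declare(strict_types=1);

session_start();

// Issue a random token bound to this session (or reuse the current one).
function issueLoginToken(): string
{
    if (empty($_SESSION['login_token'])) {
        $_SESSION['login_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['login_token'];
}

// Return true only if the submitted token matches the session's token.
// hash_equals() compares in constant time, so a mismatch leaks no timing info.
function verifyLoginToken(?string $submitted): bool
{
    $expected = $_SESSION['login_token'] ?? null;
    if ($expected === null || $submitted === null) {
        return false;
    }
    return hash_equals($expected, $submitted);
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!verifyLoginToken($_POST['wpLoginToken'] ?? null)) {
        // A form submitted from an external site cannot know the token stored
        // in the victim's session: refuse it and rotate the token.
        unset($_SESSION['login_token']);
        http_response_code(403);
        echo 'Login token mismatch; please submit the login form again.';
        exit;
    }
    // Token is valid: normal credential checking would follow here (omitted).
    // Rotate the token after use so it cannot be replayed.
    unset($_SESSION['login_token']);
    echo 'Token accepted; credentials would be checked here.';
    exit;
}

$token = issueLoginToken();
?>
<form method="post" action="">
  <input type="text" name="wpName" placeholder="Username">
  <input type="password" name="wpPassword" placeholder="Password">
  <input type="hidden" name="wpLoginToken"
         value="<?= htmlspecialchars($token, ENT_QUOTES, 'UTF-8') ?>">
  <button type="submit">Log in</button>
</form>
```

The token must be tied to the session cookie of the browser that renders the form, not a global constant; an attacker's page can host a copy of the form but cannot read the victim's session. On a wiki that cannot upgrade immediately, leaving `$wgAllowUserJs` at its default of `false` removes the second stage of the attack the announcement describes, since the forced login alone then gives the attacker no script running in the victim's browser.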

References

CVE Name CVE-2010-1150
URL http://lists.wikimedia.org/pipermail/mediawiki-announce/2010-April/000090.html
URL https://bugzilla.wikimedia.org/show_bug.cgi?id=23076