FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

mediawiki -- two security vulnerabilities

Affected packages
mediawiki < 1.15.4

Details

VuXML ID fc55e396-6deb-11df-8b8e-000c29ba66d2
Discovery 2010-05-28
Entry 2010-06-02

Two security vulnerabilities were discovered:

Noncompliant CSS parsing behaviour in Internet Explorer allows attackers to construct CSS strings which are treated as safe by previous versions of MediaWiki, but are decoded to unsafe strings by Internet Explorer.

A CSRF vulnerability was discovered in our login interface. Although regular logins are protected as of 1.15.3, it was discovered that the account creation and password reset features were not protected from CSRF. This could lead to unauthorised access to private wikis.

References

URL http://lists.wikimedia.org/pipermail/mediawiki-announce/2010-May/000091.html
URL http://secunia.com/advisories/39922/