nessus / Tenable / 9473.PRM
History: Aug 05, 2016 - 12:00 a.m.

MediaWiki < 1.23.12 / 1.24.5 / 1.25.4 / 1.26.1 Multiple Vulnerabilities

2016-08-05 00:00:00
Tenable
www.tenable.com

CVSS2: 6.8 Medium
  Attack Vector: NETWORK
  Attack Complexity: MEDIUM
  Authentication: NONE
  Confidentiality Impact: PARTIAL
  Integrity Impact: PARTIAL
  Availability Impact: PARTIAL
  Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P

CVSS3: 9.8 High
  Attack Vector: NETWORK
  Attack Complexity: LOW
  Privileges Required: NONE
  User Interaction: NONE
  Scope: UNCHANGED
  Confidentiality Impact: HIGH
  Integrity Impact: HIGH
  Availability Impact: HIGH
  Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS: 0.006 Low
  Percentile: 78.6%

The installed version of MediaWiki is 1.23.x earlier than 1.23.12, 1.24.x earlier than 1.24.5, 1.25.x earlier than 1.25.4, or 1.26.x earlier than 1.26.1. It is therefore affected by multiple vulnerabilities:

  • A flaw exists that allows a cross-site scripting (XSS) attack. This flaw exists because the ‘includes/Setup.php’ script does not ensure that the ‘wgArticlePath’ variable is set to an absolute path. This may allow a remote attacker to create a page with a specially crafted name referenced by another page, allowing the execution of arbitrary script code in a user’s browser session within the trust relationship between their browser and the server. (CVE-2015-8622)
  • A flaw in the ‘User::matchEditToken()’ function within ‘includes/user/User.php’ is due to the program failing to use constant-time string comparisons. This may allow a remote attacker to conduct a timing attack in order to determine tokens. (CVE-2015-8623, CVE-2015-8624)
  • A flaw exists within the ‘CurlHttpRequest::execute()’ function inside of ‘includes/HttpFunctions.php’ and the ‘MultiHttpClient::getCurlHandle()’ function inside of ‘includes/libs/MultiHttpClient.php’. The issue is triggered as the functions do not properly handle POST parameters starting with an ‘@’ character. This may allow a remote attacker to potentially disclose the contents of arbitrary files. (CVE-2015-8625)
  • A flaw within the ‘PasswordFactory::generateRandomPasswordString()’ function in ‘includes/password/PasswordFactory.php’ is triggered as the ‘User::randomPassword()’ method generates passwords without honoring configured policies for minimum password lengths. This may result in users having weaker passwords than intended. (CVE-2015-8626)
  • A flaw exists within the ‘includes/utils/IP.php’ script that is due to the application failing to properly parse IP addresses. This may cause an administrative user to accidentally block IP addresses not intended to be blocked. (CVE-2015-8627)
  • A flaw is triggered when handling a redirect from multiple pages. With a specially crafted web page, a context-dependent attacker can disclose the username for a given user. (CVE-2015-8628)
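
The affected-version ranges stated above can be turned into an inventory check. The following is an added example, not Tenable's plugin logic or MediaWiki code; the function names, the sample hosts, and the handling of pre-release suffixes are assumptions.

```python
import re

# Fixed patch level per branch, taken from the ranges stated in the advisory.
FIXED = {(1, 23): 12, (1, 24): 5, (1, 25): 4, (1, 26): 1}

# Accepts "1.26.0", "1.26.0-rc.1" or a generator string such as "MediaWiki 1.26.0".
_VERSION_RE = re.compile(
    r"^(?:MediaWiki\s+)?(\d+)\.(\d+)(?:\.(\d+))?(?:[-.]?(alpha|beta|rc)[-.]?\d*)?$",
    re.IGNORECASE,
)


def parse_version(text):
    """Return (major, minor, patch, is_prerelease); raise ValueError if unparsable."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised MediaWiki version: {text!r}")
    # A missing patch component ("1.26") is treated as patch 0 (assumption).
    return int(m.group(1)), int(m.group(2)), int(m.group(3) or 0), m.group(4) is not None


def is_affected(text):
    """True/False for the four branches the advisory names, None for any other branch."""
    major, minor, patch, prerelease = parse_version(text)
    fixed_patch = FIXED.get((major, minor))
    if fixed_patch is None:
        return None  # the advisory makes no statement about this branch
    if patch < fixed_patch:
        return True
    # Assumption: a pre-release of the fixed version is treated as still affected.
    return patch == fixed_patch and prerelease


def triage(inventory):
    """Map each host to True (affected), False (fixed) or None (branch not covered)."""
    return {host: is_affected(version) for host, version in inventory.items()}


# Constructed sample inventory; hostnames and versions are made up for illustration.
SAMPLE_INVENTORY = {
    "wiki-a.example": "MediaWiki 1.23.11",
    "wiki-b.example": "1.24.5",
    "wiki-c.example": "1.26.0-rc.1",
    "wiki-d.example": "1.27.0",
}

if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(host, {True: "AFFECTED", False: "fixed", None: "not covered"}[status])
```

A result of None means the branch falls outside the four ranges the advisory names, so it needs a separate check rather than being read as safe.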
Vendor: mediawiki
Product: mediawiki
Version:
CPE: cpe:/a:mediawiki:mediawiki