4e549075ab
Two security issues were discovered: A CSS validation issue was discovered which allows editors to display external images in wiki pages. This is a privacy concern on public wikis, since a malicious user may link to an image on a server they control, which would allow that attacker to gather IP addresses and other information from users of the public wiki. All sites running publicly-editable MediaWiki installations are advised to upgrade. All versions of MediaWiki (prior to this one) are affected. A data leakage vulnerability was discovered in thumb.php which affects wikis which restrict access to private files using img_auth.php, or some similar scheme. All versions of MediaWiki since 1.5 are affected. Deleting thumb.php is a suitable workaround for private wikis which do not use $wgThumbnailScriptPath or $wgLocalRepo['thumbScriptUrl']. Alternatively, you can upgrade to MediaWiki 1.15.2 or backport the patch below to whatever version of MediaWiki you are using. |
||
|---|---|---|
| .. | ||
| files | ||
| DESCR | ||
| distinfo | ||
| Makefile | ||
| MESSAGE | ||
| options.mk | ||
| PLIST | ||