Bug 131233 (CVE-2005-3167)

Summary: VUL-0: CVE-2005-3167: mediawiki XSS
Product: [Novell Products] SUSE Security Incidents Reporter: Christoph Thiel <cthiel>
Component: IncidentsAssignee: Security Team bot <security-team>
Status: RESOLVED FIXED QA Contact: Security Team bot <security-team>
Severity: Normal    
Priority: P5 - None CC: security-team
Version: unspecified   
Target Milestone: ---   
Hardware: Other   
OS: Other   
Whiteboard: CVE-2005-3167: CVSS v2 Base Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
Found By: Other Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---

Description Christoph Thiel 2005-10-28 09:54:36 UTC 
Looks like our current mediawiki on 10.0 is affected by this (I didn't check older distros, but they might be affected as well):

http://sourceforge.net/project/shownotes.php?release_id=361505

== MediaWiki 1.4.11 ==

(released 2005-10-05)

MediaWiki 1.4.11 is a security maintenance release. Unsafe handling of CSS
by Microsoft Internet Explorer could be exploited to produce cross-site
scripting attacks by JavaScript injection to clients running that browser.

This release blacklists several additional variants from use in HTML inline
style attributes.

All publicly accessible wikis are recommended to upgrade to reduce the risk
to visitors using Microsoft web browsers.

Note: the MediaWiki 1.4.x series is not compatible with PHP 5.0.5 or higher.
Upgrade to the 1.5.0 release if you require this version of PHP 5.
Comment 1 Anna Maresova 2005-11-04 08:25:47 UTC 
Fixes for released products submitted. I just took it from upstream, I cannot test it because I do not have IE.

Fix for stable will come soon with upgrade to 1.5.2 but I must consult it with former maintainer.
Comment 2 Ludwig Nussel 2005-11-07 12:04:49 UTC 
CVE-2005-3167
Maintenance-Tracker-2753
Comment 3 Ludwig Nussel 2005-11-16 15:23:48 UTC 
updates released
Comment 4 Thomas Biege 2009-10-13 21:45:52 UTC 
CVE-2005-3167: CVSS v2 Base Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)