On 18 Dec 2014, at 09:01, Brian Wolff wrote:
> I don't disagree that it's a bug, but in order to exploit it a user would have to:
> * Convince a user to go to a rather obscure thumb.php page
> * Already have the ability to add JavaScript to any page on the wiki
>
> In which case, why wouldn't evil malicious user j
>>
>
> Not entirely. Unlike the message "copyright", the message used on thumb.php
> ("badtitletext") is not a "raw HTML" message. It is meant to be parsed and
> displayed regularly. And always was. Except it was re-used for thumb.php, and
> forgotten to be parsed there. I won't go into details, but
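As an added example (not MediaWiki's code), the following hypothetical PHP model shows the distinction described above: a "raw HTML" message such as "copyright" may be emitted as-is, whereas a wikitext message such as "badtitletext" must pass through the parser, which escapes markup before rendering it. `parseWikitext`, `renderMessage`, `thumbErrorVulnerable` and `thumbErrorFixed` are stand-ins, and the message contents are constructed samples.

```php
<?php
// Hypothetical model of the bug class: messages are either trusted raw HTML
// (emitted as-is) or wikitext (must be parsed/escaped before output).
$messages = [
    'copyright'    => ['raw' => true,  'text' => '<a href="/wiki/License">License</a>'],
    // Constructed sample: an editor with MediaWiki-namespace rights changed this
    // message; wikitext messages may legitimately contain '''bold''' markup.
    'badtitletext' => ['raw' => false, 'text' => "'''Bad title''' <script>alert(1)</script>"],
];

// Minimal stand-in for the wikitext parser: escape all HTML first, then turn
// '''x''' into <b>x</b>. The real parser is far richer; escaping first is the point.
function parseWikitext(string $text): string {
    $safe = htmlspecialchars($text, ENT_COMPAT | ENT_SUBSTITUTE, 'UTF-8');
    return preg_replace("/'''(.+?)'''/", '<b>$1</b>', $safe);
}

// Single rendering path for every message: raw HTML messages pass through,
// wikitext messages are parsed (and therefore escaped).
function renderMessage(array $messages, string $key): string {
    $msg = $messages[$key];
    return $msg['raw'] ? $msg['text'] : parseWikitext($msg['text']);
}

// Before: the error path echoed the message text directly, so the wikitext
// message reached the browser as raw HTML (the script tag is live).
function thumbErrorVulnerable(array $messages): string {
    return '<html><body>' . $messages['badtitletext']['text'] . '</body></html>';
}

// After: the error path uses the same render step as every other page.
function thumbErrorFixed(array $messages): string {
    return '<html><body>' . renderMessage($messages, 'badtitletext') . '</body></html>';
}

echo thumbErrorVulnerable($messages), "\n";
echo thumbErrorFixed($messages), "\n";
```

The fixed output contains `<b>Bad title</b> &lt;script&gt;alert(1)&lt;/script&gt;`, so the injected tag is displayed as text instead of executed.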
On 18 Dec 2014, at 06:44, Brian Wolff wrote:
>>
>> == Security fixes in 1.24.1, 1.23.8, 1.22.15 and 1.19.23 ==
>> * (bug T76686) [SECURITY] thumb.php outputs wikitext message as raw HTML,
>> which could lead to XSS. Permission to edit the MediaWiki namespace is
>> required to exploit this.
>
>
On Thu, 18 Dec 2014 07:44:59 +0100, Brian Wolff wrote:
== Security fixes in 1.24.1, 1.23.8, 1.22.15 and 1.19.23 ==
* (bug T76686) [SECURITY] thumb.php outputs wikitext message as raw HTML,
which could lead to XSS. Permission to edit the MediaWiki namespace is
required to exploit this.
Rea
>
> == Security fixes in 1.24.1, 1.23.8, 1.22.15 and 1.19.23 ==
> * (bug T76686) [SECURITY] thumb.php outputs wikitext message as raw HTML,
> which could lead to XSS. Permission to edit the MediaWiki namespace is
> required to exploit this.
Really? That's stretching the definition of a security
Hello everyone,
I would like to announce the release of MediaWiki 1.24.1, 1.23.8, 1.22.15 and
1.19.23. This is a regular security and maintenance release. Download links are
given at the end of this email. Please note that this release marks the end of
life for the MediaWiki 1.22 branch.
== Securit