Please do not reply directly to this email. All additional comments should be made in the comments box of this bug report.
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=228763
Summary: CVE-2007-0894: mediawiki full path disclosure
Product: Fedora Extras
Version: fc6
Platform: All
OS/Version: Linux
Status: NEW
Severity: medium
Priority: normal
Component: mediawiki
AssignedTo: Axel.Thimm@ATrpms.net
ReportedBy: ville.skytta@iki.fi
QAContact: extras-qa@fedoraproject.org
CC: fedora-security-list@redhat.com, fedora@theholbrooks.org, roozbeh@farsiweb.info
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-0894
"MediaWiki before 1.9.2 allows remote attackers to obtain sensitive information via a direct request to (1) Simple.deps.php, (2) MonoBook.deps.php, (3) MySkin.deps.php, or (4) Chick.deps.php in wiki/skins, which shows the installation path in the resulting error message."
1.8.3 (current FE6) is not listed as vulnerable in the CVE entry; I don't know if the omission is intentional. And whether installation path disclosure is an issue with Fedora packages can also be debated; reporting here just in case there's more to it.
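A defender-side check, added here as an example and not part of the bug report: it scans constructed Apache combined-format access log lines for direct requests to the four skin dependency files named in the CVE, which ordinary wiki page views never fetch. The log-format regex, the sample lines and the function names are assumptions.

```python
import re
from collections import Counter

# Skin dependency files named in CVE-2007-0894; a direct request to any of
# them makes MediaWiki < 1.9.2 emit an error that contains the install path.
DEPS_FILES = ("Simple.deps.php", "MonoBook.deps.php",
              "MySkin.deps.php", "Chick.deps.php")

# Apache "combined" log format (constructed regex, not from the report).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+')

# Match the file name directly under a skins/ directory, with or without a query string.
DEPS_PATH_RE = re.compile(
    r'/skins/(?:' + '|'.join(re.escape(f) for f in DEPS_FILES) + r')(?:\?|$)')

def find_direct_deps_requests(lines):
    """Return (ip, path, status) for every request that hits a .deps.php
    file directly. Unparseable lines are skipped rather than raising."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        if DEPS_PATH_RE.search(m.group("path")):
            hits.append((m.group("ip"), m.group("path"), int(m.group("status"))))
    return hits

def offenders(lines, threshold=1):
    """Count hits per client IP; even a single request is worth a look,
    since nothing legitimate loads these files over HTTP."""
    counts = Counter(ip for ip, _, _ in find_direct_deps_requests(lines))
    return {ip: n for ip, n in counts.items() if n >= threshold}

# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    '203.0.113.5 - - [14/Feb/2007:16:40:01 -0500] "GET /wiki/index.php/Main_Page HTTP/1.1" 200 5120',
    '198.51.100.7 - - [14/Feb/2007:16:41:13 -0500] "GET /wiki/skins/MonoBook.deps.php HTTP/1.1" 200 312',
    '198.51.100.7 - - [14/Feb/2007:16:41:14 -0500] "GET /wiki/skins/Chick.deps.php?x=1 HTTP/1.1" 200 298',
    '203.0.113.5 - - [14/Feb/2007:16:42:55 -0500] "GET /wiki/skins/monobook/main.css HTTP/1.1" 200 8800',
    'garbage line that does not parse',
]

if __name__ == "__main__":
    for ip, path, status in find_direct_deps_requests(SAMPLE_LOG):
        print(f"{ip} requested {path} -> {status}")
    print(offenders(SAMPLE_LOG))
```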
Axel.Thimm@ATrpms.net changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |ASSIGNED
------- Additional Comments From Axel.Thimm@ATrpms.net 2007-02-14 16:45 EST -------
Thanks for the heads-up (1.8.3 should be vulnerable as well; it was probably forgotten in the list of vulnerable versions).
Indeed for the package we aren't losing any more information than the attacker would already know (unless he doesn't even know he's attacking a Fedora server). For F7 upwards (and most possibly backporting to FC6/FC5) the code and data are being separated (code moves to %{_datadir}), so there won't be any direct requests possible at all. But this still needs some testing in F7/devel.
------- Additional Comments From Axel.Thimm@ATrpms.net 2007-02-22 06:50 EST -------
There is an update of mediawiki which, among other fixes, includes this one.
FC-5 and FC-6 will be updated to 1.8.4. F7 will be updated to 1.9.3.
I'll close this bug once the packages make it to the master repo.
Thanks!
Axel.Thimm@ATrpms.net changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|ASSIGNED                    |CLOSED
         Resolution|                            |CURRENTRELEASE
   Fixed In Version|                            |1.8.4-8