Mailinglist Archive: opensuse (982 mails)

[opensuse] MediaWiki exploit - check your site...
All,

I was hit by a mediawiki exploit this past week that affected versions at least up to and including 122.2. I am still working to determine the exact exploit used or whether this may be a new one. From what I can gather, either by cross-site scripting (XSS) or cross-site request forgery (CSRF) an exploit existed that allowed an attacker to bypass the normal page/user creation protections, captcha and response e-mail to generate an account and gain privileges to use wiki mail for outbound spam. The postfix smtp sender/client restrictions were defeated by sending outbound as a valid system user using the UID of the web-user (e.g. http, www, etc.).

This attack is automated and will generate thousands of users/pages and outbound mails in a relatively short amount of time. Since the inbound connection is via http (instead of, say, a login attempt via ssh), the normal anvil/fail2ban restrictions are not implicated. After reviewing the listed CVEs at:

http://www.cvedetails.com/product/4125/Mediawiki-Mediawiki.html?vendor_id=2360

I'm not sure this exploit is among those listed. Mediawiki seems to be the only web-application affected by this exploit.

So, if you run mediawiki, update to the latest 1.23.3 and check your logs often. If you are hit and need to get rid of 10,000 additions to your server, drop a reply. Direct deletion/truncation from the mysql tables themselves is the easiest way to recover.

--
David C. Rankin, J.D.,P.E.
--
To unsubscribe, e-mail: opensuse+unsubscribe@xxxxxxxxxxxx
To contact the owner, e-mail: opensuse+owner@xxxxxxxxxxxx
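The "check your logs often" advice above, as an added example that is not part of the original mail: a small Python script that scans Apache combined-format access-log lines for bursts of account-creation or wiki-mail POSTs from a single client, which is the traffic pattern an automated signup/spam run leaves behind. It assumes the standard MediaWiki 1.22/1.23 Special:UserLogin signup and Special:EmailUser URLs and uses a constructed sample log.

```python
"""Flag clients that POST to MediaWiki signup / EmailUser pages in bursts."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache "combined" log format; the %t field looks like [10/Aug/2014:03:12:07 +0000]
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
# Assumed MediaWiki 1.22/1.23 URL layout: signup submits to Special:UserLogin with
# type=signup (older links use Special:CreateAccount); wiki mail is Special:EmailUser.
SUSPECT = re.compile(r'Special:(UserLogin\S*type=signup|CreateAccount|EmailUser)', re.I)


def parse(line):
    """Return (ip, timestamp, method, path) for a combined-format line, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group('ts').split()[0], '%d/%b/%Y:%H:%M:%S')
    return m.group('ip'), ts, m.group('method'), m.group('path')


def find_bursts(lines, threshold=5, window=timedelta(minutes=10)):
    """Return {ip: total suspect POSTs} for IPs with more than `threshold` suspect POSTs in any `window`."""
    events = defaultdict(list)
    for line in lines:
        rec = parse(line)
        if rec and rec[2] == 'POST' and SUSPECT.search(rec[3]):
            events[rec[0]].append(rec[1])
    flagged = {}
    for ip, times in events.items():
        times.sort()
        start = 0                       # sliding window over this client's timestamps
        for end, t in enumerate(times):
            while t - times[start] > window:
                start += 1
            if end - start + 1 > threshold:
                flagged[ip] = len(times)
                break
    return flagged


BURST_IP, NORMAL_IP = '203.0.113.5', '198.51.100.7'   # RFC 5737 documentation addresses
SIGNUP = '/index.php?title=Special:UserLogin&action=submitlogin&type=signup'
SAMPLE_LOG = [  # constructed lines in Apache combined format, not a real log
    f'{BURST_IP} - - [10/Aug/2014:03:12:{s:02d} +0000] "POST {SIGNUP} HTTP/1.1" 302 -'
    for s in range(0, 60, 9)            # seven signups inside one minute
] + [
    f'{NORMAL_IP} - - [10/Aug/2014:03:13:00 +0000] "GET /index.php?title=Main_Page HTTP/1.1" 200 5120',
    f'{NORMAL_IP} - - [10/Aug/2014:03:14:00 +0000] "POST {SIGNUP} HTTP/1.1" 302 -',
]

if __name__ == '__main__':
    print(find_bursts(SAMPLE_LOG))      # {'203.0.113.5': 7}
```

On a live server, feed it `sys.stdin` from `tail -f` on the access log and tune `threshold` to your wiki's normal signup rate.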
