Mailinglist Archive: opensuse (982 mails)

< Previous Next >
Re: [opensuse] MediaWiki exploit - check your site...
On 21/09/14 18:20, David C. Rankin wrote:

I was hit by a mediawiki exploit that past week that affected versions at least up to and including 122.2. I am still working to determine the exact exploit used or whether this may be a new one. From what I can gather, either by cross-site-scripting (XSS) or cross-site request forgery (CSRF) an exploit existed that allowed an attacker to bypass the normal page/user creation protections, captcha and response e-mail to generate an account and gain privileges to use wiki mail for outbound spam. The postfix smtp sender/client restrictions were defeated by sending outbound as a valid system user using the UID of the web-user (e.g. http, www, etc.).

This attack is automated and will generate thousands of users/pages and outbound mails in a relatively short amount of time. Since the inbound connection is via http (instead of say a login attempt via ssh), the normal anvil/fail2ban restrictions are not implicated. After reviewing the listed CVE's at:

I'm not sure this exploit is among those listed. Mediawiki seems to be the only web-application affected by this exploit.

So, if you run mediawiki, update to the latest 1.23.3 and check your logs often. If you are hit and need to get rid of 10,000 additions to your server, drop a reply. Direct deletion/truncation from the mysql tables themselves are easiest way to recover.

Isn't mediawiki part of the LibreOffice suite?

I just happen to download LO v4.3.1 and before installing it had to delete v4.3.0 and while doing so saw mediawiki flash by as it was being deleted.


Using openSUSE 13.1, KDE 4.14.1 & kernel 3.16.3-1 on a system with-
AMD FX 8-core 3.6/4.2GHz processor
16GB PC14900/1866MHz Quad Channel RAM
Gigabyte AMD3+ m/board; Gigabyte nVidia GTX660 GPU

To unsubscribe, e-mail: opensuse+unsubscribe@xxxxxxxxxxxx
To contact the owner, e-mail: opensuse+owner@xxxxxxxxxxxx

< Previous Next >