what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

Mandriva Linux Security Advisory 2015-185

Mandriva Linux Security Advisory 2015-185
Posted Mar 31, 2015
Authored by Mandriva | Site mandriva.com

Mandriva Linux Security Advisory 2015-185 - Updated dokuwiki packages fix multiple security vulnerabilities.

tags | advisory, vulnerability
systems | linux, mandriva
advisories | CVE-2014-8761, CVE-2014-8762, CVE-2014-8763, CVE-2014-8764, CVE-2014-9253, CVE-2015-2172
SHA-256 | eddb2448ff8196264864f1a3f612e50f96588209ca6ced1be1973173caa3de41

Mandriva Linux Security Advisory 2015-185

Change Mirror Download
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

_______________________________________________________________________

Mandriva Linux Security Advisory MDVSA-2015:185
http://www.mandriva.com/en/support/security/
_______________________________________________________________________

Package : dokuwiki
Date : March 31, 2015
Affected: Business Server 1.0
_______________________________________________________________________

Problem Description:

Updated dokuwiki packages fix security vulnerabilities:

inc/template.php in DokuWiki before 2014-05-05a only checks for
access to the root namespace, which allows remote attackers to access
arbitrary images via a media file details ajax call (CVE-2014-8761).

The ajax_mediadiff function in DokuWiki before 2014-05-05a allows
remote attackers to access arbitrary images via a crafted namespace
in the ns parameter (CVE-2014-8762).

DokuWiki before 2014-05-05b, when using Active Directory for LDAP
authentication, allows remote attackers to bypass authentication via
a password starting with a null (\0) character and a valid user name,
which triggers an unauthenticated bind (CVE-2014-8763).

DokuWiki 2014-05-05a and earlier, when using Active Directory for
LDAP authentication, allows remote attackers to bypass authentication
via a user name and password starting with a null (\0) character,
which triggers an anonymous bind (CVE-2014-8764).

dokuwiki-2014-09-29a allows swf (application/x-shockwave-flash)
uploads by default. This may be used for Cross-site scripting (XSS)
attack which enables attackers to inject client-side script into Web
pages viewed by other users. (CVE-2014-9253).

The dokuwiki-2014-09-29b hotfix source disables swf uploads by default
and fixes the CVE-2014-9253 issue.

DokuWiki before 20140929c has a security issue in the ACL plugins
remote API component. The plugin failed to check for superuser
permissions before executing ACL addition or deletion. This means
everybody with permissions to call the XMLRPC API also had permissions
to set up their own ACL rules and thus circumventing any existing rules
(CVE-2015-2172).

DokuWiki before 20140929d is vulnerable to a cross-site scripting
(XSS) issue in the user manager. The user's details were not properly
escaped in the user manager's edit form. This allows a registered user
to edit her own name (using the change profile option) to include
malicious JavaScript code. The code is executed when a super user
tries to edit the user via the user manager.
_______________________________________________________________________

References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8761
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8762
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8763
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8764
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9253
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2172
http://advisories.mageia.org/MGASA-2014-0438.html
http://advisories.mageia.org/MGASA-2014-0540.html
http://advisories.mageia.org/MGASA-2015-0093.html
http://advisories.mageia.org/MGASA-2015-0118.html
_______________________________________________________________________

Updated Packages:

Mandriva Business Server 1/X86_64:
a5f686823559e7dd1a39942e94f72a33 mbs1/x86_64/dokuwiki-20140929-1.4.mbs1.noarch.rpm
b38f45a6dc38c67d534d52db2c84b919 mbs1/SRPMS/dokuwiki-20140929-1.4.mbs1.src.rpm
_______________________________________________________________________

To upgrade automatically use MandrivaUpdate or urpmi. The verification
of md5 checksums and GPG signatures is performed automatically for you.

All packages are signed by Mandriva for security. You can obtain the
GPG public key of the Mandriva Security Team by executing:

gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

You can view other update advisories for Mandriva Linux at:

http://www.mandriva.com/en/support/security/advisories/

If you want to report vulnerabilities, please contact

security_(at)_mandriva.com
_______________________________________________________________________

Type Bits/KeyID Date User ID
pub 1024D/22458A98 2000-07-10 Mandriva Security Team
<security*mandriva.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iD8DBQFVGmTimqjQ0CJFipgRAka7AKDNhVCVHbKzCkQ7hK+ho98oGr+7zgCdF9yd
0zXiuJ/6Q3A/o5IXUWq6SAk=
=DEys
-----END PGP SIGNATURE-----
Login or Register to add favorites

File Archive:

November 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    30 Files
  • 2
    Nov 2nd
    0 Files
  • 3
    Nov 3rd
    0 Files
  • 4
    Nov 4th
    12 Files
  • 5
    Nov 5th
    44 Files
  • 6
    Nov 6th
    18 Files
  • 7
    Nov 7th
    9 Files
  • 8
    Nov 8th
    8 Files
  • 9
    Nov 9th
    3 Files
  • 10
    Nov 10th
    0 Files
  • 11
    Nov 11th
    14 Files
  • 12
    Nov 12th
    20 Files
  • 13
    Nov 13th
    69 Files
  • 14
    Nov 14th
    0 Files
  • 15
    Nov 15th
    0 Files
  • 16
    Nov 16th
    0 Files
  • 17
    Nov 17th
    0 Files
  • 18
    Nov 18th
    0 Files
  • 19
    Nov 19th
    0 Files
  • 20
    Nov 20th
    0 Files
  • 21
    Nov 21st
    0 Files
  • 22
    Nov 22nd
    0 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    0 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    0 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close