[Scummvm-devel] wiki update

Thierry Crozat criezy at scummvm.org
Wed Apr 7 20:44:56 CEST 2010


Hi (again),

A security fix for MediaWiki was released today. Our wiki is not too  
vulnerable to the security hole (as user scripting is disabled), but  
I will update it nonetheless. The update will happen tomorrow evening  
at 9pm GMT, unless one of you asks me to postpone it. It should not  
last more than 10 minutes, during which the wiki will be locked to be  
read only.

For your information, the announcement message is the following:
MediaWiki was found to be vulnerable to login CSRF. An attacker who  
controls a user account on the target wiki can force the victim to  
log in as the attacker, via a script on an external website. If the  
wiki is configured to allow user scripts, say with "$wgAllowUserJs =  
true" in LocalSettings.php, then the attacker can proceed to mount a  
phishing-style attack against the victim to obtain their password.

Even without user scripting, this attack is a potential nuisance, and  
so all public wikis should be upgraded if possible.

Our fix includes a breaking change to the API login action. Any  
clients using it will need to be updated. We apologise for making  
such a disruptive change in a minor release, but we feel that  
security is paramount.

Thierry




