[Scummvm-devel] wiki update
Thierry Crozat
criezy at scummvm.org
Wed Apr 7 20:44:56 CEST 2010
Hi (again),
A security fix for MediaWiki was released today. Our wiki is not too
vulnerable to the security hole (as user scripting is disabled), but
I will update it nonetheless. The update will happen tomorrow evening
at 9pm GMT, unless one of you asks me to postpone it. It should not
last more than 10 minutes, during which the wiki will be locked to be
read only.
For your information, the announcement message is the following:
MediaWiki was found to be vulnerable to login CSRF. An attacker who
controls a user account on the target wiki can force the victim to
log in as the attacker, via a script on an external website. If the
wiki is configured to allow user scripts, say with "$wgAllowUserJs =
true" in LocalSettings.php, then the attacker can proceed to mount a
phishing-style attack against the victim to obtain their password.
Even without user scripting, this attack is a potential nuisance, and
so all public wikis should be upgraded if possible.
Our fix includes a breaking change to the API login action. Any
clients using it will need to be updated. We apologise for making
such a disruptive change in a minor release, but we feel that
security is paramount.
Thierry
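
The login CSRF described in the quoted announcement, and why a fix for it breaks existing API login clients, shown as an added example that is not part of the original message and is not MediaWiki's code. It is a simplified in-memory model; the class, function, cookie, account and result names are all assumptions.

```python
import hmac
import secrets

USERS = {"attacker": "attacker-pw", "victim": "victim-pw"}  # constructed sample accounts


class Wiki:
    """Toy login endpoint (hypothetical); sessions are keyed by the browser's cookie."""

    def __init__(self, require_token):
        self.require_token = require_token
        self.sessions = {}  # cookie -> {"login_token": ..., "user": ...}

    def login(self, cookie, name, password, token=None):
        sess = self.sessions.setdefault(cookie, {"login_token": None, "user": None})
        if self.require_token:
            expected = sess["login_token"]
            if token is None or expected is None:
                # Step 1: issue a token stored in *this* browser's session.
                sess["login_token"] = secrets.token_hex(16)
                return {"result": "NeedToken", "token": sess["login_token"]}
            if not hmac.compare_digest(expected, token):
                return {"result": "WrongToken"}
            sess["login_token"] = None  # tokens are single use
        if USERS.get(name) != password:
            return {"result": "WrongPass"}
        sess["user"] = name
        return {"result": "Success"}


def forged_cross_site_login(wiki, victim_cookie):
    """Model of the forged request: the victim's cookie travels with the
    attacker's credentials. The external page cannot read the wiki's
    responses, so the only token it can send is one from its own session."""
    own = wiki.login("attacker-cookie", "attacker", "attacker-pw").get("token")
    for _ in range(2):  # blind submit, then a blind retry
        wiki.login(victim_cookie, "attacker", "attacker-pw", token=own)
    return wiki.sessions[victim_cookie]["user"]


def updated_client_login(wiki, cookie, name, password):
    """A client adapted to the two-step login: fetch the token, then resend."""
    first = wiki.login(cookie, name, password)
    if first["result"] == "NeedToken":
        return wiki.login(cookie, name, password, token=first["token"])
    return first
```

In this model a client that sends a single login request only ever receives the token response and is never logged in, which is the kind of breakage the announcement warns about.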