Zoho ManageEngine Applications Manager before 13640 allows a remote authenticated SQL injection via the Agent servlet agentid parameter to the Agent.java process function.

CVE-2019-19650: Release Notes - New features

MediaWiki through 1.33.1 allows attackers to bypass the Title_blacklist protection mechanism by starting with an arbitrary title, establishing a non-resolvable redirect for the associated page, and using redirect=1 in the action API when editing that page.

**

Possible to circumvent title-blacklist (CVE-2019-19709)



**

*   Edit Task
*   Edit Related Tasks...
*   Edit Related Objects...

*   Mute Notifications
*   Protect as security issue
*   Award Token
*   Flag For Later

*   Task Graph
*   Mentions

**Event Timeline**

Comment Actions

Yes, that's indeed the case. TitleBlacklist thinks the page being created is "w:Google.123.html", which doesn't match the specific rule in question. Rules beginning with .\*, like most on the current blacklist, do not seem able to be bypassed in this manner since the .\* will match the spurious interwiki prefix.

Comment Actions

@sbassett: I'm backporting the fix for this to Wikimedia sites now. I'll leave it to your team to backport the fix to 1.34 and earlier, if you feel that would be desirable.

Comment Actions

@Anomie - sounds good, I can try to pick 554084 to each supported release branch and see how it goes. I might solicit some help if those are more complicated than what gerrit can handle. I'm going to make this task public now since the code is on master, wmf.5 and wmf.8 and has been deployed. This probably warrants a CVE as well.

Comment Actions

**Update:** Picked to supported release branches and the bot updates are on the other bug (T239428). There was a minor conflict in includes/api/ApiEditPage.php for each of these, so I kept the old conditional instead of the newer ternary operator statement for now. Patches tested fine, they just need a +2, which I'll do if nobody else does.

This was kind of a strange one in that it was technically a security issue that was incidentally fixed by a well-timed, separate public task/patch. @Reedy is tracking it for the next release in T233495, but it wasn't "held" due to the aforementioned process oddities. I'll still request a CVE and update this bug once I have it.

sbassett renamed this task from Possible to circumvent title-blacklist to Possible to circumvent title-blacklist (CVE-2019-19709).Dec 11 2019, 3:06 PM

Comment Actions

At a quick glance, I don't see any indication that the bug has ever not existed since the redirect parameter was added in MW 1.17. But I haven't actually tested.

Content licensed under Creative Commons Attribution-ShareAlike 3.0 (CC-BY-SA) unless otherwise noted; code licensed under GNU General Public License (GPL) or other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL

CVE-2019-19709: ⚓ T239466 Possible to circumvent title-blacklist (CVE-2019-19709)

Incorrect security UI in external protocol handling in Google Chrome prior to 79.0.3945.79 allowed a remote attacker to spoof security UI via a crafted HTML page.

CVE-2019-13743

Insufficient policy enforcement in Omnibox in Google Chrome prior to 79.0.3945.79 allowed a remote attacker to perform domain spoofing via IDN homographs via a crafted domain name.

CVE-2019-13739

Insufficient policy enforcement in navigation in Google Chrome prior to 79.0.3945.79 allowed a remote attacker to bypass site isolation via a crafted HTML page.

CVE-2019-13738

Insufficient policy enforcement in autocomplete in Google Chrome prior to 79.0.3945.79 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page.

CVE-2019-13737

Incorrect security UI in Omnibox in Google Chrome on iOS prior to 79.0.3945.79 allowed a remote attacker to spoof the contents of the Omnibox (URL bar) via a crafted domain name.

CVE-2019-13742

Insufficient policy enforcement in payments in Google Chrome prior to 79.0.3945.79 allowed a remote attacker who had compromised the renderer process to leak cross-origin data via a crafted HTML page.

CVE-2019-13763

Incorrect security UI in Omnibox in Google Chrome prior to 79.0.3945.79 allowed a remote attacker to perform domain spoofing via IDN homographs via a crafted domain name.

CVE-2019-13761

Insufficient policy enforcement in downloads in Google Chrome on Windows prior to 79.0.3945.79 allowed a local attacker to spoof downloaded files via local code.

Tag

#google