MediaWiki 1.16.1 fixes clickjacking issue

MediaWiki released version 1.16.1 which is a security and maintenance release.

Wikipedia user PleaseStand pointed out that MediaWiki has no protection against “clickjacking”. With user or site JavaScript or CSS enabled, clickjacking can lead to cross-site scripting (XSS), and thus full compromise of the wiki account of any user who visits a malicious external site. Clickjacking affects all previous versions of MediaWiki.

The fix involves denying framing on all pages except normal page views and a few selected special pages. To be protected, all users need to use a browser which supports X-Frame-Options.

Other changes in MediaWiki 1.16.1:

  • Allow extensions to access SpecialUpload variables again
  • list=allusers was out by 1 (shows total users – 1)
  • Fixed API error when using rvprop=tags
  • For wikis using French as a content language, Special:Téléchargement works again as an alias for Special:Upload.
  • Correctly load JS fixes for IE6 (fixing a regression in 1.16.0)
  • Fixed paraminfo errors in certain API modules.
  • The installer now has improved handling for situations where safe_mode is active or exec() and similar functions are disabled.
  • Specifying –server in now works for all maintenance scripts.
  • $wgLicenseTerms register globals.
More about

Don't miss