MediaWiki 1.16.1 fixes clickjacking issue
MediaWiki released version 1.16.1 which is a security and maintenance release.
Wikipedia user PleaseStand pointed out that MediaWiki has no protection against “clickjacking”. With user or site JavaScript or CSS enabled, clickjacking can lead to cross-site scripting (XSS), and thus full compromise of the wiki account of any user who visits a malicious external site. Clickjacking affects all previous versions of MediaWiki.
The fix involves denying framing on all pages except normal page views and a few selected special pages. To be protected, all users need to use a browser which supports X-Frame-Options.
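A small model of the framing policy described above, added here as an example and not MediaWiki's own code: it decides which responses carry X-Frame-Options: DENY (everything except normal page views and an allowlisted set of special pages) and includes a check a site operator can run over captured response headers. The URL conventions (title= and action= query parameters, /wiki/<Title> paths) and the FRAMEABLE_SPECIAL_PAGES allowlist are assumptions, since the release notes do not enumerate the selected special pages.

```python
"""Model of the MediaWiki 1.16.1 framing policy (added example, not MediaWiki code).
Assumptions: a page view is action=view or no action; special pages live in the
'Special:' namespace; FRAMEABLE_SPECIAL_PAGES is a constructed stand-in for the
'few selected special pages' the release notes mention but do not list."""
from typing import Dict, Optional
from urllib.parse import parse_qs, urlparse

# Constructed allowlist; the real list lives in MediaWiki, not here.
FRAMEABLE_SPECIAL_PAGES = {"Special:Search"}


def frame_option(url: str) -> Optional[str]:
    """Return the X-Frame-Options value to send for a request URL,
    or None when framing stays allowed (normal page views only)."""
    parsed = urlparse(url)
    query = parse_qs(parsed.query)
    # Title comes from ?title=... or, for /wiki/<Title> URLs, the last path segment.
    title = query.get("title", [parsed.path.rsplit("/", 1)[-1]])[0]
    action = query.get("action", ["view"])[0]
    if title.startswith("Special:"):
        # Special pages are denied unless explicitly allowlisted.
        return None if title in FRAMEABLE_SPECIAL_PAGES else "DENY"
    if action != "view":
        # edit, history, submit, delete ... are the clickjacking targets.
        return "DENY"
    return None


def is_frame_protected(headers: Dict[str, str]) -> bool:
    """Operator's check: does a captured response carry a restrictive
    X-Frame-Options header? Header names are matched case-insensitively;
    DENY and SAMEORIGIN both count as protection."""
    for name, value in headers.items():
        if name.lower() == "x-frame-options":
            return value.strip().upper() in ("DENY", "SAMEORIGIN")
    return False
```

Because the header is only honoured client-side, is_frame_protected tells you what the wiki sends, not whether a given visitor's browser enforces it.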
Other changes in MediaWiki 1.16.1:
- Allow extensions to access SpecialUpload variables again
- list=allusers was out by 1 (showed total users - 1)
- Fixed API error when using rvprop=tags
- For wikis using French as a content language, Special:Téléchargement works again as an alias for Special:Upload.
- Correctly load JS fixes for IE6 (fixing a regression in 1.16.0)
- Fixed paraminfo errors in certain API modules.
- The installer now has improved handling for situations where safe_mode is active or exec() and similar functions are disabled.
- Specifying --server now works for all maintenance scripts.
- $wgLicenseTerms register globals.