
Cloud Vulnerability DB
A community-led vulnerabilities database
MediaWiki before 1.18.5, and 1.19.x before 1.19.2, saves password data in the local database even when authentication is delegated to an external system. A hashed copy of each user's external password therefore sits in the local user table, where anyone who obtains the database can attack it offline and recover cleartext passwords by brute force. Additionally, when an authentication plugin returns false from its strict() function, MediaWiki falls back to the locally stored password, so remote attackers can keep using old passwords for accounts that no longer exist in the external authentication system (Debian Security, Wikimedia Bug).
The vulnerability stems from password data always being written to the local MediaWiki database, even when authentication is handled by an external extension such as LDAP Authentication. A compromise of the MediaWiki installation or its database could therefore leak information about users' LDAP passwords, which are often shared with other services in the organisation. The issue was discovered during internal review and affects MediaWiki versions before 1.18.5 and 1.19.x before 1.19.2 (MediaWiki Announce).
The second consequence concerns account lifecycle: where an authentication plugin returned false from strict(), the locally stored copy remained usable as a fallback, so an account removed from the external system could continue to log in to the wiki with its old password indefinitely (MediaWiki Announce).
The issue was fixed in MediaWiki 1.18.5 and 1.19.2, which stop writing external passwords to the local database; data already stored is not removed by the upgrade. Administrators of affected installations were advised to purge it with the SQL statement UPDATE user SET user_password=''; (prefix the table name with $wgDBprefix where one is configured). Installations with mixed authentication should purge only the rows of users who authenticate externally, so that local-only accounts keep their passwords (Phabricator).
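The purge from the advisory, worked through as an added example (this is not code from the MediaWiki announcement or the Phabricator task): a count before, the two purge variants, and a verification afterwards. Table names assume an empty $wgDBprefix, and the mixed-authentication variant assumes that the LDAP Authentication extension's ldap_domains table (user_id column) lists the externally authenticated accounts; if your external users are recorded elsewhere, substitute that table.

```sql
-- Added example (not from the MediaWiki advisory): remove locally stored
-- password data after upgrading to 1.18.5 / 1.19.2. Take a backup first.
-- Assumes an empty $wgDBprefix; prepend your prefix to every table name otherwise.

-- 1. How many accounts still carry a local password hash?
SELECT COUNT(*) AS accounts_with_local_password
FROM user
WHERE user_password <> '';

-- 2a. Installations where every account authenticates externally:
--     blank the stored data for all users (the advisory's one-liner,
--     restricted to rows that actually hold something).
UPDATE user
SET user_password = ''
WHERE user_password <> '';

-- 2b. Mixed installations: blank only externally authenticated users.
--     Assumption: the LDAP Authentication extension records those users in
--     ldap_domains (user_id column). Local-only accounts keep their hashes
--     so they can still log in.
UPDATE user
SET user_password = ''
WHERE user_password <> ''
  AND user_id IN (SELECT user_id FROM ldap_domains);

-- 3. Verify: 0 after 2a; after 2b, equal to the number of local-only accounts.
SELECT COUNT(*) AS remaining_local_passwords
FROM user
WHERE user_password <> '';

-- 4. Spot-check that no externally authenticated user still has a hash (expect 0 rows).
SELECT u.user_id, u.user_name
FROM user AS u
JOIN ldap_domains AS d ON d.user_id = u.user_id
WHERE u.user_password <> '';
```

Run the counts first and compare them with the number of users you expect in each group before issuing either UPDATE. Externally authenticated users are unaffected by the purge because their password check goes to the external system; any local-only account whose row is blanked by mistake can no longer log in and will need a password reset, which is why the selective variant in 2b matters on mixed installations.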
Source: This report was generated using AI