[UNIX] Multiple Extensions Vulnerability in MediaWiki

From: SecuriTeam (support_at_securiteam.com)
Date: 12/28/04

  • Next message: SecuriTeam: "[EXPL] PHP openlog() Buffer Overflow" 
    To: list@securiteam.com
Date: 28 Dec 2004 16:42:25 +0200

    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
    - - promotion

    The SecuriTeam alerts list - Free, Accurate, Independent.

    Get your security news from a reliable source.
    http://www.securiteam.com/mailinglist.html

    - - - - - - - - -

      Multiple Extensions Vulnerability in MediaWiki
    ------------------------------------------------------------------------

    SUMMARY

     <http://wikipedia.sourceforge.net/> MediaWiki is one of famous wiki web
    applications. However, an input validation flaw in MediaWiki can cause
    malicious attackers to run arbitrary commands with the privilege of the
    HTTPD process, which is typically run as the nobody user.

    DETAILS

    Vulnerable Systems:
     * MediaWiki 1.3.8 and prior

    Immune Systems:
     * MediaWiki 1.3.9 or newer

    MediaWiki did not implement any type of check for multiple extensions of
    uploaded files, e.g. attack.php.rar. Therefore, a malicious attackers can
    upload arbitrary script files (PHP, pl, CGI, etc) to a web server and then
    execute them.

    The vulnerability originates from the feature of Apache's MIME module
    (mod_mime), which regards attack.php.rar as a normal PHP file and executes
    the file through mod_php module with the privilege of the HTTPD process.

    Disclosure Timeline:
    2004-12-10 Vulnerability found.
    2004-12-10 MediaWiki developer notified
    2004-12-13 Update version released
    2004-12-15 Official release

    ADDITIONAL INFORMATION

    The information has been provided by <mailto:advisory@stgsecurity.com>
    SSR Team.

    ========================================

    This bulletin is sent to members of the SecuriTeam mailing list.
    To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
    In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

    ====================
    ====================

    DISCLAIMER:
    The information in this bulletin is provided "AS IS" without warranty of any kind.
    In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

  • Next message: SecuriTeam: "[EXPL] PHP openlog() Buffer Overflow"

    Relevant Pages