Last modified: 2012-04-12 13:55:35 UTC

Wikimedia Bugzilla is closed!

Wikimedia migrated from Bugzilla to Phabricator. Bug reports are handled in Wikimedia Phabricator.
This static website is read-only and for historical purposes. It is not possible to log in and except for displaying bug reports and their history, links might be broken. See T29094, the corresponding Phabricator task for complete and up-to-date bug report information.
Bug 27094 - Language file path traversal
Status: RESOLVED FIXED
Product: MediaWiki
Classification: Unclassified
Component: Internationalization
Version: 1.16.x
Hardware: All All
Importance: Normal critical
Assigned To: Nobody - You can work on this!
Reported: 2011-02-01 22:13 UTC by Tim Starling
Modified: 2012-04-12 13:55 UTC



Description Tim Starling 2011-02-01 22:13:29 UTC
MediaWiki developer Happy Melon discovered a path traversal vulnerability in the Language class, which allows execution of any PHP scripts which are present on the server and have the same drive letter as the MediaWiki install path, and have a filename ending in ".php". 

Because of differences in the way file_exists() is implemented across platforms, UNIX-based operating systems such as Linux and Mac OS X are not affected. Windows is known to be vulnerable. Novell Netware is untested at this time and may be affected.

The requirement that the script file ends with ".php" is a significant mitigating factor. All files that end with .php in MediaWiki are assumed to be executable from the web by malicious users, so all such files take steps to ensure that no significant action is taken merely by execution. For the same reason, we do not allow uploads of files which end in .php. Most web apps take a similar approach. 

Thus, exploitation of this vulnerability requires some other software to be present on the server, for instance:

* Some web app which allows uploads of .php files, yet to be identified.
* A special maintenance script which is known to the attacker, or which can be discovered via another vulnerability present on the server.
* Any process which places user input in C:\WINDOWS\Temp with a file name ending in .php. 

A fix will be released shortly in MediaWiki 1.16.2. If patches are available for earlier major versions, it will be noted in a comment below. 

All MediaWiki installations back to version 1.8.x should be patched or upgraded. The vulnerability arises when Language::factory() is called with unvalidated user input. The MediaWiki core has done this since 1.12.0. Vulnerable extensions were introduced even earlier.

Our fix throws an exception when Language::factory() is called with incorrect input. Extension developers should validate user input by calling the newly-introduced Language::isValidCode(), or by checking the language code against the list returned by Language::getLanguageNames(), so that they can present a more appropriate error message to the user.
Comment 1 Reed Loden 2011-02-03 16:24:49 UTC
This is CVE-2011-0537.
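
The validation pattern recommended in the bug description above, as an added example (not MediaWiki's code and not part of the original report): the loader throws on any code that is not a plain language tag, and the caller checks user input against a known list first so it can fall back gracefully. The function names, the class-file naming scheme, the base directory and the sample language list are assumptions made for illustration.

```php
<?php
// Added illustration, not MediaWiki source. All names below are hypothetical.

// Constructed sample of known language codes (stands in for the real list).
const KNOWN_LANGUAGES = ['en' => 'English', 'de' => 'Deutsch', 'pt-br' => 'português do Brasil'];

/**
 * Syntactic check: lowercase letters, digits and hyphens only. This excludes
 * path separators, dots, drive colons and NUL bytes. \A and \z are used
 * because "$" would also accept a trailing newline.
 */
function isValidLanguageCode($code): bool {
    return is_string($code) && preg_match('/\A[a-z0-9-]{1,32}\z/', $code) === 1;
}

/** Build the per-language class file path; refuses anything that fails validation. */
function languageClassFile(string $baseDir, $code): string {
    if (!isValidLanguageCode($code)) {
        throw new InvalidArgumentException('Invalid language code');
    }
    // Assumed naming scheme: "pt-br" -> "LanguagePt_br.php"
    $class = 'Language' . ucfirst(str_replace('-', '_', $code));
    return $baseDir . DIRECTORY_SEPARATOR . $class . '.php';
}

/** Caller-side check: validate user input first, fall back instead of raising an error page. */
function resolveUserLanguage($requested, string $fallback = 'en'): string {
    $code = is_string($requested) ? strtolower($requested) : '';
    $ok = isValidLanguageCode($code) && array_key_exists($code, KNOWN_LANGUAGES);
    return $ok ? $code : $fallback;
}

// Constructed inputs: two valid codes, a traversal string, a NUL byte,
// an unknown code and a non-string value.
$samples = ['de', 'PT-BR', '../../other/script', "en\0", 'xx', ['en']];
foreach ($samples as $input) {
    $code = resolveUserLanguage($input);
    printf("%-26s -> %s\n", json_encode($input), languageClassFile('/srv/wiki/languages', $code));
}

// Calling the loader directly with unvalidated input is rejected, not resolved.
try {
    languageClassFile('/srv/wiki/languages', '../../other/script');
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
```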
