Last modified: 2010-05-15 15:48:26 UTC

Wikimedia Bugzilla is closed!

Wikimedia has migrated from Bugzilla to Phabricator. Bug reports should be created and updated in Wikimedia Phabricator instead. Please create an account in Phabricator and add your Bugzilla email address to it.
Wikimedia Bugzilla is read-only. If you try to edit or create any bug report in Bugzilla you will be shown an intentional error message.
In order to access the Phabricator task corresponding to a Bugzilla report, just remove "static-" from its URL.
You could still run searches in Bugzilla or access your list of votes but bug reports will obviously not be up-to-date in Bugzilla.
Bug 8819 - Full Path Disclosure vulnerability in MediaWiki 1.9.1
Full Path Disclosure vulnerability in MediaWiki 1.9.1
Status: RESOLVED FIXED
Product: MediaWiki
Classification: Unclassified
Templates (Other open bugs)
1.9.x
PC Windows XP
: Normal normal (vote)
: ---
Assigned To: Nobody - You can work on this!
http:http://openclipart.org/wiki/skin...
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2007-01-29 07:17 UTC by Raphael HUCK
Modified: 2010-05-15 15:48 UTC (History)
1 user (show)

See Also:
Web browser: ---
Mobile Platform: ---
Assignee Huggle Beta Tester: ---


Attachments

Description Raphael HUCK 2007-01-29 07:17:23 UTC
Hi,

first of all thanks for MediaWiki, this is great!

I've found a Full Path Disclosure vulnerability in MediaWiki 1.9.1, 
which affects:

wiki/skins/Simple.deps.php
wiki/skins/MonoBook.deps.php
wiki/skins/MySkin.deps.php
wiki/skins/Chick.deps.php


example:

http://openclipart.org/wiki/skins/Simple.deps.php


Warning: main(includes/SkinTemplate.php): failed to open stream: No such 
file or directory in 
/srv/clipart.freedesktop.org/clipart_web/wiki/skins/Simple.deps.php on 
line 8

Fatal error: main(): Failed opening required 'includes/SkinTemplate.php' 
(include_path='.:/usr/share/php:/usr/share/pear') in 
/srv/clipart.freedesktop.org/clipart_web/wiki/skins/Simple.deps.php on 
line 8


It enables the attacker to gain knowledge about the system before 
attacking it (for example, if he finds a File Include vulnerability, he 
knows how many folders to go back to find /etc/passwd).

This should be an easy fix: check that each page that shouldn't be 
called directly isn't called directly, for example by defining a 
variable in the pages that call them, and checking in those that this 
variable is defined, and if not, do nothing, or print "nothing to see 
here..."


This would be great if you could fix it, as otherwise MediaWiki is 
perfect ;)

--Raphaël HUCK
Comment 1 Antoine "hashar" Musso (WMF) 2007-01-29 21:27:13 UTC
Fix committed in trunk r19681

Back ports:
REL1_9 : r19682
REL1_8 : r19683
REL1_6 : r19684

Note You need to log in before you can comment on or make changes to this bug.


Navigation
Links