Last modified: 2010-05-15 15:48:26 UTC
First of all, thanks for MediaWiki, this is great!
I've found a Full Path Disclosure vulnerability in MediaWiki 1.9.1,
Warning: main(includes/SkinTemplate.php): failed to open stream: No such
file or directory in
Fatal error: main(): Failed opening required 'includes/SkinTemplate.php'
It enables the attacker to gain knowledge about the system before
attacking it (for example, if he finds a File Include vulnerability, he
knows how many folders to go back to find /etc/passwd).
This should be an easy fix: check that each page that shouldn't be
called directly isn't called directly, for example by defining a
variable in the pages that call them, and checking in those that this
variable is defined, and if not, do nothing, or print "nothing to see
This would be great if you could fix it, as otherwise MediaWiki is
Fix committed in trunk r19681
REL1_9 : r19682
REL1_8 : r19683
REL1_6 : r19684
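
The guard proposed in the report, sketched as an added example; it is not part of the original report and not MediaWiki's own code. The constant name `APP_ENTRY`, the temporary file names and the use of the PHP CLI to stand in for a direct HTTP request are assumptions made for the illustration.

```php
<?php
// Added illustration: APP_ENTRY and the file names below are hypothetical.
// Two include-only files are written to a temp dir, one unguarded and one guarded,
// then each is run on its own to mimic a request that hits the file directly.
$dir = sys_get_temp_dir() . '/fpd_demo_' . bin2hex(random_bytes(4));
mkdir($dir, 0700);

// Shared body: a relative require that only resolves when the entry point
// has set up the working directory / include path first.
$body = "require 'includes/SkinTemplate.php';\n";

// "Before": nothing stops a direct call, so the failing require is reached
// and the resulting warning and fatal error name the script's absolute path.
file_put_contents("$dir/unguarded.php", "<?php\n" . $body);

// "After": the very first statement refuses to run unless the entry point
// defined the constant, so no later line can raise a path-bearing error.
$guard = "if (!defined('APP_ENTRY')) {\n"
       . "    http_response_code(403);\n"
       . "    exit(\"Not a valid entry point.\\n\");\n"
       . "}\n";
file_put_contents("$dir/guarded.php", "<?php\n" . $guard . $body);

// Run a file as its own script with error display on, returning all output.
function run_directly(string $file): string {
    $cmd = escapeshellarg(PHP_BINARY) . ' -d display_errors=1 -d error_reporting=-1 '
         . escapeshellarg($file) . ' 2>&1';
    return (string) shell_exec($cmd);
}

foreach (['unguarded.php', 'guarded.php'] as $name) {
    $out = run_directly("$dir/$name");
    // The temp directory name appearing in the output means the path leaked.
    $leaks = strpos($out, basename($dir)) !== false;
    printf("%-14s leaks install path: %s\n", $name, $leaks ? 'yes' : 'no');
}

// Remove the constructed sample files.
array_map('unlink', glob("$dir/*.php"));
rmdir($dir);
```

The legitimate entry point would run `define('APP_ENTRY', true);` before including any guarded file. Setting `display_errors = Off` on production servers keeps error text out of responses even for files that lack the guard.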