Last modified: 2010-05-15 15:48:26 UTC

Wikimedia Bugzilla is closed!

Wikimedia migrated from Bugzilla to Phabricator. Bug reports are handled in Wikimedia Phabricator.
This static website is read-only and for historical purposes. It is not possible to log in and except for displaying bug reports and their history, links might be broken. See T10819, the corresponding Phabricator task for complete and up-to-date bug report information.
Bug 8819 - Full Path Disclosure vulnerability in MediaWiki 1.9.1
Full Path Disclosure vulnerability in MediaWiki 1.9.1
Status: RESOLVED FIXED
Product: MediaWiki
Classification: Unclassified
Templates (Other open bugs)
1.9.x
PC Windows XP
: Normal normal (vote)
: ---
Assigned To: Nobody - You can work on this!
http:http://openclipart.org/wiki/skin...
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2007-01-29 07:17 UTC by Raphael HUCK
Modified: 2010-05-15 15:48 UTC (History)
1 user (show)

See Also:
Web browser: ---
Mobile Platform: ---
Assignee Huggle Beta Tester: ---


Attachments

Description Raphael HUCK 2007-01-29 07:17:23 UTC
Hi,

first of all thanks for MediaWiki, this is great!

I've found a Full Path Disclosure vulnerability in MediaWiki 1.9.1, 
which affects:

wiki/skins/Simple.deps.php
wiki/skins/MonoBook.deps.php
wiki/skins/MySkin.deps.php
wiki/skins/Chick.deps.php


example:

http://openclipart.org/wiki/skins/Simple.deps.php


Warning: main(includes/SkinTemplate.php): failed to open stream: No such 
file or directory in 
/srv/clipart.freedesktop.org/clipart_web/wiki/skins/Simple.deps.php on 
line 8

Fatal error: main(): Failed opening required 'includes/SkinTemplate.php' 
(include_path='.:/usr/share/php:/usr/share/pear') in 
/srv/clipart.freedesktop.org/clipart_web/wiki/skins/Simple.deps.php on 
line 8


It enables the attacker to gain knowledge about the system before 
attacking it (for example, if he finds a File Include vulnerability, he 
knows how many folders to go back to find /etc/passwd).

This should be an easy fix: check that each page that shouldn't be 
called directly isn't called directly, for example by defining a 
variable in the pages that call them, and checking in those that this 
variable is defined, and if not, do nothing, or print "nothing to see 
here..."


This would be great if you could fix it, as otherwise MediaWiki is 
perfect ;)

--Raphaël HUCK
Comment 1 Antoine "hashar" Musso (WMF) 2007-01-29 21:27:13 UTC
Fix committed in trunk r19681

Back ports:
REL1_9 : r19682
REL1_8 : r19683
REL1_6 : r19684

Note You need to log in before you can comment on or make changes to this bug.


Navigation
Links