Last modified: 2010-05-15 15:48:26 UTC

Wikimedia Bugzilla is closed!

Wikimedia has migrated from Bugzilla to Phabricator. Bug reports should be created and updated in Wikimedia Phabricator instead. Please create an account in Phabricator and add your Bugzilla email address to it.
Wikimedia Bugzilla is read-only. If you try to edit or create any bug report in Bugzilla you will be shown an intentional error message.
In order to access the Phabricator task corresponding to a Bugzilla report, just remove "static-" from its URL.
You could still run searches in Bugzilla or access your list of votes but bug reports will obviously not be up-to-date in Bugzilla.
Bug 8819 - Full Path Disclosure vulnerability in MediaWiki 1.9.1
Full Path Disclosure vulnerability in MediaWiki 1.9.1
Product: MediaWiki
Classification: Unclassified
Templates (Other open bugs)
PC Windows XP
: Normal normal (vote)
: ---
Assigned To: Nobody - You can work on this!
Depends on:
  Show dependency treegraph
Reported: 2007-01-29 07:17 UTC by Raphael HUCK
Modified: 2010-05-15 15:48 UTC (History)
1 user (show)

See Also:
Web browser: ---
Mobile Platform: ---
Assignee Huggle Beta Tester: ---


Description Raphael HUCK 2007-01-29 07:17:23 UTC

first of all thanks for MediaWiki, this is great!

I've found a Full Path Disclosure vulnerability in MediaWiki 1.9.1, 
which affects:



Warning: main(includes/SkinTemplate.php): failed to open stream: No such 
file or directory in 
/srv/ on 
line 8

Fatal error: main(): Failed opening required 'includes/SkinTemplate.php' 
(include_path='.:/usr/share/php:/usr/share/pear') in 
/srv/ on 
line 8

It enables the attacker to gain knowledge about the system before 
attacking it (for example, if he finds a File Include vulnerability, he 
knows how many folders to go back to find /etc/passwd).

This should be an easy fix: check that each page that shouldn't be 
called directly isn't called directly, for example by defining a 
variable in the pages that call them, and checking in those that this 
variable is defined, and if not, do nothing, or print "nothing to see 

This would be great if you could fix it, as otherwise MediaWiki is 
perfect ;)

--Raphaël HUCK
Comment 1 Antoine "hashar" Musso (WMF) 2007-01-29 21:27:13 UTC
Fix committed in trunk r19681

Back ports:
REL1_9 : r19682
REL1_8 : r19683
REL1_6 : r19684

Note You need to log in before you can comment on or make changes to this bug.