Page MenuHomePhabricator
Create Task
Maniphest T47355

Read of arbitrary files through mwdoc-filter.php
Closed, ResolvedPublic
Actions

Description

The file maintenance/mwdoc-filter.php can be abused under certain server configurations to read the contents of arbitrary files.

In case you

  • you have deleted the maintenance folder or
  • you have that folder denied in the server configuration or
  • the server is processing .htaccess overrides or
  • you are using PHP 5.4.0 (or later) or
  • you have register_globals disabled

it is believed that you are not vulnerable.

Explaining the conditions above:

  • MediaWiki bundles maintenance/.htaccess with 'Deny from all'
  • register_globals was removed in PHP 5.4.0

    -If register_globals is disabled, register_argc_argv doesn't seem to make a difference.
  • If register_argc_argv is enabled, it overwrites the $argv from register globals to a single argument, so there's no $argv[1] to open... unless you use a + (no %20), so there are really two ways to exploit this, depending on register_argc_argv

Verified with PHP 5.3.2

An insecure wrapper as mentioned in http://www.php.net/archive/2012.php#id2012-05-06-1 doesn't seem to allow splitting $argv into several items.

mwdoc-filter.php is intended for usage by doxygen through the cli sapi, was added in ab59fadb https://gerrit.wikimedia.org/r/17192 and is present in 1.20 and master (git branch -a --contains ab59fadb)

Version: 1.20.x
Severity: normal

Details

Reference
bz45355

Event Timeline

bzimport raised the priority of this task from to Needs Triage.Nov 22 2014, 1:22 AM
bzimport added projects: MW-1.20-release, MediaWiki-Maintenance-system.
bzimport set Reference to bz45355.
bzimport added a subscriber: Unknown Object (MLST).
Platonides created this task.Feb 25 2013, 3:10 PM
Platonides added a comment.Feb 25 2013, 3:19 PM

Patchset for master on https://gerrit.wikimedia.org/r/50750
Backport for 1.20 on https://gerrit.wikimedia.org/r/50751

csteipp added a comment.Feb 25 2013, 5:27 PM

Thanks for the report and patch Platonides! This is confirmed. I think the likelihood that a configuration would be vulnerable is low, but the impact is high. We'll get this released as soon as possible.

In the future, please do post patches to the bug instead of gerrit, so we can coordinate the release, if possible.

csteipp added a comment.Mar 4 2013, 7:15 PM

Released as part of 1.20.3

csteipp added a comment.Mar 5 2013, 5:41 PM

RedHat has assigned CVE-2013-1818 for this issue.

csteipp added a project: acl*security.Mar 26 2015, 8:39 PM
csteipp added a project: Vuln-DirectObjectReference.Aug 20 2015, 10:10 PM
Luke081515 removed a subscriber: wikibugs-l-list.Jan 28 2016, 6:01 PM
Restricted Application added subscribers: StudiesWorld, Luke081515. · View Herald TranscriptJan 28 2016, 6:01 PM
chasemp added a project: Security.Feb 10 2020, 10:53 PM
chasemp removed a project: acl*security.Feb 20 2020, 8:14 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL