PoC from checkpoint
This was sent to security@mediawiki.org a few days ago, and I just got it last night. This morning I got the encrypted PoC from them. Obviously this is very serious.
Shell metacharacters can be passed in the page parameter to thumb.php.
This fix is trivial, I've just tested and confirmed it fixes the issue on my local dev. I'll upload a patch to the cluster and deploy it.
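Added illustration of the bug class described above (this is not MediaWiki code and not the reporter's PoC): an untrusted `page` value interpolated into a command string that is handed to the shell, beside the quoted form that keeps it a single literal argument. The command being built (`echo` here) is a stand-in chosen so the example is harmless; the assumption that a page parameter should be a positive integer is this example's, used only for the allow-list check.

```python
import re
import shlex
import subprocess

# Constructed sample values for the untrusted "page" parameter (not taken from
# the report): a benign page number and one carrying shell metacharacters.
BENIGN_PAGE = "3"
HOSTILE_PAGE = "3; echo INJECTED"

# Stand-in for the real rendering command. Anything that reaches the shell
# unquoted behaves the same way whether the program is echo or a converter.
RENDER_CMD = "echo rendering-page"


def build_command_naive(page: str) -> str:
    """Vulnerable pattern: the untrusted value is interpolated into a string
    that will be handed to /bin/sh, so metacharacters in it are interpreted."""
    return f"{RENDER_CMD} {page}"


def build_command_quoted(page: str) -> str:
    """Hardened pattern: shlex.quote() wraps the value so the shell sees it as
    exactly one literal argument (PHP's escapeshellarg() plays the same role)."""
    return f"{RENDER_CMD} {shlex.quote(page)}"


def is_valid_page(page: str) -> bool:
    """Allow-list check as a second layer. Assumption for this example: a page
    parameter should be a positive integer, so anything else is rejected
    before it gets anywhere near a command line."""
    return re.fullmatch(r"[1-9][0-9]{0,5}", page) is not None


def run_in_shell(cmd: str) -> list[str]:
    """Execute cmd via the system shell and return its stdout lines. The sample
    payload only echoes a marker, so running it is harmless."""
    out = subprocess.run(cmd, shell=True, capture_output=True, text=True, check=False)
    return out.stdout.splitlines()


def demo() -> dict[str, list[str]]:
    """Run both builders against both inputs and collect what the shell did."""
    return {
        "naive_benign": run_in_shell(build_command_naive(BENIGN_PAGE)),
        "naive_hostile": run_in_shell(build_command_naive(HOSTILE_PAGE)),
        "quoted_hostile": run_in_shell(build_command_quoted(HOSTILE_PAGE)),
    }


if __name__ == "__main__":
    for name, lines in demo().items():
        print(f"{name}: {lines}")
```

With the naive builder the hostile value yields two commands and the marker is printed on its own line; with the quoted builder the whole value, semicolon included, comes back as one argument. Quoting fixes the injection; the allow-list check is the cheaper belt-and-braces that rejects the value outright.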
Chris,
The OTRS system wouldn't let me forward this to security@wikimedia.org since that used to be an OTRS address.
Ryan // User:Rjd0060
----- Forwarded message from Shahar Tal <shahartal@checkpoint.com> -----
From: Shahar Tal <shahartal@checkpoint.com>
To: "security@mediawiki.org" <security@mediawiki.org>
Cc: Netanel Rubin <netanelr@checkpoint.com>, Inbar Raz <inbarr@checkpoint.com>
Subject: Remote code execution via incorrectly sanitized parameter
Date: 2014-01-19 12:23:54
Hi, my name is Shahar Tal, I lead a security research team with Check Point's
Malware & Security Research group.

I am writing this to inform you of a critical RCE vulnerability that was
identified in core MediaWiki by Netanel Rubin - a researcher in my team.

The vulnerability enables unrestricted command injection via an incorrectly
sanitized parameter.

We have verified this vulnerability exists with default installations as long as a
certain (not uncommon) setting is enabled, as is on wikimedia.org (see attached
screenshot for verification).

Note that it is our policy to follow responsible disclosure etiquette, and while
we do eventually intend to make the vulnerability details public - we strongly
prefer it would be done in full coordination and only after a fix has been made
available.

We would like to submit the details privately to the responsible parties, as well
as suggest a fix, please contact me for further coordination.

Regards,
Shahar Tal
Check Point Software Technologies | +972-77-775-8352 | M +972-545-888887
shahartal@checkpoint.com
----- End forwarded message -----
Version: unspecified
Severity: critical
attachment mediawiki-rce-19-01-2014.pdf ignored as private