
Full Path Disclosure vulnerability in MediaWiki 1.9.1
Closed, Resolved, Public

Description

Author: raphael.huck

Description:
Hi,

First of all, thanks for MediaWiki, this is great!

I've found a Full Path Disclosure vulnerability in MediaWiki 1.9.1,
which affects:

wiki/skins/Simple.deps.php
wiki/skins/MonoBook.deps.php
wiki/skins/MySkin.deps.php
wiki/skins/Chick.deps.php

example:

http://openclipart.org/wiki/skins/Simple.deps.php

Warning: main(includes/SkinTemplate.php): failed to open stream: No such
file or directory in
/srv/clipart.freedesktop.org/clipart_web/wiki/skins/Simple.deps.php on
line 8

Fatal error: main(): Failed opening required 'includes/SkinTemplate.php'
(include_path='.:/usr/share/php:/usr/share/pear') in
/srv/clipart.freedesktop.org/clipart_web/wiki/skins/Simple.deps.php on
line 8

It enables the attacker to gain knowledge about the system before
attacking it (for example, if he finds a File Include vulnerability, he
knows how many folders to go back to find /etc/passwd).

This should be an easy fix: check that each page that shouldn't be
called directly isn't called directly, for example by defining a
variable in the pages that call them, and checking in those that this
variable is defined, and if not, do nothing, or print "nothing to see
here..."

This would be great if you could fix it, as otherwise MediaWiki is
perfect ;)

--Raphaël HUCK


Version: 1.9.x
Severity: normal
OS: Windows XP
Platform: PC
URL: http://openclipart.org/wiki/skins/Simple.deps.php
CVE: CVE-2007-0894
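
An audit for the guard proposed in the report, as an added example (not part of the report or of MediaWiki's code): it flags PHP files in which an include/require runs before any entry-point check, which is the condition that produces the warning shown above on a direct request. The constant name `MEDIAWIKI`, the guard's shape and the sample file contents are assumptions.

```python
import re
import tempfile
from pathlib import Path

# Assumption: the entry point defines a constant (MEDIAWIKI here) and every
# include-only file tests it with defined() before doing any work.
GUARD = re.compile(r"""defined\s*\(\s*['"]MEDIAWIKI['"]\s*\)""")
INCLUDE = re.compile(r"\b(?:require|include)(?:_once)?\b")
# Heuristic comment stripper; it does not understand string literals.
COMMENTS = re.compile(r"/\*.*?\*/|//[^\n]*|#[^\n]*", re.S)


def lacks_guard(source: str) -> bool:
    """True if an include/require is reached with no guard check before it."""
    code = COMMENTS.sub("", source)
    inc = INCLUDE.search(code)
    if inc is None:
        return False  # no include that could fail on a direct request
    guard = GUARD.search(code)
    return guard is None or guard.start() > inc.start()


def audit(root: Path) -> list[str]:
    """Sorted relative paths of *.php files under root that lack the guard."""
    return sorted(
        p.relative_to(root).as_posix()
        for p in root.rglob("*.php")
        if lacks_guard(p.read_text(encoding="utf-8", errors="replace"))
    )


# Constructed sample tree; file names follow the report, contents are made up.
INC = "require_once( 'includes/SkinTemplate.php' );\n"
CHECK = "if ( !defined( 'MEDIAWIKI' ) ) die( 1 );\n"
SAMPLES = {
    "skins/Simple.deps.php": "<?php\n// dependencies\n" + INC,  # no guard
    "skins/MonoBook.deps.php": "<?php\n" + CHECK + INC,         # guard first
    "skins/Chick.deps.php": "<?php\n" + INC + CHECK,            # guard too late
    "skins/Notes.php": "<?php\n# require nothing here\n$x = 1;\n",  # no include
}


def demo() -> list[str]:
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for rel, body in SAMPLES.items():
            (root / rel).parent.mkdir(parents=True, exist_ok=True)
            (root / rel).write_text(body, encoding="utf-8")
        return audit(root)
```

Run `audit()` against a real skins directory in CI so a new include-only file without the guard fails the build; setting `display_errors` to off in production keeps any remaining warning out of the response body.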

Details

Reference
bz8819

Event Timeline

bzimport raised the priority of this task from to Medium. (Nov 21 2014, 9:35 PM)
bzimport set Reference to bz8819.
bzimport added a subscriber: Unknown Object (MLST).

Fix committed in trunk r19681

Back ports:
REL1_9 : r19682
REL1_8 : r19683
REL1_6 : r19684