|
|
|
 |
Vulnerability Note VU#392156MediaWiki fails to properly verify input passed to the user language optionOverviewA vulnerability in some versions of MediaWiki may allow a remote attacker to execute code on a vulnerable wiki server.I. DescriptionMediaWiki is a PHP-based software package that is used to run a wiki, a collaborative website that can be edited by any user or visitor. Some versions of the MediaWiki software contain an error in the validation of the user language option. This error results in a vulnerability since this parameter is supplied by a remote user and is used in forming a class name dynamically created with the PHP eval() function.II. ImpactA remote attacker may be able to execute PHP code of their choosing on a vulnerable server. The attacker-supplied code would be executed in the context of the web serverIII. SolutionUpgradeVersion 1.5.3 of the MediaWiki software contains a fix for this issue. Users of older 1.5.x versions of the software are encouraged to upgrade to this fixed version. Versions 1.4 and earlier of the software are reportedly not affected by this issue.
References
Thanks to the MediaWiki project for reporting this vulnerability. This document was written by Chad R Dougherty based on information provided by the MediaWiki project.
If you have feedback, comments, or additional information about this vulnerability, please send us
email. |
|||||||||||||||||||||||||||||||
|
|||||||||||||||||||||||||||||||||
Get Adobe Reader