Page MenuHomePhabricator

Language file path traversal
Closed, ResolvedPublic


MediaWiki developer Happy Melon discovered a path traversal vulnerability in the Language class, which allows execution of any PHP scripts which are present on the server and have the same drive letter as the MediaWiki install path, and have a filename ending in ".php".

Because of differences in the way file_exists() is implemented across platforms, UNIX-based operating systems such as Linux and Mac OS X are not affected. Windows is known to be vulnerable. Novell Netware is untested at this time and may be affected.

The requirement that the script file ends with ".php" is a significant mitigating factor. All files that end with .php in MediaWiki are assumed to be executable from the web by malicious users, so all such files take steps to ensure that no significant action is taken merely by execution. For the same reason, we do not allow uploads of files which end in .php. Most web apps take a similar approach.

Thus, exploitation of this vulnerability requires some other software to be present on the server, for instance:

  • Some web app which allows uploads of .php files, yet to be identified.
  • A special maintenance script which is known to the attacker, or which can be discovered via another vulnerability present on the server.
  • Any process which places user input in C:\WINDOWS\Temp with a file name ending in .php.

A fix will be released shortly in MediaWiki 1.16.2. If patches are available for earlier major versions, it will be noted in a comment below.

All MediaWiki installations back to version 1.8.x should be patched or upgraded. The vulnerability arises when Language::factory() is called with unvalidated user input. The MediaWiki core has done this since 1.12.0. Vulnerable extensions were introduced even earlier.

Our fix throws an exception when Language::factory() is called with incorrect input. Extension developers should validate user input by calling the newly-introduced Language::isValidCode(), or by checking the language code against the list returned by Language::getLanguageNames(), so that they can present a more appropriate error message to the user.

Version: 1.16.x
Severity: critical