The file maintenance/mwdoc-filter.php can be abused under certain server configurations to read the contents of arbitrary files.
In case you
- you have deleted the maintenance folder or
- you have that folder denied in the server configuration or
- the server is processing .htaccess overrides or
- you are using PHP 5.4.0 (or later) or
- you have register_globals disabled
it is believed that you are not vulnerable.
Explaining the conditions above:
- MediaWiki bundles maintenance/.htaccess with 'Deny from all'
- register_globals was removed in PHP 5.4.0
-If register_globals is disabled, register_argc_argv doesn't seem to make a difference.
- If register_argc_argv is enabled, it overwrites the $argv from register globals to a single argument, so there's no $argv to open... unless you use a + (no %20), so there are really two ways to exploit this, depending on register_argc_argv
Verified with PHP 5.3.2
An insecure wrapper as mentioned in http://www.php.net/archive/2012.php#id2012-05-06-1 doesn't seem to allow splitting $argv into several items.
mwdoc-filter.php is intended for usage by doxygen through the cli sapi, was added in ab59fadb https://gerrit.wikimedia.org/r/17192 and is present in 1.20 and master (git branch -a --contains ab59fadb)