Read of arbitrary files through mwdoc-filter.php
Closed, Resolved · Public

Description

The file maintenance/mwdoc-filter.php can be abused under certain server configurations to read the contents of arbitrary files.

In case

  • you have deleted the maintenance folder, or
  • you have that folder denied in the server configuration, or
  • the server is processing .htaccess overrides, or
  • you are using PHP 5.4.0 (or later), or
  • you have register_globals disabled,

it is believed that you are not vulnerable.

Explaining the conditions above:

  • MediaWiki bundles maintenance/.htaccess with 'Deny from all'
  • register_globals was removed in PHP 5.4.0
    • If register_globals is disabled, register_argc_argv doesn't seem to make a difference.
  • If register_argc_argv is enabled, it overwrites the $argv from register_globals to a single argument, so there's no $argv[1] to open... unless you use a + (no %20), so there are really two ways to exploit this, depending on register_argc_argv

Verified with PHP 5.3.2

An insecure wrapper as mentioned in http://www.php.net/archive/2012.php#id2012-05-06-1 doesn't seem to allow splitting $argv into several items.

mwdoc-filter.php is intended for usage by doxygen through the cli SAPI. It was added in ab59fadb (https://gerrit.wikimedia.org/r/17192) and is present in 1.20 and master (git branch -a --contains ab59fadb).


Version: 1.20.x
Severity: normal

bzimport added a subscriber: wikibugs-l.
bzimport set Reference to bz45355.
Platonides created this task. Via Legacy, Feb 25 2013, 3:10 PM
csteipp added a comment. Via Conduit, Feb 25 2013, 5:27 PM
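The conditions above describe a CLI-only script whose argument vector could be populated from a web request. As an added example (not MediaWiki's code, and not the fix that shipped in 1.20.3), here is a guard a maintenance script of this kind can apply before touching its file argument; restricting reads to the parent of the script's own folder is an assumption about where the sources to be filtered live.

```php
<?php
// Added example, not part of MediaWiki: a defensive argument handler for a
// CLI-only maintenance script. It refuses every SAPI other than cli, refuses
// to run with register_globals on (PHP < 5.4), reads arguments only from
// $_SERVER['argv'] rather than a global $argv that a request could populate,
// and confines the file argument to an assumed base directory.
function cliArgumentsOrDie() {
    // Under apache/cgi/fpm this script makes no sense: stop before anything else.
    if ( PHP_SAPI !== 'cli' ) {
        header( 'HTTP/1.1 403 Forbidden' );
        exit( "This script must be run from the command line.\n" );
    }
    // Defence in depth: a request-filled $argv is only possible with register_globals.
    if ( filter_var( ini_get( 'register_globals' ), FILTER_VALIDATE_BOOLEAN ) ) {
        fwrite( STDERR, "Refusing to run with register_globals enabled.\n" );
        exit( 1 );
    }
    // Take the arguments from the SAPI, never from the global scope.
    $args = isset( $_SERVER['argv'] ) ? $_SERVER['argv'] : array();
    array_shift( $args ); // drop the script name
    return $args;
}

$args = cliArgumentsOrDie();
if ( count( $args ) !== 1 ) {
    fwrite( STDERR, "Usage: php mwdoc-filter.php <file>\n" );
    exit( 1 );
}

// Assumption: only files below the script's parent directory are legitimate input.
$base = realpath( __DIR__ . '/..' );
$path = realpath( $args[0] );
if ( $path === false || !is_file( $path )
    || strpos( $path, $base . DIRECTORY_SEPARATOR ) !== 0 ) {
    fwrite( STDERR, "Refusing to read a file outside $base\n" );
    exit( 1 );
}
echo file_get_contents( $path );
```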

Thanks for the report and patch Platonides! This is confirmed. I think the likelihood that a configuration would be vulnerable is low, but the impact is high. We'll get this released as soon as possible.

In the future, please do post patches to the bug instead of gerrit, so we can coordinate the release, if possible.

csteipp added a comment. Via Conduit, Mar 4 2013, 7:15 PM

Released as part of 1.20.3

csteipp added a comment. Via Conduit, Mar 5 2013, 5:41 PM

RedHat has assigned CVE-2013-1818 for this issue.

csteipp added a project: Security. Via Web, Mar 26 2015, 8:39 PM
