Change Details

Anyone with the ability to edit pages in the Widgets namespace can call any static function in any class defined in PHP or MediaWiki. Quite a few of these classes can do nefarious things, such as exfiltrate user data, change user passwords, read/write arbitrary files on the filesystem, or run arbitrary shell commands (running arbitrary shell commands or writing arbitrary files can both be used to achieve additional levels of code execution). Proof of concept: Page **Widget:Test** (requires 'editwidgets' permission to edit, by default only given to sysops and a "widget editors" group): ```<!--{\MediaWiki\Shell\Shell::command('pwd')->execute()->getStdout()}-->``` On some other page, invoking the widget via `{{#widget:test}}` will execute the above command on the shell and display the result on the page, in this case the current working directory that PHP is executing from (which is the root directory of the MediaWiki installation).

Anyone with the ability to edit pages in the Widgets namespace can call any static function in any class defined in PHP or MediaWiki. Quite a few of these classes can do nefarious things, such as exfiltrate user data, change user passwords, read/write arbitrary files on the filesystem, or run arbitrary shell commands (running arbitrary shell commands or writing arbitrary files can both be used to achieve additional levels of code execution). Proof of concept: Page **Widget:Test** (requires 'editwidgets' permission to edit, by default only given to sysops and a "widget editors" group): ```<!--{\MediaWiki\Shell\Shell::command('pwd')->execute()->getStdout()}-->``` On some other page, invoking the widget via `{{#widget:test}}` will execute the above command on the shell and display the result on the page, in this case the current working directory that PHP is executing from (which is the root directory of the MediaWiki installation). This extension is not deployed on WMF to the best of my knowledge but is deployed on a number of third-party wiki farms such as Fandom/Gamepedia.

Anyone with the ability to edit pages in the Widgets namespace can call any static function in any class defined in PHP or MediaWiki. Quite a few of these classes can do nefarious things, such as exfiltrate user data, change user passwords, read/write arbitrary files on the filesystem, or run arbitrary shell commands (running arbitrary shell commands or writing arbitrary files can both be used to achieve additional levels of code execution). Proof of concept: Page **Widget:Test** (requires 'editwidgets' permission to edit, by default only given to sysops and a "widget editors" group): ```<!--{\MediaWiki\Shell\Shell::command('pwd')->execute()->getStdout()}-->``` On some other page, invoking the widget via `{{#widget:test}}` will execute the above command on the shell and display the result on the page, in this case the current working directory that PHP is executing from (which is the root directory of the MediaWiki installation). This extension is not deployed on WMF to the best of my knowledge but is deployed on a number of third-party wiki farms such as Fandom/Gamepedia.