
Read of arbitrary files through mwdoc-filter.php
Closed, ResolvedPublic

Description

The file maintenance/mwdoc-filter.php can be abused under certain server configurations to read the contents of arbitrary files.

In case

  • you have deleted the maintenance folder, or
  • you have that folder denied in the server configuration, or
  • the server is processing .htaccess overrides, or
  • you are using PHP 5.4.0 (or later), or
  • you have register_globals disabled,

it is believed that you are not vulnerable.

Explaining the conditions above:

  • MediaWiki bundles maintenance/.htaccess with 'Deny from all'
  • register_globals was removed in PHP 5.4.0
      - If register_globals is disabled, register_argc_argv doesn't seem to make a difference.
  • If register_argc_argv is enabled, it overwrites the $argv from register_globals to a single argument, so there's no $argv[1] to open... unless you use a + (no %20), so there are really two ways to exploit this, depending on register_argc_argv

Verified with PHP 5.3.2

An insecure wrapper as mentioned in http://www.php.net/archive/2012.php#id2012-05-06-1 doesn't seem to allow splitting $argv into several items.

mwdoc-filter.php is intended for usage by doxygen through the cli sapi, was added in ab59fadb https://gerrit.wikimedia.org/r/17192 and is present in 1.20 and master (git branch -a --contains ab59fadb)


Version: 1.20.x
Severity: normal
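The report above describes a maintenance script that trusts `$argv` even though, under a web SAPI with register_globals enabled, that global can be populated from the request. The following is an added example, not MediaWiki's own mwdoc-filter.php nor the patch attached to this bug: a minimal doc-filter style script showing the entry guards a defender would want in any CLI-only maintenance script. The script name `doc-filter.php` and the `$allowedRoot` directory are hypothetical placeholders.

```php
<?php
/**
 * Added example (hypothetical doc-filter.php), not MediaWiki's
 * mwdoc-filter.php: prints the file named by its first CLI argument,
 * but only after guards that keep it from being driven via the web SAPI.
 */

// Guard 1: only the command-line SAPI may run this. Under a web SAPI with
// register_globals=On, a request parameter named "argv" would otherwise
// populate the global $argv that the script relies on below.
if ( PHP_SAPI !== 'cli' ) {
    header( 'HTTP/1.1 403 Forbidden' );
    echo "This script must be run from the command line.\n";
    exit( 1 );
}

// Guard 2: refuse to run at all while register_globals is on. On PHP 5.4+
// the directive no longer exists and ini_get() simply returns false.
if ( ini_get( 'register_globals' ) ) {
    fwrite( STDERR, "Refusing to run with register_globals enabled.\n" );
    exit( 1 );
}

// Guard 3: read the argument from $_SERVER['argv'], which the CLI SAPI
// fills from the real command line, and require exactly one argument.
$args = isset( $_SERVER['argv'] ) ? $_SERVER['argv'] : array();
if ( count( $args ) !== 2 ) {
    fwrite( STDERR, "Usage: php doc-filter.php <source-file>\n" );
    exit( 1 );
}

// Guard 4: the requested file must resolve (no '..', no symlink escape)
// to a regular file inside the source tree this filter is meant for.
$allowedRoot = realpath( __DIR__ . '/../includes' ); // hypothetical root
$target = realpath( $args[1] );
if ( $allowedRoot === false || $target === false
    || !is_file( $target )
    || strpos( $target, $allowedRoot . DIRECTORY_SEPARATOR ) !== 0
) {
    fwrite( STDERR, "Refusing to read a file outside the source tree.\n" );
    exit( 1 );
}

// Only after every guard has passed does the filter touch the file
// (here a plain pass-through stands in for the real doxygen filtering).
readfile( $target );
```

The PHP_SAPI check is the guard that closes the hole described in this bug regardless of server configuration; the register_globals check and the realpath confinement are defence in depth, and the .htaccess 'Deny from all' mentioned in the description remains a worthwhile second layer in front of the whole maintenance directory.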

Details

Reference
bz45355

Event Timeline

bzimport raised the priority of this task from to Needs Triage. Nov 22 2014, 1:22 AM
bzimport set Reference to bz45355.
bzimport added a subscriber: Unknown Object (MLST).

Thanks for the report and patch, Platonides! This is confirmed. I think the likelihood that a configuration would be vulnerable is low, but the impact is high. We'll get this released as soon as possible.

In the future, please do post patches to the bug instead of gerrit, so we can coordinate the release, if possible.

RedHat has assigned CVE-2013-1818 for this issue.