oss-security February 2011 archive

Re: [oss-security] CVE request: Server-side arbitrary script inclusion vulnerability in MediaWiki <=1.16.1

From: Josh Bressers <bressers_at_nospam>
Date: Thu Feb 03 2011 - 16:10:22 GMT
To: oss-security@lists.openwall.com

Please use CVE-2011-0537

Thanks.

-- JB

----- Original Message -----
> Greetings,
>
> MediaWiki 1.16.2 was just released as a security update for two
> vulnerabilities. One already has a CVE, but this one still needs one:
>
> "An arbitrary script inclusion vulnerability was discovered. The
> vulnerability only allows execution of files with names ending in
> ".php" which are already present in the local filesystem. Only servers
> running Microsoft Windows and possibly Novell Netware are affected.
> Despite these mitigating factors, all users are advised to upgrade,
> since there is a risk of complete server compromise. MediaWiki 1.8.0
> and later is affected. For more details, see bug 27094"
>
> https://bugzilla.wikimedia.org/show_bug.cgi?id=27094
>
> Thanks,
> ~reed
>
> --
> Reed Loden
> reed@reedloden.com