Detections
Analytics
MediaWiki 1.19.x < 1.19.7 / 1.20.x < 1.20.6 Arbitrary File Upload
medium Nessus Plugin ID 66841
Language:
Synopsis
The remote web server contains a PHP application that is affected by an arbitrary upload vulnerability.Description
According to its version number, the instance of MediaWiki running on the remote host is affected by an arbitrary file upload vulnerability due to a flaw that fails to validate file extensions when files are uploaded via chunks using the API.Note that Nessus has not tested for this issue but has instead relied on the application's self-reported version number.
Solution
Upgrade to MediaWiki version 1.19.7 / 1.20.6 or later.See Also
http://www.nessus.org/u?1615913b
https://www.mediawiki.org/wiki/Release_notes/1.19#MediaWiki_1.19.7
https://www.mediawiki.org/wiki/Release_notes/1.20#MediaWiki_1.20.6
Plugin Details
Severity: Medium
ID: 66841
File Name: mediawiki_1_19_7.nasl
Version: 1.11
Type: remote
Family: CGI abuses
Published: 6/7/2013
Updated: 6/5/2024
Configuration: Enable paranoid mode, Enable thorough checks
Supported Sensors: Nessus
Enable CGI Scanning: true
Risk Information
VPR
Risk Factor: Medium
Score: 5.9
CVSS v2
Risk Factor: Medium
Base Score: 6.8
Temporal Score: 5
Vector: CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P
Vulnerability Information
CPE: cpe:/a:mediawiki:mediawiki
Required KB Items: www/PHP, Settings/ParanoidReport, installed_sw/MediaWiki
Excluded KB Items: Settings/disable_cgi_scanning
Exploit Ease: No known exploits are available
Patch Publication Date: 5/21/2013
Vulnerability Publication Date: 5/21/2013
Reference Information
CVE: CVE-2013-2114
BID: 60077