Critical vulnerability in Wikipedia found and fixed

Summary: A remote code execution vulnerability in the MediaWiki software used by Wikipedia and many other sites was found by Check Point Software and has been fixed by the WikiMedia Foundation.


The WikiMedia Foundation, authors of the MediaWiki software used by Wikipedia and many other sites, have issued a fix for a critical remote code execution vulnerability in that program. The bug was reported to them recently by Check Point Software. This vulnerability affects all versions of MediaWiki from 1.8 onwards, up to and including the supported versions prior to the fixed releases 1.21.5 and 1.22.2.

According to the report on the bug in the WikiMedia bug database, "Shell meta characters can be passed in the page parameter to the thumb.php." In other words, the value of that request parameter reached a shell command without being neutralised, which would allow any remote user to execute shell commands on the MediaWiki application server.

Further internal review by WikiMedia revealed similar faulty logic in the PdfHandler extension, which could be exploited in a similar way. The vulnerability has been designated as CVE-2014-1610.
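The thumb.php and PdfHandler bugs described above share one shape: a request parameter ends up inside a shell command string. The following PHP is an added illustration of that pattern beside its hardened form; it is not MediaWiki's own code, and the `convert` tool, the `[N]` page-selector suffix and the rule that `page` must be a positive integer are assumptions made for the example.

```php
<?php
// Added example, not MediaWiki's own code: the general shape of a shell
// metacharacter injection through a request parameter, beside a hardened form.
// Assumptions: the thumbnailer shells out to "convert", selects a page of a
// multi-page file with the "[N]" suffix, and "page" must be a positive integer.

// Vulnerable pattern: the raw request value becomes part of the shell string,
// so ";" "|" "`" "$(" and similar characters change what the shell executes.
function buildCommandUnsafe(string $src, string $page, string $dst): string
{
    return "convert {$src}[{$page}] {$dst}";
}

// Hardened pattern, step 1: allow-list the value before it goes anywhere.
function validatePage(string $page): bool
{
    return preg_match('/^[1-9][0-9]{0,4}$/', $page) === 1;
}

// Hardened pattern, step 2: quote every argument with escapeshellarg().
function buildCommandSafe(string $src, string $page, string $dst): ?string
{
    if (!validatePage($page)) {
        return null; // caller answers with HTTP 400 and runs nothing
    }
    return 'convert ' . escapeshellarg("{$src}[{$page}]") . ' ' . escapeshellarg($dst);
}

// Detection aid for log review: flag request values carrying shell metacharacters.
function hasShellMetachars(string $value): bool
{
    return preg_match('/[;&|`$(){}<>\\\\\'"\r\n]/', $value) === 1;
}

// Constructed inputs: a normal page selector and one carrying a metacharacter.
$benign  = '2';
$hostile = '2;echo INJECTED';

// The unsafe builder happily embeds the second command; the safe one rejects it
// and, for the benign value, produces a fully quoted argument list.
var_dump(buildCommandUnsafe('in.pdf', $hostile, 'out.png'));
var_dump(buildCommandSafe('in.pdf', $hostile, 'out.png'));
var_dump(buildCommandSafe('in.pdf', $benign, 'out.png'));
var_dump(hasShellMetachars($hostile), hasShellMetachars($benign));
```

The same allow-list check applied to the web server's access log for thumb.php requests gives a quick way to spot probing for this bug after patching.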


About

Larry Seltzer has long been a recognized expert in technology, with a focus on mobile technology and security in recent years. He was most recently Editorial Director of BYTE, Dark Reading and Network Computing at UBM Tech. Prior to that he spent over a decade consulting and writing on technology subjects, primarily in the area of sec...
