CVE-2014-1610
published 2014-01-30


Priority: P2 (score 62, medium)
CVSS 2.0: 6 (AV:N/AC:M/Au:S/C:P/I:P/A:P)
Exploit: available
EPSS: 42.78% (98.5th percentile)
MediaWiki 1.22.x before 1.22.2, 1.21.x before 1.21.5, and 1.19.x before 1.19.11, when DjVu or PDF file upload support is enabled, allows remote attackers to execute arbitrary commands via shell metacharacters in (1) the page parameter to includes/media/DjVu.php; (2) the w parameter (aka width field) to thumb.php, which is not properly handled by includes/media/PdfHandler_body.php; and possibly unspecified vectors in (3) includes/media/Bitmap.php and (4) includes/media/ImageHandler.php.

Affected

22 ranges

Vendor       Product      Version range                     Fixed in
debian       mediawiki    < 1:1.19.11+dfsg-1 (bookworm)     1:1.19.11+dfsg-1 (bookworm)
mediawiki    mediawiki    >= 0, < 1:1.19.11+dfsg-1          1:1.19.11+dfsg-1
mediawiki    mediawiki    >= 0, < 1:1.19.11+dfsg-1          1:1.19.11+dfsg-1
mediawiki    mediawiki    >= 0, < 1:1.19.11+dfsg-1          1:1.19.11+dfsg-1
mediawiki    mediawiki    >= 0, < 1:1.19.11+dfsg-1          1:1.19.11+dfsg-1
(17 further rows list vendor mediawiki, product mediawiki, with no version range or fix version recorded.)

Detection & IOCs (extracted from sources)

path:     /thumb.php
path:     includes/media/DjVu.php
url:      /mediawiki/thumb.php?f=<file>&width=1;<payload>;
command:  1;#{payload.encoded};
command:  1)&(#{payload.encoded})&
snort rule:
alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS MediaWiki thumb.php RCE"; flow:established,to_server; http.uri; content:"/thumb.php?"; nocase; pcre:"/[&?](?:w(?:idth)|p(?:age))=\d+\s*?[\x3b&]/i"; pcre:"/[&?]f=/i"; http.uri.raw; pcre:"/[&?](?:(?:p|%[57]0)(?:(?:a|%[46]1)(?:g|%[46]7)(?:e|%[46]5))?|(?:w|%[57]7)(?:(?:i|%[46]9)(?:d|%[64]4)(?:t|%[57]4)(?:h|%[64]8))?)(?:\s|%20)*?(?:%3d|=)(?:\s|%20)*?(?:\d|%3[0-9])+?(?:\x3b|%3[bB]|%26)/i"; reference:url,github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/http/mediawiki_thumb.rb; reference:cve,2014-1610; classtype:attempted-admin; sid:2018168; rev:5; metadata:created_at 2014_02_22, cve CVE_2014_1610, signature_severity Major, updated_at 2024_04_07;)
  • The exploit targets thumb.php with shell metacharacters (semicolons, ampersands, pipe characters) injected into the 'width' (w) parameter for PDF files or the 'page' (p) parameter for DjVu files, combined with an 'f' parameter naming the target file.
  • Successful exploitation results in a PHP webshell dropped under the MediaWiki images/ directory (e.g., images/xnz.php or images/longcat.php), reachable via an HTTP GET with a command parameter.
  • The exploit uploads a malicious .djvu file via Special:Upload before triggering the RCE through thumb.php; monitor for .djvu or .pdf uploads followed immediately by thumb.php requests containing semicolons or other shell metacharacters in query parameters.
  • The Emerging Threats Snort/Suricata rule SID 2018168 detects this attack by matching /thumb.php? in the URI with a page or width parameter whose value is a digit followed by a semicolon or ampersand, plus an f= parameter.
  • On the back end, the vulnerable command construction passes unsanitized width/page values directly into a shell command via wfShellExec() in GlobalFunctions.php, allowing injection into the gs/convert pipeline.
  • The vulnerability is only exploitable when DjVu or PDF file upload support is explicitly enabled in MediaWiki; neither file type is enabled by default.
  • If no pre-existing DjVu/PDF file is available on the target, the Metasploit module requires valid credentials to authenticate and upload a malicious .djvu file before triggering the exploit.
  • PDF exploitation additionally requires the PdfHandler extension to be installed and enabled, on top of PDF upload support being permitted.
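A defender-side check for the pattern the bullets above describe, written as an added example for this record; it is not part of the record, of MediaWiki, or of the Emerging Threats rule. The script reads web-server access-log lines in common log format (the sample lines below are constructed), flags thumb.php requests whose w/width/page value is a number followed by a shell metacharacter while an f= parameter is present (the same condition the SID 2018168 rule matches, but evaluated after URL decoding), and notes whether the same client posted to Special:Upload shortly before. The log format, the client addresses, the ten-minute correlation window and the "POST to Special:Upload counts as an upload" rule are assumptions of the example.

```python
import re
from datetime import datetime, timedelta
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (common log format); not taken from any real server.
SAMPLE_LOG = """\
10.0.0.5 - - [22/Feb/2014:10:00:01 +0000] "GET /mediawiki/index.php?title=Special:Upload HTTP/1.1" 200 5120
10.0.0.5 - - [22/Feb/2014:10:00:03 +0000] "POST /mediawiki/index.php?title=Special:Upload HTTP/1.1" 302 0
10.0.0.5 - - [22/Feb/2014:10:00:05 +0000] "GET /mediawiki/thumb.php?f=cat.djvu&width=1%3Becho%20x%3B HTTP/1.1" 500 0
10.0.0.9 - - [22/Feb/2014:10:01:00 +0000] "GET /mediawiki/thumb.php?f=report.pdf&w=120 HTTP/1.1" 200 8190
10.0.0.7 - - [22/Feb/2014:10:02:00 +0000] "GET /mediawiki/thumb.php?f=book.pdf&page=2)&(id)& HTTP/1.1" 500 0
"""

# Common log format: client, ident, user, [timestamp], "METHOD URI PROTO", status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<uri>\S+) [^"]*" (?P<status>\d+)'
)
# A numeric value followed by optional whitespace and a shell metacharacter. This mirrors the
# ET rule's /[&?](?:w(?:idth)|p(?:age))=\d+\s*?[\x3b&]/ but is applied to the decoded value,
# so %3B and %26 are caught as well; "|" and ")" are added for the pipe and subshell forms.
INJECT_RE = re.compile(r"^\d+\s*[;&|)]")
TRIGGER_PARAMS = ("w", "width", "page")
UPLOAD_WINDOW = timedelta(minutes=10)  # assumed correlation window


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def is_thumb_injection(uri):
    """True when the request targets thumb.php, carries an f= parameter, and one of the
    w/width/page values is a number followed by a shell metacharacter."""
    parts = urlsplit(uri)
    if not parts.path.endswith("/thumb.php"):
        return False
    # parse_qs splits on the raw '&' first and percent-decodes each value afterwards, so an
    # encoded %26 inside a value stays inside that value and is still visible to INJECT_RE.
    qs = parse_qs(parts.query, keep_blank_values=True)
    if "f" not in qs:
        return False
    return any(
        INJECT_RE.match(value)
        for name in TRIGGER_PARAMS
        for value in qs.get(name, [])
    )


def find_hits(log_text, window=UPLOAD_WINDOW):
    """Scan log text and return (ip, timestamp, uri, upload_preceded) for each suspicious
    thumb.php request; upload_preceded is True if the same client POSTed to Special:Upload
    within `window` before the request."""
    last_upload = {}
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        uri = rec["uri"]
        if rec["method"] == "POST" and "Special:Upload" in uri:
            last_upload[rec["ip"]] = rec["ts"]
        elif is_thumb_injection(uri):
            prior = last_upload.get(rec["ip"])
            preceded = prior is not None and rec["ts"] - prior <= window
            hits.append((rec["ip"], rec["ts"], uri, preceded))
    return hits


if __name__ == "__main__":
    for ip, ts, uri, preceded in find_hits(SAMPLE_LOG):
        tag = "upload-then-thumb" if preceded else "thumb-only"
        print(f"{ts.isoformat()} {ip} {tag} {uri}")
```

On the sample above the script reports two requests: the one from 10.0.0.5 (flagged as preceded by an upload from the same client) and the one from 10.0.0.7 (no preceding upload seen); the benign w=120 request is not reported. The correlation is intentionally coarse: a real deployment would key on the authenticated user as well as the client address, since the module's upload step requires credentials.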

CVSS provenance

nvd             CVSS v2.0   6.0 MEDIUM   AV:N/AC:M/Au:S/C:P/I:P/A:P
osv                         6.0 MEDIUM
vendor_debian               6.0 MEDIUM