CVE-2014-1610
Published: 2014-01-30
Priority: P2 (62, medium)
CVSS 2.0: 6.0 (AV:N/AC:M/Au:S/C:P/I:P/A:P)
Exploit: public exploit available (see Exploit-DB and Metasploit entries below)
EPSS: 42.78% (98.5th percentile)
MediaWiki 1.22.x before 1.22.2, 1.21.x before 1.21.5, and 1.19.x before 1.19.11, when DjVu or PDF file upload support is enabled, allows remote attackers to execute arbitrary commands via shell metacharacters in (1) the page parameter to includes/media/DjVu.php; (2) the w parameter (aka width field) to thumb.php, which is not properly handled by includes/media/PdfHandler_body.php; and possibly unspecified vectors in (3) includes/media/Bitmap.php and (4) includes/media/ImageHandler.php.
Affected (22 ranges in the source; rows without version data and verbatim duplicates collapsed)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | mediawiki | < 1:1.19.11+dfsg-1 (bookworm) | 1:1.19.11+dfsg-1 (bookworm) |
| mediawiki | mediawiki | >= 0 < 1:1.19.11+dfsg-1 | 1:1.19.11+dfsg-1 |
Detection & IOCs (extracted from sources)
Snort/Suricata rule (ET, SID 2018168):
```snort
alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS MediaWiki thumb.php RCE"; flow:established,to_server; http.uri; content:"/thumb.php?"; nocase; pcre:"/[&?](?:w(?:idth)|p(?:age))=\d+\s*?[\x3b&]/i"; pcre:"/[&?]f=/i"; http.uri.raw; pcre:"/[&?](?:(?:p|%[57]0)(?:(?:a|%[46]1)(?:g|%[46]7)(?:e|%[46]5))?|(?:w|%[57]7)(?:(?:i|%[46]9)(?:d|%[64]4)(?:t|%[57]4)(?:h|%[64]8))?)(?:\s|%20)*?(?:%3d|=)(?:\s|%20)*?(?:\d|%3[0-9])+?(?:\x3b|%3[bB]|%26)/i"; reference:url,github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/http/mediawiki_thumb.rb; reference:cve,2014-1610; classtype:attempted-admin; sid:2018168; rev:5; metadata:created_at 2014_02_22, cve CVE_2014_1610, signature_severity Major, updated_at 2024_04_07;)
```
- Exploit targets thumb.php with shell metacharacters (semicolons, ampersands, pipe characters) injected into the 'width' (w) parameter for PDF files or the 'page' (p) parameter for DjVu files, combined with an 'f' parameter specifying the target file.
- Successful exploitation results in a PHP webshell dropped under the MediaWiki images/ directory (e.g., images/xnz.php or images/longcat.php), accessible via HTTP GET with a command parameter.
- The exploit uploads a malicious .djvu file via Special:Upload before triggering the RCE through thumb.php; monitor for .djvu or .pdf uploads followed immediately by thumb.php requests containing semicolons or other shell metacharacters in query parameters.
- The Emerging Threats Snort/Suricata rule SID 2018168 detects this attack by matching /thumb.php? in the URI with the page or width parameter containing a digit followed by a semicolon or ampersand, plus an f= parameter.
- The vulnerable back-end command construction passes unsanitized width/page values directly into a shell command via wfShellExec() in GlobalFunctions.php, allowing injection into the gs/convert pipeline.
- The vulnerability is only exploitable when DjVu or PDF file upload support is explicitly enabled in MediaWiki; neither file type is enabled by default.
- If no pre-existing DjVu/PDF file is available on the target, the Metasploit module requires valid credentials to authenticate and upload a malicious .djvu file before triggering the exploit.
- PDF exploitation specifically requires the PdfHandler extension to be installed and enabled in addition to PDF upload support being permitted.
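A log-side check for the pattern the notes above describe, added here as an example (it is not from any of the sources on this page): it flags thumb.php requests whose w/width/p/page value is anything but digits once percent-decoded, requires the f= parameter as the rule does, and raises severity when the same client hit Special:Upload shortly before. The log lines are constructed, and the 10-minute correlation window is an assumption.

```python
import re
from datetime import datetime, timedelta
from urllib.parse import urlsplit, parse_qsl

# Constructed access-log lines (not from the page). Line 2 carries an inert
# shell metacharacter (%3B = ';') in the width parameter; line 3 is benign.
SAMPLE_LOG = """\
10.0.0.5 - - [22/Feb/2014:10:01:02 +0000] "POST /index.php?title=Special:Upload HTTP/1.1" 302 0
10.0.0.5 - - [22/Feb/2014:10:01:09 +0000] "GET /thumb.php?f=Sample.djvu&w=100%3Btrue&p=1 HTTP/1.1" 500 12
10.0.0.9 - - [22/Feb/2014:10:02:00 +0000] "GET /thumb.php?f=Sample.pdf&page=1&width=100 HTTP/1.1" 200 8000
"""
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) ')
SIZE_PARAMS = ("w", "width", "p", "page")  # values the handlers hand to gs/ddjvu
UPLOAD_WINDOW = timedelta(minutes=10)       # assumed upload-to-trigger window

def parse_line(line):
    m = LINE_RE.match(line)
    if not m:
        return None
    ip, ts, method, uri = m.groups()
    return ip, datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z"), method, uri

def suspicious_thumb_request(uri):
    """Return the offending name=value pair, or None when the request looks benign."""
    parts = urlsplit(uri)
    if not parts.path.endswith("/thumb.php"):
        return None
    # parse_qsl percent-decodes, so %3B becomes ';' and %26 a literal '&'
    params = dict(parse_qsl(parts.query, keep_blank_values=True))
    if "f" not in params:  # rule and vulnerable code path both need a target file
        return None
    for name in SIZE_PARAMS:
        value = params.get(name)
        if value is not None and not re.fullmatch(r"\d+", value):
            return f"{name}={value}"  # a size or page number must be digits only
    return None

def scan_log(text):
    """Return (ip, finding, severity); 'high' when the client hit Special:Upload shortly before."""
    uploads, findings = {}, []
    for ip, ts, method, uri in filter(None, map(parse_line, text.splitlines())):
        if method == "POST" and "Special:Upload" in uri:
            uploads[ip] = ts
            continue
        hit = suspicious_thumb_request(uri)
        if hit:
            recent = uploads.get(ip)
            sev = "high" if recent and ts - recent <= UPLOAD_WINDOW else "medium"
            findings.append((ip, hit, sev))
    return findings
```

Because the check decodes the query string before inspecting it, the encoded variants the rule's third pcre enumerates (%3B, %26, %20) collapse to the same test.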
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v2.0 | 6.0 | MEDIUM | AV:N/AC:M/Au:S/C:P/I:P/A:P |
| osv | — | 6.0 | MEDIUM | — |
| vendor_debian | — | 6.0 | MEDIUM | — |
GHSA
GHSA-88m3-jgcp-453j: MediaWiki 1
ghsa_unreviewed · 2022-05-17 · MEDIUM · CWE-20
Description identical to the CVE text above.
OSV
CVE-2014-1610: MediaWiki 1
osv · 2014-01-30 · CVSS 6.0 · MEDIUM
Description identical to the CVE text above.
Debian
CVE-2014-1610: mediawiki - MediaWiki 1.22.x before 1.22.2, 1.21.x before 1.21.5, and 1.19.x before 1.19.11,...
vendor_debian · 2014 · CVSS 6.0 · MEDIUM
Description identical to the CVE text above. Scope: local.
Status per suite:
- bookworm: resolved (fixed in 1:1.19.11+dfsg-1)
- bullseye: resolved (fixed in 1:1.19.11+dfsg-1)
- forky: resolved (fixed in 1:1.19.11+dfsg-1)
- sid: resolved (fixed in 1:1.19.11+dfsg-1)
- trixie: resolved (fixed in 1:1.19.11+dfsg-1)
Suricata
ET WEB_SPECIFIC_APPS MediaWiki thumb.php RCE
suricata · 2014-02-22 · SID 2018168, rev 5
Rule: identical to the rule quoted under Detection & IOCs above.
Exploit-DB
MediaWiki - 'Thumb.php' Remote Command Execution (Metasploit)
exploitdb · 2014-02-19
---
Module header as captured (the source is truncated, and the class declaration was garbled in extraction):
```ruby
##
# This module requires Metasploit: http//metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class Metasploit3 'MediaWiki Thumb.php Remote Command Execution',
'Description' => %q{
MediaWiki 1.22.x before 1.22.2, 1.21.x before 1.21.5 and 1.19.x before 1.19.11,
when DjVu or PDF file upload support is enabled, allows remote unauthenticated
users to execute arbitrary commands via shell metacharacters. If no target file
is specified this module will attempt to log in with the provided credentials to
upload a file (.DjVu) to use for exploitation.
},
'Author' =>
[
'Netanel Rubin', # from Check Point - Discovery
'Brandon Perry', # Metasploit Module
'Ben Harris', # Met
```
Exploit-DB
MediaWiki 1.22.1 PdfHandler - Remote Code Execution
exploitdb · 2014-02-01 · CVSS 6.0 · MEDIUM
---
[PGP-signed advisory; the body was garbled in extraction. Its PoC steps (a PHP backdoor written under images/ through the injection, then invoked over HTTP) survive only as fragments and are omitted; the "Related files" list is recoverable:]
Related files:
1. thumb.php: `transform( $params, File::RENDER_NOW ); // streamFile( $headers );`
2. /includes/filerepo/file/File.php: `getHandler(); // normaliseParams( $this, $normalisedParams );` ... `$thumb = $handler->doTransform( $this, $tmpThumbPath, $thumbUrl, $params );`
3. /extensions/PdfHandler/PdfHandler_body.php: `&1";` ... `$err = wfShellExec( $cmd, $retval );`
4. /includes/GlobalF
Metasploit
MediaWiki Thumb.php Remote Command Execution
metasploit
Description identical to the module description quoted in the Exploit-DB (Metasploit) entry above.
Bugzilla
CVE-2014-1610 mediawiki: remote code execution via uploaded DjVu or PDF files
bugzilla · 2014-01-28 · CVSS 6.0 · MEDIUM
It was reported [1] that MediaWiki suffers from a remote code execution vulnerability if you have enabled file upload support for DjVu (natively handled) or PDF files (in combination with the PdfHandler extension). Neither file type is enabled by default in MediaWiki installations.
MediaWiki versions 1.22.2, 1.21.5, and 1.19.11 were released to correct this flaw.
[1] http://lists.wikimedia.org/pipermail/mediawiki-announce/2014-January/000140.html
Discussion:
Created mediawiki tracking bugs for this issue:
- Affects: epel-5 [bug 1058983]
- Affects: fedora-all [bug 1058984]
Created mediawiki119 tracking bugs for this issue:
- Affects: epel-6 [bug 1058982]
mediawiki-1.21.5-1.fc19 has been pushed to the
Bugzilla
CVE-2014-1610 mediawiki: remote code execution via uploaded DjVu or PDF files [fedora-all]
bugzilla · 2014-01-28 · CVSS 6.0 · MEDIUM
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of Fedora.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When creating a Bodhi update request, please use the bodhi submission link
noted in the next comment(s). This will include the bug IDs of this
tracking bug as well as the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
Bodhi notes field when available.
Please note: t
Bugzilla
CVE-2014-1610 mediawiki119: mediawiki: remote code execution via uploaded DjVu or PDF files [epel-6]
bugzilla · 2014-01-28 · CVSS 6.0 · MEDIUM
(Automatically created tracking-bug boilerplate, identical to the fedora-all entry above except that it names Fedora EPEL.)
Bugzilla
CVE-2014-1610 mediawiki: remote code execution via uploaded DjVu or PDF files [epel-5]
bugzilla · 2014-01-28 · CVSS 6.0 · MEDIUM
(Automatically created tracking-bug boilerplate, identical to the fedora-all entry above except that it names Fedora EPEL.)
epel-5 tracki
References
- http://lists.fedoraproject.org/pipermail/package-announce/2014-February/127942.html
- http://lists.fedoraproject.org/pipermail/package-announce/2014-February/127948.html
- http://lists.wikimedia.org/pipermail/mediawiki-announce/2014-January/000140.html
- http://osvdb.org/102630
- http://secunia.com/advisories/56695
- http://secunia.com/advisories/57472
- http://www.checkpoint.com/defense/advisories/public/2014/cpai-26-jan.html
- http://www.checkpoint.com/threatcloud-central/articles/2014-01-28-tc-researchers-discover.html
- http://www.debian.org/security/2014/dsa-2891
- http://www.exploit-db.com/exploits/31329/
- http://www.osvdb.org/102631
- http://www.securityfocus.com/bid/65223
- http://www.securitytracker.com/id/1029707
- https://bugzilla.wikimedia.org/attachment.cgi?id=14361&action=diff
- https://bugzilla.wikimedia.org/attachment.cgi?id=14384&action=diff
- https://bugzilla.wikimedia.org/show_bug.cgi?id=60339
- https://gerrit.wikimedia.org/r/#/c/110069/
- https://gerrit.wikimedia.org/r/#/c/110069/2/includes/media/Bitmap.php
- https://gerrit.wikimedia.org/r/#/c/110215/