* MediaWiki user Marco discovered that security checks for file uploads were not being run when the file was uploaded in chunks through the API. This option has been available to users who can upload files since MediaWiki 1.19. <https://bugzilla.wikimedia.org/show_bug.cgi?id=48306>
Arches, please stabilize:\n=www-apps/mediawiki-1.19.7\n=www-apps/mediawiki-1.20.6
Have installed and successfully tried to use on hardened x86.
amd64 stable
x86 stable
ppc stable
Possible PHP code execution after file upload. GLSA vote: yes.
GLSA vote: yes Added to existing GLSA draft
This issue was resolved and addressed in GLSA 201310-21 at http://security.gentoo.org/glsa/glsa-201310-21.xml by GLSA coordinator Sergey Popov (pinkbyte).
CVE-2013-2114 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2114): Unrestricted file upload vulnerability in the chunk upload API in MediaWiki 1.19 through 1.19.6 and 1.20.x before 1.20.6 allows remote attackers to execute arbitrary code by uploading a file with an executable extension.