* MediaWiki user Marco discovered that security checks for file
uploads were not being run when the file was uploaded in chunks
through the API. This option has been available to users who can
upload files since MediaWiki 1.19.
Arches, please stabilize:\n=www-apps/mediawiki-1.19.7\n=www-apps/mediawiki-1.20.6
Have installed and successfully tried to use on hardened x86.
Possible PHP code execution after file upload.
GLSA vote: yes.
GLSA vote: yes
Added to existing GLSA draft
This issue was resolved and addressed in
GLSA 201310-21 at http://security.gentoo.org/glsa/glsa-201310-21.xml
by GLSA coordinator Sergey Popov (pinkbyte).
Unrestricted file upload vulnerability in the chunk upload API in MediaWiki
1.19 through 1.19.6 and 1.20.x before 1.20.6 allows remote attackers to
execute arbitrary code by uploading a file with an executable extension.