Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 471140 (CVE-2013-2114) - <www-apps/mediawiki-{1.19.7,1.20.6}: Arbitrary file upload vulnerability (CVE-2013-2114)
Summary: <www-apps/mediawiki-{1.19.7,1.20.6}: Arbitrary file upload vulnerability (CVE...
Alias: CVE-2013-2114
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
Whiteboard: B4 [glsa]
Depends on:
Reported: 2013-05-24 09:51 UTC by cyberbat
Modified: 2013-11-19 04:21 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Note You need to log in before you can comment on or make changes to this bug.
Description cyberbat 2013-05-24 09:51:11 UTC
* MediaWiki user Marco discovered that security checks for file
uploads were not being run when the file was uploaded in chunks
through the API. This option has been available to users who can
upload files since MediaWiki 1.19.

Comment 1 Tim Harder gentoo-dev 2013-05-25 09:04:38 UTC
Arches, please stabilize:\n=www-apps/mediawiki-1.19.7\n=www-apps/mediawiki-1.20.6
Comment 2 cyberbat 2013-05-25 12:47:39 UTC
Have installed and successfully tried to use on hardened x86.
Comment 3 Agostino Sarubbo gentoo-dev 2013-05-25 19:21:48 UTC
amd64 stable
Comment 4 Agostino Sarubbo gentoo-dev 2013-05-25 19:21:59 UTC
x86 stable
Comment 5 Agostino Sarubbo gentoo-dev 2013-05-25 19:22:10 UTC
ppc stable
Comment 6 Sean Amoss (RETIRED) gentoo-dev Security 2013-06-30 12:56:31 UTC
Possible PHP code execution after file upload.

GLSA vote: yes.
Comment 7 Sergey Popov gentoo-dev 2013-08-23 09:48:21 UTC
GLSA vote: yes

Added to existing GLSA draft
Comment 8 GLSAMaker/CVETool Bot gentoo-dev 2013-10-28 17:08:40 UTC
This issue was resolved and addressed in
 GLSA 201310-21 at
by GLSA coordinator Sergey Popov (pinkbyte).
Comment 9 GLSAMaker/CVETool Bot gentoo-dev 2013-11-19 04:21:25 UTC
CVE-2013-2114 (
  Unrestricted file upload vulnerability in the chunk upload API in MediaWiki
  1.19 through 1.19.6 and 1.20.x before 1.20.6 allows remote attackers to
  execute arbitrary code by uploading a file with an executable extension.