MediaWiki SyntaxHighlight Extension Option Injection

Posted by deepcore on May 23, 2017 – 12:20 pm

This Metasploit module exploits an option injection vulnerability in the SyntaxHighlight extension of MediaWiki. It tries to create and execute a PHP file in the document root. The USERNAME and PASSWORD options are only needed if the Wiki is configured as private. This vulnerability affects any MediaWiki installation with SyntaxHighlight version 2.0 installed and enabled. This extension ships with the AIO package of MediaWiki version 1.27.x and 1.28.x. A fix for this issue is included in MediaWiki version 1.28.2 and version 1.27.3.

This post is under “exploit” and has no respond so far.
If you enjoy this article, make sure you subscribe to my RSS Feed.

Post a reply

You must be logged in to post a comment.

« Sync Breeze Enterprise GET Buffer Overflow Lufthansa AG – (Limbo) Open Redirect Web Vulnerability »

:: Deepquest ::

This site contains information which could be considered illegal in some countries. It is provided here for educational use only and is not intended to be used for illegal activities.

MediaWiki SyntaxHighlight Extension Option Injection

Post a reply

Tabs Switcher

Categories

Archives

Meta

BLOGROLL