Reference: CERT-EU Security Advisory 2014-010

Title: Critical Vulnerability in MediaWiki Platform

Version history:
03.02.2014 Initial publication

Summary
=======
Researchers have discovered a critical vulnerability in the popular MediaWiki Web platform, which is used to run Wikipedia and tens of thousands of other wiki sites around the world. This vulnerability allows an attacker to perform remote code execution.[1]

CVE number: CVE-2014-1610
CVSS v2 Base Score: 6.0 (MEDIUM) (AV:N/AC:M/Au:S/C:P/I:P/A:P) [2]

Affected Platform
=================
MediaWiki from 1.8 onwards.

Technical details
=================
MediaWiki is an extremely popular open-source Web platform used to create and maintain wiki Web sites, collaborative sites in which users are able to add, modify and delete content. The largest and best-known site using the MediaWiki platform is Wikipedia.org, along with the rest of the Wikimedia Foundation's sites. Wikipedia.org is the sixth most-visited web site in the world, with over 94 million unique visitors per month and almost 2 million sites linking to it. MediaWiki also serves as the infrastructure for tens of thousands of wiki Web sites, Internet-facing as well as internal.

This vulnerability is related to the DjVu or PDF file upload support.

What can you do?
================
There is an update from the provider.[3]

More information
================
[1] http://www.checkpoint.com/threatcloud-central/articles/2014-01-28-tc-researchers-discover.html
[2] http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-1610
[3] https://bugzilla.wikimedia.org/show_bug.cgi?id=60339

Best regards,
CERT-EU Pre-configuration Team (http://cert.europa.eu)
Phone: +32.2.2990005 / e-mail: cert-eu@ec.europa.eu
PGP KeyID 0x46AC4383 FP: 9011 6BE9 D642 DD93 8348 DAFA 27A4 06CA 46AC 4383
Privacy Statement: http://cert.europa.eu/cert/plainedition/en/cert_privacy.html
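
An added example (not part of the CERT-EU advisory and not MediaWiki's own code): because the advisory ties the flaw to DjVu or PDF file upload support, this sketch scans the text of a LocalSettings.php to flag wikis where uploads are enabled and those types are allowed, so they can be updated first. It assumes the standard MediaWiki settings $wgEnableUploads and $wgFileExtensions; the function names and the sample configurations are constructed for illustration.

```python
import re

# Added example: heuristic regex scan of LocalSettings.php, not a PHP parser.
BLOCK_COMMENT = re.compile(r"/\*.*?\*/", re.S)
LINE_COMMENT = re.compile(r"^[ \t]*(#|//).*$", re.M)
ENABLE_UPLOADS = re.compile(r"\$wgEnableUploads\s*=\s*(true|false|1|0)\s*;", re.I)
FILE_EXT_ASSIGN = re.compile(r"\$wgFileExtensions\s*(?:\[\s*\])?\s*=([^;]*);", re.S)
RISKY_TYPE = re.compile(r"""['"](djvu|pdf)['"]""", re.I)


def strip_comments(php_text):
    """Drop /* */ blocks and whole-line # or // comments (trailing ones are kept)."""
    return LINE_COMMENT.sub("", BLOCK_COMMENT.sub("", php_text))


def upload_exposure(php_text):
    """Report whether uploads are on and DjVu/PDF are among the allowed types."""
    code = strip_comments(php_text)
    # PHP keeps the last assignment; MediaWiki's default is uploads disabled.
    flags = ENABLE_UPLOADS.findall(code)
    uploads = bool(flags) and flags[-1].lower() in ("true", "1")
    # Union over every assignment: a later full reset of the list is not
    # modelled, so the result errs towards flagging the wiki for review.
    types = set()
    for rhs in FILE_EXT_ASSIGN.findall(code):
        types.update(t.lower() for t in RISKY_TYPE.findall(rhs))
    return {"uploads_enabled": uploads, "risky_types": sorted(types),
            "review_needed": uploads and bool(types)}


# Constructed sample configurations (not taken from any real site).
SAMPLE_EXPOSED = """<?php
$wgEnableUploads = false;
# $wgFileExtensions[] = 'svg';
$wgEnableUploads = true;
$wgFileExtensions = array( 'png', 'jpg', 'pdf' );
$wgFileExtensions[] = 'djvu';
"""
SAMPLE_SAFE = """<?php
$wgEnableUploads = true;
/* $wgFileExtensions[] = 'pdf'; */
// $wgFileExtensions[] = 'djvu';
$wgFileExtensions = array( 'png', 'gif', 'jpg', 'jpeg' );
"""

if __name__ == "__main__":
    for name, cfg in (("exposed", SAMPLE_EXPOSED), ("safe", SAMPLE_SAFE)):
        print(name, upload_exposure(cfg))
```

A "review_needed" result only indicates that the configuration matches the condition named in the advisory; installing the provider's update [3] remains the fix.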