A serious remote code execution vulnerability was recently patched by the Wikimedia Foundation. The flaw could have put at risk any of the foundation’s sites running MediaWiki software, including Wikipedia.
Researchers in Check Point Software Technologies’ Vulnerability Research Group discovered the vulnerability in the popular wiki platform; it affects MediaWiki versions 1.8 and up.
“Remote code execution could have allowed malicious use of code on our servers. That may have put user data at risk or made it possible to change our databases somehow,” said Wikimedia Foundation spokesperson Jay Walsh. “Fortunately we’re confident there were no exploits of the vulnerability.”
Walsh said Check Point sent Wikimedia details of the vulnerability and a proof of concept late last week, and the foundation’s operations team had a patch deployed on its servers within 45 minutes. On Tuesday, the foundation made a patch available to users of its open source software, which powers wikis and collaboration sites all over the Web.
“On the Foundation’s side, the patch was applied to all of the instances of MediaWiki running on our servers,” Walsh said. “That totals several hundred wikis, including the 280-plus language versions of Wikipedia, and the other Wikimedia projects.”
Check Point’s Shahar Tal, in a thread on Bugzilla, said the vulnerability enabled unrestricted command injection through an incorrectly sanitized parameter.
“We have verified this vulnerability exists with default installations as long as a certain (not common) setting is enabled, as is on Wikimedia.org,” Tal said.
Check Point said in its advisory that an attacker could have injected malware into every Wikipedia page if so desired; the same goes for any wiki site running MediaWiki software with the improper setting.
“The vulnerability discovered by Check Point involved possible remote code execution on Wikimedia’s servers. A vulnerability like this may have allowed a user to maliciously execute shell commands on the Foundation’s servers,” Wikimedia’s Walsh said. “Based on the foundation’s review, there is no evidence that the vulnerability was actually exploited.”
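The flaw class Tal and Walsh describe, a request parameter reaching a shell without sanitization, is easy to see side by side with its fix. The following is an added illustration, not MediaWiki’s code and not the patched code: the “renderer” is a hypothetical stand-in (`echo` substitutes for whatever external tool a web application shells out to), the `page` parameter, the function names and the `1; echo INJECTED` payload are all constructed for the example, and the allow-list pattern is an assumption about what a valid page number looks like.

```python
"""Command injection through an unsanitized parameter: vulnerable vs. hardened.

Illustrative example only. The "renderer" is a hypothetical stand-in (echo)
for any external tool a web application shells out to; none of this is
MediaWiki code.
"""
import re
import shlex
import subprocess

# Hypothetical renderer binary: `echo` stands in for a real converter.
RENDERER = "echo"


def build_command_vulnerable(page: str) -> str:
    """Builds the shell line by string concatenation, the pattern that turns a
    request parameter into a command injection sink."""
    return f"{RENDERER} rendering page {page}"


def run_vulnerable(page: str) -> str:
    """Runs the concatenated string through /bin/sh, so shell metacharacters in
    `page` (';', '|', '$(...)') are interpreted as further commands."""
    return subprocess.run(
        build_command_vulnerable(page), shell=True,
        capture_output=True, text=True, check=False,
    ).stdout


def run_quoted(page: str) -> str:
    """Partial fix when a shell string is unavoidable: shlex.quote turns the
    parameter into a single literal word, so the payload is echoed, not run."""
    cmd = f"{RENDERER} rendering page {shlex.quote(page)}"
    return subprocess.run(
        cmd, shell=True, capture_output=True, text=True, check=False,
    ).stdout


def run_hardened(page: str) -> str:
    """Preferred fix: validate against an allow-list (assumed here: 1-6 digits),
    then pass argv directly with no shell so the parameter can only be data."""
    if not re.fullmatch(r"[0-9]{1,6}", page):
        raise ValueError(f"invalid page parameter: {page!r}")
    argv = [RENDERER, "rendering", "page", page]
    return subprocess.run(
        argv, shell=False, capture_output=True, text=True, check=False,
    ).stdout


def is_rejected(page: str) -> bool:
    """True when the hardened path refuses the parameter outright."""
    try:
        run_hardened(page)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    # Constructed malicious parameter: a harmless second command stands in
    # for whatever an attacker would actually run.
    payload = "1; echo INJECTED"
    print("vulnerable:", run_vulnerable(payload), end="")
    print("quoted:    ", run_quoted(payload), end="")
    print("hardened:   rejected" if is_rejected(payload) else "hardened:   accepted")
```

Running the script on a POSIX system shows the vulnerable path printing `INJECTED` on its own line, because the shell split the string at the semicolon and executed the second command; the quoted path prints the whole payload as a literal argument; the hardened path rejects it before any process is started. The allow-list plus no-shell `argv` call is the defence to reach for, since it does not depend on remembering to quote every parameter.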
Check Point said this is the third time in eight years that a remote code execution vulnerability has been found in the MediaWiki platform.
“This vulnerability will be highly prized by the hacker community and quickly turned into attacks that can be aimed at organizations that have yet to apply the patch or implement another form of defense,” Check Point said in its advisory.