Hello,
Just a clarification: MediaWiki-Vagrant [1] users should run `vagrant git-update` to update to the latest version. This is especially relevant for users running it on publicly-accessible hosts and having any of the following roles enabled:
- visualeditor
- restbase
- parsoid
Cheers,
Marko Obrovac, PhD
Senior Services Engineer
Wikimedia Foundation
[1] https://www.mediawiki.org/wiki/MediaWiki-Vagrant
On 20 January 2016 at 11:20, Gabriel Wicke <gwicke@wikimedia.org> wrote:
A vulnerability has been found in RESTBase v0.9.1 and earlier that allowed attackers to read arbitrary files on the host system by passing a specially crafted URL. This vulnerability has been fixed in [1].
All RESTBase users are strongly encouraged to upgrade to v0.9.2 immediately. Files readable by the RESTBase service user might have been accessed by third parties, so appropriate measures should be taken.
mediawiki-containers [2] users with automatic updates enabled have already been upgraded to v0.9.2.
--
Gabriel Wicke
Principal Engineer, Wikimedia Foundation
Wikitech-l mailing list
Wikitech-l@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/wikitech-l