[Pkg-mediawiki-devel] Exploitable by GeSHi local PHP file inclusion?

Brion Vibber brion at pobox.com
Thu Sep 29 19:42:17 UTC 2005


Daniel Leidert wrote:
> Hello,
>
> I've found the following security issue report today:
> http://securityreason.com/achievement_securityalert/23 (reported at
> http://www.heise.de/security/news/meldung/64410)
>
> Is mediawiki affected by this issue or was this fixed with 1.4.10?

MediaWiki does not use or include GeSHi, though several extensions for
using GeSHi in MediaWiki do exist (some third-party, and at least one
I've written which is available in our CVS module).

The "advisory" cut-and-pasted a portion of the GeSHi documentation
(without attribution) which incorrectly implies that MediaWiki includes
GeSHi; I've asked the GeSHi author about it and he's agreed to clarify
that it's a separate plugin.

If you were to try packaging a MediaWiki extension wrapping GeSHi, you
should of course make sure GeSHi is installed outside the web root like
any normal library (this is how I've done it on my manual installation
that uses it).

-- brion vibber (brion @ pobox.com)
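
Added example, not part of the original message or of MediaWiki/GeSHi: a packaging-time check for the advice above that a wrapped library such as GeSHi sits outside the web root. It also flags symlinks inside the web root that point back at the library, on the assumption that the web server follows symlinks; the function names and the sample paths are hypothetical.

```python
import os
import tempfile


def is_inside(path, root):
    """True if path, with symlinks resolved, is root or lies beneath it."""
    path, root = os.path.realpath(path), os.path.realpath(root)
    return os.path.commonpath([path, root]) == root


def links_into(lib_dir, web_root):
    """Symlinks under web_root that resolve into lib_dir, re-exposing it."""
    hits = []
    for dirpath, dirnames, filenames in os.walk(web_root, followlinks=False):
        for name in dirnames + filenames:
            entry = os.path.join(dirpath, name)
            if os.path.islink(entry) and is_inside(entry, lib_dir):
                hits.append(entry)
    return sorted(hits)


def audit(lib_dir, web_root):
    """Return a list of findings; an empty list means the layout is fine."""
    findings = []
    if is_inside(lib_dir, web_root):
        findings.append("library is inside web root: " + lib_dir)
    findings += ["symlink exposes library: " + p
                 for p in links_into(lib_dir, web_root)]
    return findings


def build_sample_tree(base):
    """Constructed sample layout (hypothetical paths) for the demo."""
    web = os.path.join(base, "var", "www", "wiki")
    outside = os.path.join(base, "usr", "share", "php", "geshi")
    inside = os.path.join(web, "extensions", "geshi")
    for d in (outside, inside):
        os.makedirs(d)
    # A link inside the served tree that points at the outside copy.
    os.symlink(outside, os.path.join(web, "geshi-link"))
    return web, outside, inside


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as base:
        web, outside, inside = build_sample_tree(base)
        for lib in (outside, inside):
            print(lib, "->", audit(lib, web) or "ok")
```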