[Pkg-mediawiki-devel] Exploitable by GeSHi local PHP file inclusion?

Daniel Leidert daniel.leidert.spam at gmx.net
Fri Sep 30 10:23:23 UTC 2005


On Thursday, 29.09.2005, at 12:42 -0700, Brion Vibber wrote:
> Daniel Leidert wrote:
> > Hello,
> >
> > I've found the following security issue report today:
> > http://securityreason.com/achievement_securityalert/23 (reported at
> > http://www.heise.de/security/news/meldung/64410)
> >
> > Is mediawiki affected by this issue or was this fixed with 1.4.10?
> 
> MediaWiki does not use or include GeSHi, though several extensions for
> using GeSHi in MediaWiki do exist (some third-party, and at least one
> I've written which is available in our CVS module).
> 
> The "advisory" cut-and-pasted a portion of the GeSHi documentation
> (without attribution) which incorrectly implies that MediaWiki includes
> GeSHi; I've asked the GeSHi author about it and he's agreed to clarify
> that it's a separate plugin.
> 
> If you were to try packaging a MediaWiki extension wrapping GeSHi, you
> should of course make sure GeSHi is installed outside the web root like
> any normal library (this is how I've done it on my manual installation
> that uses it).

Thanks to you and Romain for answering my question.

Regards, Daniel



