CVE-2004-1405 in MediaWiki

Summary

by MITRE

MediaWiki 1.3.8 and earlier, when used with Apache mod_mime, does not properly handle files with two file extensions, such as .php.rar, which allows remote attackers to upload and execute arbitrary code.


Analysis

by VulDB Data Team • 04/03/2025

This vulnerability exists in MediaWiki versions 1.3.8 and earlier when integrated with the Apache mod_mime module, creating a critical security flaw that enables remote code execution through improper file extension handling. The vulnerability stems from the web application's failure to properly validate file extensions when processing uploaded files, particularly those containing multiple extensions such as .php.rar or .asp.jpg. When Apache mod_mime processes these files, it may interpret the file based on the last extension rather than the first, leading to potential execution of malicious code. The flaw represents a classic input validation weakness that allows attackers to bypass security controls designed to prevent execution of potentially harmful files. This issue directly relates to CWE-434, which describes insecure file upload vulnerabilities where applications fail to properly validate file types, and aligns with ATT&CK technique T1190 for exploiting vulnerabilities in web applications.

The operational impact of this vulnerability is severe as it provides attackers with a straightforward path to execute arbitrary code on the affected server. An attacker can upload a malicious file with a double extension, such as a PHP script disguised as a RAR archive, and when the server processes this file through mod_mime, the system may execute the PHP portion of the file. This creates a persistent backdoor or allows for complete server compromise, potentially leading to data theft, service disruption, or further network infiltration. The vulnerability is particularly dangerous because it leverages the legitimate Apache mod_mime functionality to bypass MediaWiki's own security measures, making detection more difficult.

The vulnerability can be exploited through a simple file upload attack where an authenticated user or even an unauthenticated attacker can upload malicious files to the MediaWiki installation. Attackers typically construct files with double extensions to confuse the server's file type detection mechanisms, allowing them to execute code that would normally be blocked by standard security filters. The exploitation process involves uploading a file that appears benign to the user interface but contains malicious code in the portion that Apache mod_mime interprets as executable. This attack vector demonstrates the importance of proper file validation and the risks associated with relying on server-side modules that may not align with application-level security controls. Organizations should consider implementing multiple layers of file validation, including content-based checks, and should avoid relying solely on file extension filtering.

Mitigation strategies for this vulnerability include upgrading to MediaWiki version 1.4.0 or later where the issue has been addressed through improved file extension handling and validation mechanisms. Administrators should also configure Apache to properly handle file extensions and disable unnecessary modules that might contribute to the vulnerability. The implementation of strict file type validation, including content-based verification rather than relying solely on extension checks, is essential. Additionally, organizations should implement proper access controls to limit upload capabilities and monitor file upload activities. Security measures should include disabling execution permissions on upload directories, implementing web application firewalls, and conducting regular security audits to identify potential misconfigurations. The vulnerability serves as a reminder of the importance of proper input validation and the risks associated with complex interactions between web applications and server modules.
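
The validation gap described above, as an added example (not MediaWiki's or VulDB's code): a check that looks only at the final extension accepts holiday.php.rar, while a check over every dot-separated segment rejects it. The extension sets, function names and sample filenames are assumptions constructed for illustration.

```python
import os
import secrets

# Assumption: extensions the web server maps to a script handler (AddHandler/AddType).
SCRIPT_EXTS = {"php", "php3", "php4", "phtml", "cgi", "pl", "asp"}
# Assumption: final extensions the wiki permits for uploads.
ALLOWED_FINAL_EXTS = {"png", "gif", "jpg", "jpeg", "pdf", "rar"}


def extensions(filename):
    """Return every dot-separated segment after the base name, lowercased."""
    base = os.path.basename(filename.replace("\\", "/"))
    return [seg.lower() for seg in base.split(".")[1:]]


def naive_check(filename):
    """Final-extension-only check: the pattern a double extension defeats."""
    exts = extensions(filename)
    return bool(exts) and exts[-1] in ALLOWED_FINAL_EXTS


def strict_check(filename):
    """Allow the upload only if the final extension is permitted and no
    segment anywhere in the name is a script extension."""
    exts = extensions(filename)
    if not exts or exts[-1] not in ALLOWED_FINAL_EXTS:
        return False, "final extension not allowed"
    hits = [e for e in exts if e in SCRIPT_EXTS]
    if hits:
        return False, "script extension in name: " + ", ".join(hits)
    return True, "ok"


def stored_name(filename):
    """Server-chosen name that keeps only the final extension, so no
    client-supplied inner extension ever reaches the web server."""
    ok, reason = strict_check(filename)
    if not ok:
        raise ValueError(reason)
    return secrets.token_hex(16) + "." + extensions(filename)[-1]


if __name__ == "__main__":
    # Constructed sample filenames.
    for name in ["archive.rar", "holiday.php.rar", "photo.PHP.jpg", "php.jpg"]:
        print(name, "naive:", naive_check(name), "strict:", strict_check(name))
```

Filename checks are one layer only; content-based verification and an upload directory without execution permissions, as listed above, still apply.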

Reservation

02/12/2005

Disclosure

12/31/2004

Moderation

accepted

Entry

VDB-22702

CPE

ready

Exploit

Download

EPSS

0.05154

KEV

no

Activities

very low
