CVE-2015-8005 in MediaWiki
Summary
by MITRE
MediaWiki before 1.23.11, 1.24.x before 1.24.4, and 1.25.x before 1.25.3 uses the thumbnail ImageMagick command line argument, which allows remote attackers to obtain the installation path by reading the metadata of a PNG thumbnail file.
If you want to get the best quality for vulnerability data then you always have to consider VulDB.
Analysis
by VulDB Data Team • 04/20/2018
MediaWiki is a widely deployed open-source wiki software platform that powers numerous websites including wikipedia and various enterprise knowledge bases. The vulnerability CVE-2015-8005 represents a critical information disclosure flaw that affects multiple versions of the MediaWiki platform. This vulnerability specifically targets the image processing functionality that utilizes ImageMagick command line tools for generating thumbnails. When MediaWiki processes image uploads and generates thumbnails, it employs ImageMagick's command line interface to perform the image manipulation tasks. The flaw occurs in the thumbnail generation process where the system passes user-supplied image files through ImageMagick without proper sanitization of command line arguments.
The technical implementation of this vulnerability stems from the improper handling of ImageMagick command line parameters during thumbnail creation. When a PNG image is uploaded and processed, MediaWiki constructs command line arguments that include the image file path. However, these arguments are not properly escaped or sanitized, allowing attackers to inject malicious parameters. The vulnerability manifests when attackers create specially crafted PNG files that contain metadata or embedded commands that, when processed by ImageMagick, reveal the server's file system structure. This occurs because ImageMagick's command line interface can be manipulated to output file system information through its metadata reading capabilities.
The operational impact of this vulnerability is significant as it provides remote attackers with sensitive information about the server's file system structure. An attacker who successfully exploits this vulnerability can obtain the absolute installation path of the MediaWiki instance, which can be used as a foundation for further attacks. This information disclosure can enable attackers to map the server's directory structure, potentially revealing other sensitive files or directories that might be accessible through the web root. The vulnerability affects multiple versions of MediaWiki, making it particularly dangerous as organizations with outdated installations remain at risk. The exposure of installation paths can facilitate subsequent attacks such as path traversal, local file inclusion, or even privilege escalation attempts that rely on knowledge of the server's file structure.
This vulnerability maps to CWE-20: Improper Input Validation and CWE-22: Improper Limitation of a Pathname to a Restricted Directory, both of which are categorized under the broader family of input validation and path manipulation flaws. From an attack perspective, this vulnerability aligns with ATT&CK technique T1083: File and Directory Discovery, as it enables adversaries to gather information about the file system structure. The vulnerability also relates to T1059: Command and Scripting Interpreter, where attackers can leverage command line interfaces to extract system information. Organizations should implement immediate mitigations including updating to patched versions of MediaWiki, specifically versions 1.23.11, 1.24.4, and 1.25.3. Additionally, administrators should review and restrict image upload capabilities, implement proper input validation for all file uploads, and consider implementing web application firewalls that can detect and block suspicious command line parameter patterns. The vulnerability demonstrates the importance of proper input sanitization in command line interfaces and highlights the risks associated with using external tools without adequate parameter validation in web applications.