A remote user can create a specially crafted URL for the target site that, when loaded by the target user, will cause the 'api.php' script to download a file containing shell commands [CVE-2017-8809]. The file will be served by the target site.
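A header-level check for the condition in the summary above, where a browser saves an 'api.php' response as a file served by the target site. This is an added example, not code from this repository or from MediaWiki; the two mitigations it looks for (a server-chosen `Content-Disposition` filename and `X-Content-Type-Options: nosniff`) are general reflected-file-download hardening, and the header sets and extension list are constructed assumptions.

```python
from email.message import Message

# Assumption: extensions a desktop OS runs or hands to an interpreter; not exhaustive.
RISKY_EXTENSIONS = {"bat", "cmd", "com", "exe", "hta", "js", "ps1", "sh", "vbs"}

# Constructed header sets for illustration, not captured from MediaWiki.
UNHARDENED = {"Content-Type": "application/json; charset=utf-8"}
HARDENED = {
    "Content-Type": "application/json; charset=utf-8",
    "Content-Disposition": "inline; filename=result.json",
    "X-Content-Type-Options": "nosniff",
}


def disposition_filename(value):
    """Return the filename parameter of a Content-Disposition value, or None."""
    msg = Message()
    msg["Content-Disposition"] = value
    return msg.get_filename()


def audit_rfd_headers(headers):
    """Return findings for one response; an empty list means no header-level gap."""
    h = {k.lower(): v.strip() for k, v in headers.items()}
    findings = []

    disposition = h.get("content-disposition")
    filename = disposition_filename(disposition) if disposition else None
    if not filename:
        # With no server-chosen name, a browser saving the response derives the
        # name from the URL, which the author of the link controls.
        findings.append("no fixed filename in Content-Disposition")
    else:
        ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
        if ext in RISKY_EXTENSIONS:
            findings.append("Content-Disposition filename has a risky extension")

    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("X-Content-Type-Options: nosniff missing")
    return findings


if __name__ == "__main__":
    for name, hdrs in (("unhardened", UNHARDENED), ("hardened", HARDENED)):
        print(name, audit_rfd_headers(hdrs) or "ok")
```

Feed it the response headers of an API request before and after upgrading; the findings list should be empty once the endpoint pins its own filename.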
- Google Chrome 79.0
- MediaWiki 1.29.1
- Run
  $ docker-compose up
- Access trap page (http://127.0.0.1:8080/poc.html)
- Click "Click here"
- If you change the container port, edit the $wgServer variable in mediawiki/LocalSettings.php.
- MediaWiki account: admin / pass1234
- NVD - CVE-2017-8809
- MediaWiki Multiple Flaws Let Remote Users Modify Data, Obtain Potentially Sensitive Information, and Conduct Cross-Site Scripting Attacks and Let Local Users Obtain Passwords - SecurityTracker
- T128209 Reflected File Download from api.php
- Fix commit
- 714373 - Ignore <a download> for cross origin URLs - chromium - Monorail