CVE-2017-8809 - RFD(Reflected File Download) for MediaWiki

A remote user can create a specially crafted URL for the target site that, when loaded by the target user, will cause the 'api.php' script to download a file containing shell commands [CVE-2017-8809]. The file will be served by the target site.

Environment

• Google Chrome 79.0
• MediaWiki 1.29.1

Using

1. Run

$ docker-compose up

2. Access trap page (http://127.0.0.1:8080/poc.html)

3. Click "Click here"

Note

• If change container port, edit $wgServer variable in mediawiki/LocalSettings.php.
• MediaWiki Account admin / pass1234.

References

• NVD - CVE-2017-8809
• MediaWiki Multiple Flaws Let Remote Users Modify Data, Obtain Potentially Sensitive Information, and Conduct Cross-Site Scripting Attacks and Let Local Users Obtain Passwords - SecurityTracker
• ⚓ T128209 Reflected File Download from api.php
• Fix commit
  • SECURITY: API: Avoid some silliness with browser-guessed filenames · wikimedia/mediawiki@66b21e0
• 714373 - Ignore <a download> for cross origin URLs - chromium - An open-source project to help move the web forward. - Monorail