MoniWiki Vulnerability

Secunia Advisory: SA13478

Critical: Highly critical

Impact: System access

Where: From remote

Solution Status: Vendor Patch

Software: MoniWiki 1.x

Jeremy Bae has reported a vulnerability in MoniWiki, which can potentially be exploited by malicious people to compromise a vulnerable system.

The vulnerability is caused by an error in the handling of file uploads when a filename has multiple file extensions. This can be exploited to upload malicious script files inside the web root.

Successful exploitation may allow execution of script code, depending on the HTTP server configuration (it requires, for example, an Apache server with the “mod_mime” and “mod_php” modules installed).

The vulnerability has been reported in version 1.0.9.2. Other versions may also be affected.

Solution:
The vulnerability has reportedly been fixed in the CVS repository.

Disable “mod_mime” if it isn’t needed.
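
The following is an added example, not MoniWiki's code or the vendor's fix: an upload-name check that inspects every extension in a filename rather than only the last one, since a server with “mod_mime” may act on any of them. The extension sets, function names and sample filenames are assumptions constructed for illustration.

```python
import os

# Assumed extensions a server might map to a script handler; align this set
# with the AddHandler/AddType lines in your own server configuration.
SCRIPT_EXTENSIONS = {"php", "php3", "php4", "php5", "phtml", "pl", "cgi", "py"}
# Assumed allow-list for the final extension of an uploaded attachment.
ALLOWED_FINAL_EXTENSIONS = {"png", "jpg", "gif", "txt", "pdf", "zip"}


def extension_segments(filename):
    """Return every dot-separated segment after the base name, lowercased."""
    name = os.path.basename(filename.replace("\\", "/"))
    return [part.lower() for part in name.split(".")[1:]]


def check_upload_name(filename):
    """Return (accepted, reason), examining all extensions in the name."""
    segments = extension_segments(filename)
    if not segments:
        return False, "no extension"
    if segments[-1] not in ALLOWED_FINAL_EXTENSIONS:
        return False, "final extension not allowed: " + segments[-1]
    # A check that stopped here would accept names where an earlier
    # extension is still mapped to a script handler by the server.
    for seg in segments[:-1]:
        if seg in SCRIPT_EXTENSIONS:
            return False, "script extension inside name: " + seg
    return True, "ok"


def audit_names(names):
    """Return the names from an existing upload directory that fail the check."""
    return [n for n in names if not check_upload_name(n)[0]]


# Constructed sample filenames, not taken from the advisory.
SAMPLE_NAMES = [
    "diagram.png",
    "notes.php.txt",
    "PHOTO.PhP.JPG",
    "archive.tar.zip",
    "README",
    ".htaccess",
]

if __name__ == "__main__":
    for name in SAMPLE_NAMES:
        print(name, check_upload_name(name))
```

The same function can be run over a listing of the existing upload directory to find files that were accepted before the check was in place.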