Critical: Highly critical
Impact: System access
Where: From remote
Solution Status: Vendor Patch
Software: MoniWiki 1.x
Jeremy Bae has reported a vulnerability in MoniWiki, which can potentially be exploited by malicious people to compromise a vulnerable system.
The vulnerability is caused by an error in the handling of file uploads where a filename has multiple file extensions. This can be exploited to upload malicious script files inside the web root.
Successful exploitation may allow execution of script code, depending on the HTTP server configuration (for example, it requires an Apache server with the “mod_mime” and “mod_php” modules installed).
The vulnerability has been reported in version 1.0.9.2. Other versions may also be affected.
Solution:
The vulnerability has reportedly been fixed in the CVS repository.
Disable “mod_mime” if it isn’t needed.
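
An added example (not MoniWiki's code and not part of the original advisory): an upload filename check that inspects every extension, because mod_mime can act on an extension that is not the last one. The handler and allow-list sets, the function names and the sample filenames are assumptions constructed for illustration.

```python
# Assumption: extensions the local Apache maps to a script handler. The
# advisory does not list them; fill this in from the server configuration.
HANDLER_EXTS = {"php", "phtml", "cgi", "pl"}

# Assumption: file types the upload feature is meant to store (constructed).
ALLOWED_FINAL_EXTS = {"png", "jpg", "gif", "txt", "pdf"}


def extensions(filename):
    """Return every dot-separated extension, lowercased, left to right."""
    base = filename.replace("\\", "/").rsplit("/", 1)[-1]
    # Empty segments ("a..png", trailing dot) carry no extension.
    return [part.lower() for part in base.split(".")[1:] if part]


def last_extension_only(filename):
    """Comparison check that inspects the final extension alone."""
    return filename.rsplit(".", 1)[-1].lower() in ALLOWED_FINAL_EXTS


def check_upload_name(filename):
    """Return (ok, reason), rejecting a handler extension in any position."""
    exts = extensions(filename)
    if not exts:
        return False, "no extension"
    hits = [e for e in exts if e in HANDLER_EXTS]
    if hits:
        return False, "handler extension present: " + ",".join(hits)
    if exts[-1] not in ALLOWED_FINAL_EXTS:
        return False, "final extension not allowed: " + exts[-1]
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample names, not taken from the advisory.
    for name in ["diagram.png", "notes.php.txt", "Report.PHP.jpg", "README"]:
        print(name, last_extension_only(name), check_upload_name(name))
```

The same function can be run over an existing upload directory listing to find files stored before the fix was applied.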



