MediaWiki remote code execution - Vulnerability Database


Description

MediaWiki versions prior to 1.22.2, 1.21.5, and 1.19.11 contain a remote code execution vulnerability that can be exploited when file upload support for DjVu or PDF files is enabled. DjVu support is natively available in MediaWiki, while PDF support requires the PdfHandler extension. While neither file type is enabled by default, installations that have configured these features are at risk. This vulnerability allows authenticated users to upload specially crafted files that can execute arbitrary code on the server.

Remediation

Update MediaWiki immediately to version 1.22.2, 1.21.5, or 1.19.11 (or later), whichever matches the release branch you are running. Follow these steps:

1. Back up your installation: Create a complete backup of your MediaWiki files and database before proceeding
2. Download the appropriate version: Obtain the security release matching your version series from the official MediaWiki website
3. Apply the update: Follow the MediaWiki upgrade documentation for your specific version
4. Verify file upload settings: Review your LocalSettings.php configuration to ensure DjVu and PDF uploads are only enabled if absolutely necessary
5. Disable unnecessary file types: If DjVu or PDF support is not required, disable these file types in your configuration

As a temporary mitigation if immediate patching is not possible, disable DjVu and PDF file uploads by removing or commenting out the relevant file type configurations in LocalSettings.php until the update can be applied.
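The steps above come down to two checks an administrator can script: which release the wiki runs, and whether the DjVu or PDF handlers are switched on in LocalSettings.php. The audit script below is an added example, not code from the advisory or from the MediaWiki project. It assumes the version is read from the $wgVersion = '...'; line in includes/DefaultSettings.php (where releases of that era kept it) and that handler support is enabled through $wgFileExtensions, the $wgDjvuRenderer/$wgDjvuDump/$wgDjvuToXML settings, or an include of the PdfHandler extension; the configuration it scans in the demo is a constructed sample.

```python
"""Audit helper added here as an example; it is not from the Invicti advisory
or the MediaWiki project. It checks the two conditions the advisory names:
  1. a MediaWiki version below the fixed releases 1.22.2 / 1.21.5 / 1.19.11
  2. DjVu or PDF handling enabled in LocalSettings.php
Assumptions: the version is read from the `$wgVersion = '...';` line in
includes/DefaultSettings.php, and the handlers are switched on through
$wgFileExtensions, the $wgDjvu* renderer settings, or a PdfHandler include.
"""
import re
import tempfile
from pathlib import Path

# Branch -> first fixed patch level, as given in the advisory
FIXED = {(1, 22): 2, (1, 21): 5, (1, 19): 11}

def version_key(ver):
    """'1.22.1' -> (1, 22, 1, 1). A pre-release suffix such as '1.22.2rc1'
    gets a final 0 so it sorts before the corresponding release."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?(\S*)", ver.strip())
    if not m:
        raise ValueError(f"unrecognised MediaWiki version: {ver!r}")
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0),
            0 if m.group(4) else 1)

def is_vulnerable(ver):
    """True if `ver` predates the fix for its branch. Branches with no named
    fix (1.20.x, anything before 1.19) count as vulnerable when they sort
    below 1.22.2; 1.23 and later ship the fix."""
    key = version_key(ver)
    branch = key[:2]
    if branch in FIXED:
        return key < branch + (FIXED[branch], 1)
    return key < (1, 22, 2, 1)

# Uncommented lines matching these enable the affected handlers
RISKY = [
    (re.compile(r"\$wgFileExtensions\b[^;]*'(?:djvu|pdf)'"), "DjVu/PDF in $wgFileExtensions"),
    (re.compile(r"\$wgDjvu(?:Renderer|Dump|ToXML|Txt|PostProcessor)\b"), "DjVu renderer configured"),
    (re.compile(r"PdfHandler"), "PdfHandler extension loaded"),
]
COMMENT = re.compile(r"^\s*(?:#|//)")

def risky_upload_settings(localsettings_text):
    """Return (line_no, line, reason) for each uncommented LocalSettings.php
    line that enables DjVu or PDF handling. Commented-out lines are skipped,
    so an empty result also confirms the temporary mitigation took effect.
    Caveat: a multi-line $wgFileExtensions array with 'pdf' on its own line
    is not caught by this line-based scan."""
    hits = []
    for n, line in enumerate(localsettings_text.splitlines(), 1):
        if COMMENT.match(line):
            continue
        for pat, reason in RISKY:
            if pat.search(line):
                hits.append((n, line.strip(), reason))
                break
    return hits

VERSION_LINE = re.compile(r"^\$wgVersion\s*=\s*'([^']+)'\s*;", re.M)

def audit(install_dir):
    """Run both checks against an install tree and return a report dict."""
    root = Path(install_dir)
    m = VERSION_LINE.search((root / "includes" / "DefaultSettings.php").read_text())
    if not m:
        raise ValueError("no $wgVersion line in includes/DefaultSettings.php")
    version = m.group(1)
    hits = risky_upload_settings((root / "LocalSettings.php").read_text())
    return {"version": version, "version_vulnerable": is_vulnerable(version),
            "handlers_enabled": hits,
            "exposed": is_vulnerable(version) and bool(hits)}

# Constructed sample files (not real installation data)
SAMPLE_DEFAULTS = "<?php\n$wgVersion = '1.22.1';\n"
SAMPLE_LOCALSETTINGS = """\
<?php
$wgSitename = "Example Wiki";
$wgEnableUploads = true;
$wgFileExtensions = array( 'png', 'gif', 'jpg', 'jpeg' );
$wgFileExtensions[] = 'pdf';
# $wgFileExtensions[] = 'djvu';   // commented out: ignored by the scan
$wgDjvuRenderer = "/usr/bin/ddjvu";
require_once "$IP/extensions/PdfHandler/PdfHandler.php";
"""

def demo():
    """Write the constructed sample into a temp tree and audit it."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "includes").mkdir()
        (root / "includes" / "DefaultSettings.php").write_text(SAMPLE_DEFAULTS)
        (root / "LocalSettings.php").write_text(SAMPLE_LOCALSETTINGS)
        return audit(root)

if __name__ == "__main__":
    report = demo()
    print(f"MediaWiki {report['version']}: version vulnerable = {report['version_vulnerable']}")
    for n, line, reason in report["handlers_enabled"]:
        print(f"  LocalSettings.php:{n}: {reason}: {line}")
    print("EXPOSED" if report["exposed"] else "not exposed")
```

Running the file audits the constructed sample; call audit('/path/to/mediawiki') to check a real tree. A wiki is reported as exposed only when both conditions hold, which mirrors the advisory: an old version with neither handler enabled is not exploitable by this bug but still needs the update, and a patched version can keep DjVu or PDF support. Because commented-out lines are ignored, re-running the scan after applying the temporary mitigation shows whether it actually took effect.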
