CVE-2004-1405
Description
MediaWiki before 1.3.9 allows remote attackers to upload and execute arbitrary PHP code by using files with multiple extensions (e.g., .php.rar) due to Apache mod_mime handling.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
MediaWiki versions 1.3.8 and earlier, when used with the Apache HTTP server and the mod_mime module, do not properly validate uploaded files with multiple extensions, such as .php.rar. This input validation flaw allows an attacker to upload a file that, although having a double extension, is interpreted as a PHP script by Apache due to the behavior described in the Apache mod_mime documentation [1], [2]. The vulnerability is present in all affected MediaWiki installations using Apache with mod_mime enabled; no special configuration is required to reach the vulnerable code path beyond standard file upload functionality.
Exploitation
An attacker, who needs only the ability to upload files (typically any unauthenticated or low-privileged user with upload rights), can craft a file with an extension like .php.rar. The file content contains arbitrary PHP code. When the file is uploaded, MediaWiki stores it on the server. Apache's mod_mime treats the file as a PHP script because the last recognized extension is .php, even though .rar follows. Requesting the uploaded file URL triggers PHP execution [2]. No user interaction or race condition is required.
Impact
Successful exploitation results in arbitrary command execution with the privileges of the web server process (typically the nobody user). An attacker can execute arbitrary PHP code, leading to full compromise of the web application and potentially the underlying server, including data theft, defacement, or further lateral movement [2].
Mitigation
The vulnerability is fixed in MediaWiki version 1.3.9, released on December 13, 2004 [2]. Users should upgrade to 1.3.9 or later immediately. As a workaround, if upgrading is not possible, administrators can disable file uploads or reconfigure Apache to not treat files with double extensions as executable (e.g., by using mod_rewrite or disabling ambiguous extensions via AddHandler directives), but the definitive solution is to apply the patch [1], [2]. MediaWiki 1.3.8 and earlier are affected; 1.3.9 and later are not.
AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
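Added example (not part of the original page or of MediaWiki's code): a simplified Python model of the mod_mime lookup described above, used to audit stored upload names against the final-extension check of 1.3.8 and the every-extension check of 1.3.9. The handler and type mappings, file names and function names are constructed assumptions; the model also covers the AddType-only case, which goes beyond the .php.rar example in the text.

```python
# Added example: simplified model of mod_mime's multi-extension lookup.
# The mappings are constructed samples; replace them with the
# AddHandler/AddType lines from the Apache configuration being audited.
HANDLERS = {"php": "php-script", "cgi": "cgi-script"}        # AddHandler
TYPES = {"php": "application/x-httpd-php", "png": "image/png",
         "jpg": "image/jpeg", "txt": "text/plain"}           # AddType
SCRIPT_TYPES = {"application/x-httpd-php"}

def extensions(filename):
    """All dot-delimited segments after the base name, lowercased."""
    return filename.lower().split(".")[1:]

def resolve(filename, handlers=HANDLERS, types=TYPES):
    """Return (handler, media_type): for each kind of metadata the
    rightmost mapped extension wins; unmapped ones ('rar') are ignored."""
    handler = media_type = None
    for ext in extensions(filename):
        handler = handlers.get(ext, handler)
        media_type = types.get(ext, media_type)
    return handler, media_type

def is_executable(filename, handlers=HANDLERS, types=TYPES):
    """True if the server would pass the file to a script handler."""
    handler, media_type = resolve(filename, handlers, types)
    return handler is not None or media_type in SCRIPT_TYPES

def last_extension_rejects(filename, blacklist):
    """Check as in MediaWiki 1.3.8 and earlier: final extension only."""
    exts = extensions(filename)
    return bool(exts) and exts[-1] in blacklist

def any_extension_rejects(filename, blacklist):
    """Check as in the 1.3.9 patch: every extension is tested."""
    return any(ext in blacklist for ext in extensions(filename))

def audit(names, blacklist, handlers=HANDLERS, types=TYPES):
    """Stored upload names that passed a final-extension check but
    resolve to a script handler under the given mappings."""
    return [n for n in names
            if is_executable(n, handlers, types)
            and not last_extension_rejects(n, blacklist)]

if __name__ == "__main__":
    stored = ["photo.png", "notes.php.rar", "chart.php.png", "readme.txt"]
    for name in audit(stored, {"php", "cgi"}):
        print("review:", name)
```

Passing handlers={} models a server that maps PHP through AddType only: there a mapped final extension such as png overrides the PHP type, while an unmapped one such as rar does not.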
Affected products
- cpe:2.3:a:mediawiki:mediawiki:1.3:*:*:*:*:*:*:*
- cpe:2.3:a:mediawiki:mediawiki:1.3.0:*:*:*:*:*:*:*
- cpe:2.3:a:mediawiki:mediawiki:1.3.1:*:*:*:*:*:*:*
- cpe:2.3:a:mediawiki:mediawiki:1.3.10:*:*:*:*:*:*:*
- cpe:2.3:a:mediawiki:mediawiki:1.3.11:*:*:*:*:*:*:*
- cpe:2.3:a:mediawiki:mediawiki:1.3.2:*:*:*:*:*:*:*
- cpe:2.3:a:mediawiki:mediawiki:1.3.3:*:*:*:*:*:*:*
- cpe:2.3:a:mediawiki:mediawiki:1.3.4:*:*:*:*:*:*:*
- cpe:2.3:a:mediawiki:mediawiki:1.3.5:*:*:*:*:*:*:*
- cpe:2.3:a:mediawiki:mediawiki:1.3.6:*:*:*:*:*:*:*
- cpe:2.3:a:mediawiki:mediawiki:1.3.7:*:*:*:*:*:*:*
- cpe:2.3:a:mediawiki:mediawiki:1.3.8:*:*:*:*:*:*:*
- (no CPE) range: <=1.3.8
Patches
1ae17baf66e04 * Enhance upload extension blacklist to protect against vulnerable Apache configurations
2 files changed · +68 −13
includes/SpecialUpload.php+48 −12 modified@@ -156,14 +156,18 @@ function processUpload() { # Chop off any directories in the given filename $basename = basename( $this->mOname ); - if( preg_match( '/^(.*)\.([^.]*)$/', $basename, $matches ) ) { - $partname = $matches[1]; - $ext = $matches[2]; + /** + * We'll want to blacklist against *any* 'extension', and use + * only the final one for the whitelist. + */ + list( $partname, $ext ) = $this->splitExtensions( $basename ); + if( count( $ext ) ) { + $finalExt = $ext[count( $ext ) - 1]; } else { - $partname = $basename; - $ext = ''; + $finalExt = ''; } - + $fullExt = implode( '.', $ext ); + if ( strlen( $partname ) < 3 ) { $this->mainUploadForm( wfMsg( 'minlength' ) ); return; @@ -192,17 +196,18 @@ function processUpload() { /* Don't allow users to override the blacklist */ global $wgStrictFileExtensions; global $wgFileExtensions, $wgFileBlacklist; - if( $this->checkFileExtension( $ext, $wgFileBlacklist ) || - ($wgStrictFileExtensions && !$this->checkFileExtension( $ext, $wgFileExtensions ) ) ) { - return $this->uploadError( wfMsg( 'badfiletype', htmlspecialchars( $ext ) ) ); + if( $this->checkFileExtensionList( $ext, $wgFileBlacklist ) || + ($wgStrictFileExtensions && + !$this->checkFileExtension( $finalExt, $wgFileExtensions ) ) ) { + return $this->uploadError( wfMsg( 'badfiletype', htmlspecialchars( $fullExt ) ) ); } /** * Look at the contents of the file; if we can recognize the * type but it's corrupt or data of the wrong type, we should * probably not accept it. */ - if( !$this->verify( $this->mUploadTempName, $ext ) ) { + if( !$this->verify( $this->mUploadTempName, $finalExt ) ) { return $this->uploadError( wfMsg( 'uploadcorrupt' ) ); } 
@@ -217,8 +222,8 @@ function processUpload() { global $wgCheckFileExtensions; if ( $wgCheckFileExtensions ) { - if ( ! $this->checkFileExtension( $ext, $wgFileExtensions ) ) { - $warning .= '<li>'.wfMsg( 'badfiletype', htmlspecialchars( $ext ) ).'</li>'; + if ( ! $this->checkFileExtension( $finalExt, $wgFileExtensions ) ) { + $warning .= '<li>'.wfMsg( 'badfiletype', htmlspecialchars( $fullExt ) ).'</li>'; } } @@ -534,6 +539,20 @@ function mainUploadForm( $msg='' ) { /* -------------------------------------------------------------- */ + /** + * Split a file into a base name and all dot-delimited 'extensions' + * on the end. Some web server configurations will fall back to + * earlier pseudo-'extensions' to determine type and execute + * scripts, so the blacklist needs to check them all. + * + * @return array + */ + function splitExtensions( $filename ) { + $bits = explode( '.', $filename ); + $basename = array_shift( $bits ); + return array( $basename, $bits ); + } + /** * Perform case-insensitive match against a list of file extensions. * Returns true if the extension is in the list. @@ -546,6 +565,23 @@ function checkFileExtension( $ext, $list ) { return in_array( strtolower( $ext ), $list ); } + /** + * Perform case-insensitive match against a list of file extensions. + * Returns true if any of the extensions are in the list. + * + * @param array $ext + * @param array $list + * @return bool + */ + function checkFileExtensionList( $ext, $list ) { + foreach( $ext as $e ) { + if( in_array( strtolower( $e ), $list ) ) { + return true; + } + } + return false; + } + /** * Returns false if the file is of a known type but can't be recognized, * indicating a corrupt file.
RELEASE-NOTES+20 −1 modified@@ -3,7 +3,23 @@ Security reminder: MediaWiki does not require PHP's register_globals setting since version 1.2.0. If you have it on, turn it *off* if you can. -== Version 1.3.9, ****-**-** == +== Version 1.3.9, 2004-12-12 == + +MediaWiki 1.3.9 is a security and bug fix release. + +A flaw in upload handling has been found which may allow upload and +execution of arbitrary scripts with the permissions of the web server. +Only wikis that have enabled uploads and have a vulnerable Apache +configuration will be affected, but to be safe all wikis should upgrade. + +Wikis with uploads available should either disable uploads or upgrade to +1.3.9 immediately; if other files are customized and require merging +changes, includes/SpecialUpload.php may be replaced individually to add +the fix. + +(It is also recommended to configure your web server to disable script +execution in the 'images' subdirectory where uploads are placed, which +prevents most attacks even if the wiki fails.) Changes from 1.3.8: * Backported "Templates used in this page"-feature of EditPage @@ -12,6 +28,9 @@ Changes from 1.3.8: * (bug 1010) fix broken Commons image link on Classic & Cologne Blue * (bug 1004) Norsk language names for interwiki links changed, Nauruan language name changed +* Enhance upload extension blacklist to protect against vulnerable + Apache configurations + == Version 1.3.8, 2004-11-15 ==
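Review bot: In the processUpload() hunk at -156,14 of includes/SpecialUpload.php, $partname changes meaning while the strlen( $partname ) < 3 check below it stays as it was. It used to hold everything before the last dot and now holds only the text before the first dot, so a name such as v1.2-diagram.png yields a $partname of v1 and is rejected with 'minlength'. Consider measuring the length on the name with only $finalExt removed, or record the behaviour change in RELEASE-NOTES.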
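Review bot: In the hunk at -192,17 the whitelist test and verify() receive only $finalExt, so every earlier segment is constrained by $wgFileBlacklist alone, even with $wgStrictFileExtensions on. The fix therefore holds only if the blacklist names every extension the web server maps to a handler; a comment next to the check saying so would make that dependency visible to whoever edits the list later.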
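Review bot: splitExtensions() in the hunk at -534,6 documents its result only as "@return array" and has no @param line, yet its caller unpacks it with list( $partname, $ext ) and then calls count( $ext ). Spell out that it returns array( basename, array of extensions ), and mention that a trailing or doubled dot produces empty-string entries, since $finalExt is then '' in processUpload().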
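Review bot: checkFileExtensionList() in the hunk at -546,6 repeats the in_array( strtolower( ... ), $list ) rule from checkFileExtension() directly above it; calling checkFileExtension( $e, $list ) inside the loop would keep the matching rule in one place. Both docblocks promise a case-insensitive match, but only the input is lowercased, so the comment should state that the configured lists must already be lowercase.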
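Review bot: The 1.3.9 entry added to RELEASE-NOTES says only wikis with "a vulnerable Apache configuration" are affected, without saying what makes a configuration vulnerable. One sentence reusing the wording from the splitExtensions() comment (servers that fall back to earlier pseudo-extensions to determine type) would let administrators check their own setup, and the parenthetical about disabling script execution in the 'images' subdirectory would be more actionable with a pointer to how that is done.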
References
- wikipedia.sourceforge.net (nvd; Patch)
- www.securityfocus.com/bid/11985 (nvd; Exploit, Patch)
- marc.info (nvd)
- secunia.com/advisories/13478/ (nvd)