CVE-2010-2789
Description
PHP remote file inclusion in MediaWikiParserTest.php in MediaWiki 1.16 beta, when register_globals is enabled, allows arbitrary code execution.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
MediaWikiParserTest.php in MediaWiki 1.16 beta contains a PHP remote file inclusion vulnerability. When PHP's register_globals is enabled, the script does not properly validate input, allowing inclusion of remote files [1]. Stable MediaWiki releases are not affected.
Exploitation
Exploitation requires a target with register_globals enabled and with the .htaccess protection (which applies if Apache AllowOverride is enabled) bypassed or absent. By sending a crafted HTTP request to MediaWikiParserTest.php, the attacker can include a remote PHP file [1]. No authentication is required.
Impact
Successful exploitation allows arbitrary PHP code execution on the server, potentially leading to full compromise of the web application and underlying system.
Mitigation
The vulnerability only exists in the 1.16 beta series. Upgrading to a stable release (1.16.0 or 1.15.5) eliminates the issue [1]. Disabling register_globals in PHP configuration also mitigates the risk. Additionally, if Apache AllowOverride is enabled, the included .htaccess file denies access to the vulnerable script [1].
AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
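The mitigation conditions described above can be checked on a host with a short audit. This is an added example, not code from MediaWiki or from the original page. It looks for copies of MediaWikiParserTest.php under a document root, reads the register_globals setting from php.ini text, and checks for a deny rule in a covering .htaccess file. The deny directive patterns, the function names and the sample directory are assumptions, and the script does not determine the MediaWiki version.

```python
import os, re, tempfile

SCRIPT = "MediaWikiParserTest.php"  # file name taken from the advisory
# Assumed deny directives (Apache 2.2 and 2.4 syntax); the page does not quote the shipped file.
DENY = re.compile(r"^\s*(deny\s+from\s+all|require\s+all\s+denied)\b", re.I | re.M)

def register_globals_on(ini_text):
    """True if the last register_globals directive in php.ini text enables it."""
    value = "off"  # PHP's built-in default since 4.2.0
    for line in ini_text.splitlines():
        m = re.match(r"\s*register_globals\s*=\s*([^;\s]+)", line, re.I)
        if m:  # lines starting with ';' are comments and never match
            value = m.group(1).strip("\"'").lower()
    return value in ("1", "on", "true", "yes")

def htaccess_denies(directory, root):
    """True if a .htaccess in directory or any ancestor up to root has a deny-all rule."""
    d, root = os.path.abspath(directory), os.path.abspath(root)
    while True:
        path = os.path.join(d, ".htaccess")
        if os.path.isfile(path):
            with open(path, errors="replace") as fh:
                if DENY.search(fh.read()):
                    return True
        if d == root or os.path.dirname(d) == d:
            return False
        d = os.path.dirname(d)

def audit(root, ini_text, allow_override):
    """List each copy of the script and whether the advisory's conditions all hold."""
    rg = register_globals_on(ini_text)
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        if SCRIPT in files:
            # .htaccess only protects when Apache honours it (AllowOverride enabled)
            protected = allow_override and htaccess_denies(dirpath, root)
            findings.append({"path": os.path.join(dirpath, SCRIPT),
                             "protected": protected, "conditions_met": rg and not protected})
    return findings

def demo(ini_text, with_htaccess, allow_override):
    """Build a constructed docroot in a temp dir and audit it."""
    with tempfile.TemporaryDirectory() as root:
        d = os.path.join(root, "wiki", "placeholder-dir")  # constructed path
        os.makedirs(d)
        open(os.path.join(d, SCRIPT), "w").close()
        if with_htaccess:
            with open(os.path.join(d, ".htaccess"), "w") as fh:
                fh.write("Deny from all\n")
        return [f["conditions_met"] for f in audit(root, ini_text, allow_override)]
```

The deny check is a simplification: it does not parse `<Files>` scoping, so a deny rule that targets a different file would still count as protection.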
Affected products: 2
Patches: 0
No patches discovered yet.
References: 2
News mentions: 0
No linked articles in our index yet.