From eaff87879e79c3e6b1e0d8893223ad2583e30e1a Mon Sep 17 00:00:00 2001 From: Christian Mehlmauer Date: Fri, 19 Apr 2013 22:03:05 +0200 Subject: [PATCH] added text --- modules/auxiliary/scanner/http/mediawiki_svg_fileaccess.rb | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/modules/auxiliary/scanner/http/mediawiki_svg_fileaccess.rb b/modules/auxiliary/scanner/http/mediawiki_svg_fileaccess.rb index 51c2472a08..df1c09f301 100644 --- a/modules/auxiliary/scanner/http/mediawiki_svg_fileaccess.rb +++ b/modules/auxiliary/scanner/http/mediawiki_svg_fileaccess.rb @@ -22,7 +22,8 @@ class Metasploit4 < Msf::Auxiliary expand external entities with the SYSTEM identifier. In order to work MediaWiki must be configured to accept upload of SVG files. If anonymous uploads are allowed the username and password aren't required, otherwise they are. This module has been - tested successfully on MediaWiki 1.19.4 and Ubuntu 10.04. + tested successfully on MediaWiki 1.19.4, 1.20.3 on Ubuntu 10.04 and Ubuntu 12.10. + Older versions were also tested but do not seem to be vulnerable to this vulnerability. The following MediaWiki requirements must be met: File upload must be enabled, $wgFileExtensions[] must include 'svg', $wgSVGConverter must be set to something other than 'false'.