The popular Wiki platform suffers from a remote code execution vulnerability if uploads are supported for DjVu or PDF file types.

The WikiMedia Foundation encouraged webmasters and systems administrators to update their MediaWiki installations on Tuesday, after researchers at Check Point discovered remote code execution vulnerabilities in the platform’s core installation.

From the announcement: “Your MediaWiki installation is affected by a remote code execution vulnerability if you have enabled file upload support for DjVu (natively supported by MediaWiki) or PDF files (in combination with the PdfHandler extension). Neither file type is enabled by default in MediaWiki installations. If you are affected, we strongly urge you to update immediately.”

The MediaWiki platform is used by thousands of websites, and collectively serves more than 100 million users each day – a majority of them via Wikipedia. Initially, Check Point researchers discovered the vulnerability in the handling of DjVu files, but additional testing by the WikiMedia Foundation discovered similar issues with PDF files.

If exploited, an attacker could take control of the server where the platform is installed, and inject malicious code into every page served by the platform. Until the patch was released, Wikipedia was the largest vulnerable site on the web (in terms of pages rendered and traffic), but other large Wiki-based websites remain at risk until the patch is deployed.

According to the WikiMedia Foundation’s Chris Steipp, the foundation plans to use the flaw as an example. Once it seems like most Wiki installations are patched, the exploit will be made public “so we have a negative example that developers can see and prevent in the future.”

Additional details are available here, and patches are available for download here.
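The advisory's exposure condition (uploads enabled, plus DjVu, or PDF together with the PdfHandler extension) can be checked against a wiki's LocalSettings.php before the patch is rolled out. The following is an added example, not code from the article or from MediaWiki; it is a heuristic over the common configuration forms ($wgEnableUploads, $wgFileExtensions, wfLoadExtension/require_once of PdfHandler) and the sample config fragments are constructed for illustration.

```python
import re

# Constructed LocalSettings.php fragments (not from any real wiki) used to exercise the check.
SAMPLE_DEFAULT = """
$wgEnableUploads = true;
$wgFileExtensions = array( 'png', 'gif', 'jpg', 'jpeg' );
"""
SAMPLE_EXPOSED_DJVU = """
$wgEnableUploads = true;
$wgFileExtensions[] = 'djvu';
"""
SAMPLE_PDF_NO_HANDLER = """
$wgEnableUploads = true;
$wgFileExtensions = array( 'png', 'pdf' );
"""
SAMPLE_PDF_WITH_HANDLER = """
$wgEnableUploads = true;
$wgFileExtensions = [ 'png', 'pdf' ];
wfLoadExtension( 'PdfHandler' );
"""

def enabled_upload_extensions(config: str) -> set:
    """Collect extensions enabled via $wgFileExtensions assignment or append."""
    exts = set()
    # Whole-array form: $wgFileExtensions = array( ... ); or = [ ... ];
    for body in re.findall(r"\$wgFileExtensions\s*=\s*(?:array\s*\(|\[)(.*?)(?:\)|\])\s*;", config, re.S):
        exts.update(e.lower() for e in re.findall(r"['\"]([^'\"]+)['\"]", body))
    # Append form: $wgFileExtensions[] = 'djvu';
    for ext in re.findall(r"\$wgFileExtensions\[\]\s*=\s*['\"]([^'\"]+)['\"]\s*;", config):
        exts.add(ext.lower())
    return exts

def pdfhandler_loaded(config: str) -> bool:
    """True if the PdfHandler extension is loaded by either loader style."""
    return bool(re.search(r"wfLoadExtension\s*\(\s*['\"]PdfHandler['\"]\s*\)", config)
                or re.search(r"require(?:_once)?\s*\(?\s*['\"][^'\"]*PdfHandler/PdfHandler\.php", config))

def exposure(config: str) -> list:
    """Return the advisory conditions that apply to this config (empty list = not exposed)."""
    if not re.search(r"\$wgEnableUploads\s*=\s*true\s*;", config):
        return []  # assumption: uploads left at the default (disabled)
    exts = enabled_upload_extensions(config)
    reasons = []
    if "djvu" in exts:
        reasons.append("djvu uploads enabled (native DjVu handling)")
    if "pdf" in exts and pdfhandler_loaded(config):
        reasons.append("pdf uploads enabled with PdfHandler extension loaded")
    return reasons
```

Run it over each site's LocalSettings.php to prioritise which installations to patch first; a PDF-only wiki without PdfHandler is not affected per the advisory.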