I don't normally advertise new releases of this extension, much less minor 
ones, but this concerns a security issue, so here goes...

I just released the SimpleBatchUpload extension version 1.3.2 which fixes an 
unauthenticated arbitrary file upload vulnerability present in the Blueimp
jQuery-File-Upload module used by this extension ([1], [2]). This vulnerability 
allows remote execution of code on the server.

This vulnerability affects all versions of SimpleBatchUpload < 1.3.2 on 
MediaWiki < 1.27.4/1.28.3/1.29.2/1.30.0. Higher versions of MediaWiki block the 
/vendor directory for direct web access, so while the unauthorized upload of 
files is still possible, at least they cannot be used as remote entry points, 
so execution of code should not be possible.

If you are using one of the affected versions, please upgrade SimpleBatchUpload 
as soon as possible.

Stephan

[1] https://nvd.nist.gov/vuln/detail/CVE-2018-9206
[2] http://www.vapidlabs.com/advisory.php?v=204
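As an added example (not part of the announcement or of the extension itself), the version rules stated above turned into a small Python check an administrator can run against their own SimpleBatchUpload and MediaWiki version strings; the handling of pre-release suffixes and the result labels are assumptions of this example.

```python
from typing import Tuple

# MediaWiki releases that start blocking direct web access to /vendor,
# per release branch, as stated in the announcement.
MW_VENDOR_BLOCKED_SINCE = {
    (1, 27): (1, 27, 4),
    (1, 28): (1, 28, 3),
    (1, 29): (1, 29, 2),
}
MW_FIRST_BRANCH_ALWAYS_BLOCKED = (1, 30)   # 1.30.0 and every later branch
SBU_FIXED = (1, 3, 2)                      # SimpleBatchUpload 1.3.2 carries the fix


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '1.29.2' (or '1.29.2-rc.0') into a comparable tuple of ints.

    A pre-release suffix is dropped, so an RC counts as the final release
    of that number; that is an assumption of this example, not a rule from
    the announcement. Short strings such as '1.29' are padded to '1.29.0'.
    """
    core = text.strip().split("-")[0]
    parts = tuple(int(p) for p in core.split("."))
    return parts + (0,) * (3 - len(parts))


def mediawiki_blocks_vendor(mw_version: str) -> bool:
    """True when this MediaWiki version denies direct web access to /vendor."""
    v = parse_version(mw_version)
    branch = v[:2]
    if branch >= MW_FIRST_BRANCH_ALWAYS_BLOCKED:
        return True
    fixed = MW_VENDOR_BLOCKED_SINCE.get(branch)
    return fixed is not None and v >= fixed


def assess(sbu_version: str, mw_version: str) -> str:
    """Classify an installation per the announcement.

    'patched'     : SimpleBatchUpload >= 1.3.2, nothing to do.
    'upload-only' : extension still vulnerable to unauthenticated upload,
                    but MediaWiki blocks /vendor, so no remote entry point.
    'rce'         : vulnerable extension on a MediaWiki that exposes /vendor;
                    uploaded files can be reached and executed. Upgrade now.
    """
    if parse_version(sbu_version) >= SBU_FIXED:
        return "patched"
    if mediawiki_blocks_vendor(mw_version):
        return "upload-only"
    return "rce"
```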

_______________________________________________
MediaWiki-l mailing list
To unsubscribe, go to:
https://lists.wikimedia.org/mailman/listinfo/mediawiki-l
