CVE-2023-35333
📋 TL;DR
CVE-2023-35333 is a remote code execution vulnerability in the PandocUpload extension for MediaWiki, published by Microsoft (the extension's maintainer). A specially crafted request to the extension's upload endpoint lets an attacker run arbitrary code on the wiki host with the privileges of the web server process. Only installations that load the PandocUpload extension are affected; MediaWiki core is not. Because the vulnerable code path is the upload feature, the attacker needs whatever access the wiki grants for uploads; on many wikis that is a registered account, since MediaWiki gives the "user" group the upload right by default once $wgEnableUploads is turned on.
💻 Affected Systems
- MediaWiki installations with the PandocUpload extension loaded (the flaw is in the extension code, not in MediaWiki core)
📦 What is this software?
PandocUpload is a MediaWiki extension published by Microsoft. It adds an upload path that accepts documents in formats such as Word and converts them to wikitext by running the Pandoc document converter on the server. Any feature that hands user-supplied input to an external program is a natural place for command execution bugs, which is why a flaw here affects the whole wiki host rather than just the wiki content.
⚠️ Risk & Real-World Impact
Worst Case
Complete server compromise allowing data theft, lateral movement, and persistent backdoor installation
Likely Case
Remote code execution through the upload feature, followed by web shell deployment and data exfiltration
If Mitigated
Reduced impact where the web server runs as an unprivileged account, outbound connections from the wiki host are restricted, and the host is segmented from other systems
🎯 Exploit Status
Exploitation requires sending a specially crafted request to the extension's upload endpoint. The vulnerable code path is reachable only when the extension is loaded and uploads are enabled on the wiki.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Update the PandocUpload extension to the fixed release referenced in the vendor advisory below. MediaWiki core does not carry a fix for this CVE, but keep it on a supported release.
Vendor Advisory: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-35333
Restart Required: No. PHP code is reloaded per request, but if OPcache is enabled with file revalidation turned off, restart PHP-FPM (or reset the opcode cache) so the patched files are actually picked up.
Instructions:
1. Update the PandocUpload extension to the patched release.
2. Update MediaWiki core to a current supported release.
3. If the extension is not needed, remove it from LocalSettings.php instead of keeping it patched.
4. Clear MediaWiki's caches and PHP's opcode cache, then perform a test upload through the extension to confirm it still works.
🔧 Temporary Workarounds
Disable PandocUpload Extension
Temporarily disable the vulnerable extension until it is patched. Edit LocalSettings.php and remove or comment out the line that loads it:
    wfLoadExtension( 'PandocUpload' );
If the extension is loaded as part of a wfLoadExtensions( [ ... ] ) array, remove 'PandocUpload' from that array instead. Confirm on Special:Version that the extension no longer appears.
Restrict Access to Upload Endpoint
Block direct access to the extension's files at the web server (adjust /w/ to your $wgScriptPath):
    # Apache
    <Location "/w/extensions/PandocUpload/">
        Require all denied
    </Location>
    # Nginx
    location ~ ^/w/extensions/PandocUpload/ { deny all; }
Caveat: MediaWiki serves extension features through index.php (special pages) and api.php, not through direct requests into extensions/PandocUpload/, so these rules only stop direct access to the extension's own PHP files and static assets. They do not reliably block the upload code path. Treat them as defence in depth and rely on disabling the extension.
🧯 If You Can't Patch
- Disable PandocUpload extension immediately
- Restrict the wiki host with network segmentation and egress filtering, and add WAF rules that limit POSTs to the extension's upload page to expected clients
🔍 How to Verify
Check if Vulnerable:
Check whether LocalSettings.php actually loads the extension (a wfLoadExtension( 'PandocUpload' ) call or an entry in a wfLoadExtensions( [ ... ] ) array, ignoring commented-out lines), and whether extensions/PandocUpload/extension.json declares a version older than the fixed release named in the vendor advisory.
Check Version:
MediaWiki core version: Special:Version, or the MW_VERSION constant in includes/Defines.php (MediaWiki 1.35 and later; older releases set $wgVersion in includes/DefaultSettings.php). Extension version: the "version" field of extensions/PandocUpload/extension.json, also shown on Special:Version under Installed extensions.
Verify Fix Applied:
Confirm that Special:Version no longer lists PandocUpload (if disabled) or lists the patched version (if updated), then perform a test upload through the extension to confirm the feature still works.
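The following script is an added example for this page, not code from MediaWiki, the extension or the vendor. It answers the first verification question (is the extension actually loaded?) without the false positive a naive grep produces on a commented-out line, and reads the version the extension declares so you can compare it against the advisory yourself. The sample LocalSettings.php content and the "0.1.0" version string are constructed; the fixed version number is deliberately not hard-coded because this page does not reproduce it.

```python
"""Check whether a MediaWiki install has the PandocUpload extension loaded.

Added example for this advisory page; not MediaWiki or extension code.
Reports whether the vulnerable component is active and which version it
declares. Compare the version against the vendor advisory yourself.
"""
import json
import re
from typing import Optional

# The two ways MediaWiki loads an extension. A plain `grep PandocUpload`
# also matches a commented-out line; stripping PHP comments first avoids that.
_LOAD_SINGLE = re.compile(r"""wfLoadExtension\s*\(\s*['"]PandocUpload['"]\s*\)""")
_LOAD_ARRAY = re.compile(r"wfLoadExtensions\s*\(\s*\[(?P<body>[^\]]*)\]\s*\)")
_NAME_IN_ARRAY = re.compile(r"""['"]PandocUpload['"]""")


def strip_php_comments(src: str) -> str:
    """Remove /* */, // and # comments from PHP source.

    Quoted strings are copied verbatim so a '#' or '//' inside a value
    (for example the scheme in $wgServer) is not mistaken for a comment.
    """
    out = []
    i, n = 0, len(src)
    while i < n:
        c = src[i]
        if c in ("'", '"'):                        # quoted string: copy as-is
            j = i + 1
            while j < n and src[j] != c:
                j += 2 if src[j] == "\\" else 1    # skip escaped characters
            out.append(src[i:j + 1])
            i = j + 1
        elif src.startswith("/*", i):              # block comment
            end = src.find("*/", i + 2)
            i = n if end == -1 else end + 2
        elif src.startswith("//", i) or c == "#":  # line comment, keep the newline
            end = src.find("\n", i)
            i = n if end == -1 else end
        else:
            out.append(c)
            i += 1
    return "".join(out)


def pandocupload_loaded(localsettings: str) -> bool:
    """True if LocalSettings.php actively loads PandocUpload."""
    code = strip_php_comments(localsettings)
    if _LOAD_SINGLE.search(code):
        return True
    return any(_NAME_IN_ARRAY.search(m.group("body"))
               for m in _LOAD_ARRAY.finditer(code))


def extension_version(extension_json: str) -> Optional[str]:
    """Version declared in extensions/PandocUpload/extension.json, if any."""
    try:
        return json.loads(extension_json).get("version")
    except (json.JSONDecodeError, AttributeError):
        return None


def assess(localsettings: str, extension_json: Optional[str]) -> str:
    """One-line verdict: not affected, or loaded with the version to compare."""
    if not pandocupload_loaded(localsettings):
        return "PandocUpload not loaded: CVE-2023-35333 does not apply"
    version = extension_version(extension_json) if extension_json else None
    return (f"PandocUpload loaded, declared version {version or 'unknown'}: "
            "compare against the fixed release in the vendor advisory")


# Constructed sample. A naive grep reports the extension as enabled because of
# the commented-out lines; the live load is the array form at the bottom.
SAMPLE_LOCALSETTINGS = r"""<?php
$wgServer = "https://wiki.example.org";   # '//' inside a string, not a comment
$wgEnableUploads = true;
// wfLoadExtension( 'PandocUpload' );      // disabled during incident
/* wfLoadExtensions( [ 'PandocUpload' ] ); */
wfLoadExtensions( [
    'Cite',
    'PandocUpload',
] );
"""
SAMPLE_EXTENSION_JSON = '{"name": "PandocUpload", "version": "0.1.0"}'  # constructed

if __name__ == "__main__":
    # Real use: pass the contents of LocalSettings.php and
    # extensions/PandocUpload/extension.json read from disk.
    print(assess(SAMPLE_LOCALSETTINGS, SAMPLE_EXTENSION_JSON))
```

Run it against the real files by reading LocalSettings.php and extensions/PandocUpload/extension.json from the wiki root; a "not loaded" verdict is the only result that means the CVE does not apply, and "loaded" still requires the version comparison against the advisory.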
📡 Detection & Monitoring
Log Indicators:
- POST requests that reference PandocUpload (the extension's upload page is served through index.php or api.php, not through the extensions/PandocUpload/ directory) from unexpected sources or without a referer on the wiki
- Uploads whose filenames or form parameters contain shell metacharacters (;, |, backticks, $( ))
- Child processes of the web server (php-fpm, apache2, httpd) other than the Pandoc converter, or Pandoc invocations with unexpected arguments
Network Indicators:
- HTTP requests containing shell commands or encoded payloads to upload endpoints
- Outbound connections from web server to unexpected destinations
SIEM Query (pseudo-syntax; adapt field names to your platform):
source="web_server" AND method="POST" AND uri CONTAINS "PandocUpload"
  AND (user_agent CONTAINS "curl" OR user_agent CONTAINS "wget" OR user_agent CONTAINS "python-requests")
Baseline legitimate PandocUpload POSTs first (browser user agents, referer on the wiki, known editors) and alert on deviations rather than on a fixed request size.