There's a recent security bug in ImageMagick (fixed with 7.0.1-7) that executed code from the upload (or target?) filename.
German article: http://www.heise.de/security/meldung/Luecke-in-ImageMagick-und-GraphicsMagick-ermoeglicht-erneute-Angriffe-3223811.html
Are there chances that MediaWiki is not affected? I have big time trouble upgrading IM on Ubuntu 14.04.
I disabled local upload for now.
MediaWiki is not made to work around bugs in third party software. No one will guarantee you that a malicious upload through MediaWiki definitely cannot trigger this vulnerability. Especially when specially crafted files are used, attackers may find ways to exploit an open vulnerability, maybe even if MediaWiki in the end does not allow their upload, so that the actual upload inside MediaWiki does not succeed.
The only right solution is to use a fixed version of ImageMagick!
Yes, of course. Chances could have been it renames the file before it is passed to IM. ;)
