Code review feedback from h00die

Author: Yorick Koster

documentation/modules/exploit/multi/http/mediawiki_syntaxhighlight.md

@@ -11,8 +11,31 @@
   5. optionally set `RPORT`, `SSL`, and `VHOST`
   6. `exploit`
   7. **Verify** a new Meterpreter session is started
+  
+## Options
+
+  **TARGETURI**
+
+  The MediaWiki base path, the URL path on which MediaWiki is exposed. This is normally `/mediawiki`, `/wiki`, or `/w`.
+
+  **UPLOADPATH**
+
+  Folder name where MediaWiki stores the uploads, make sure to use a relative path here. For a regular installation this is the `images` folder. This folder needs to be writable by MediaWiki and accessible from the web root. The exploit will try to create a PHP file in this location that will later be called through the web server.
+
+  **CLEANUP**
+
+  Set this to true (the default) to unlink the PHP file create by this exploit module. The cleanup code will only be called when the exploit is successful.
+
+  **USERNAME**
+
+  In case the wiki is configured as private, a read-only (or better) account is needed to exploit this issue. Provided the username of that account here.
+
+  **PASSWORD**
+
+  In case the wiki is configured as private, a read-only (or better) account is needed to exploit this issue. Provided the password of that account here.
 
 ## Sample Output
+### MediaWiki 1.27.1-2 on Ubuntu 16.10
 
 ```
 msf > use exploit/multi/http/mediawiki_syntaxhighlight 

modules/exploits/multi/http/mediawiki_syntaxhighlight.rb

@@ -14,6 +14,12 @@ def initialize(info = {})
         This module exploits an option injection vulnerability in the SyntaxHighlight
         extension of MediaWiki. It tries to create & execute a PHP file in the document root.
         The USERNAME & PASSWORD options are only needed if the Wiki is configured as private.
+
+        This vulnerability affects any MediaWiki installation with SyntaxHighlight version 2.0
+        installed & enabled. This extension ships with the AIO package of MediaWiki version
+        1.27.x & 1.28.x. This issue was supposed to be fixed in MediaWiki version 1.28.1
+        and version 1.27.2. It appears that the fix was pushed to the git repository, but
+        for some reason it was not included in the release packages.
       },
       'Author' => 'Yorick Koster',
       'License' => MSF_LICENSE,
@@ -130,8 +136,8 @@ def exploit
       fail_with(Failure::NoTarget, "#{peer}")
     end
 
-    phpfile = rand_text_alpha_lower(25) + '.php'
-    cssfile = datastore['UPLOADPATH'] + '/' + phpfile
+    phpfile = "#{rand_text_alpha_lower(25)}.php"
+    cssfile = "#{datastore['UPLOADPATH']}/#{phpfile}"
     cleanup = "unlink(\"#{phpfile}\");"
     if not datastore['CLEANUP']
       cleanup = ""