2021-12 security release/FAQ (Frequently Asked Questions)

A series of vulnerabilities have been found in MediaWiki that allow an attacker to leak page contents from private wikis and bypass edit permissions. The main vector for this wiki-leak is using vulnerable actions on pages that are listed in $wgWhitelistRead and therefore publicly accessible. MediaWiki now only makes the "view" action publicly accessible on pages in $wgWhitelistRead by default. These issues are fixed in 1.35.5, 1.36.3, and 1.37.1; see the announcement for links to tarballs and patches.

What are the issues?

  • CVE-2021-44858: The "undo" feature (action=edit&undo=##&undoafter=###) allowed an attacker to view the contents of arbitrary revisions, regardless of whether they had permissions to do so. This was also found in the "mcrundo" and "mcrrestore" actions (action=mcrundo and action=mcrrestore).
  • CVE-2021-45038: The "rollback" feature (action=rollback) could be passed a specially crafted parameter that allowed an attacker to view the contents of arbitrary pages, regardless of whether they had permissions to do so.
  • CVE-2021-44857: The "mcrundo" and "mcrrestore" actions (action=mcrundo and action=mcrrestore) did not properly check for editing permissions, and allowed an attacker to take the content of any arbitrary revision and save it on any page of their choosing. This affects both public wikis and public pages on private wikis.

I don't have time to patch, how do I disable this?

Add the following to your LocalSettings.php:

$wgActions['mcrundo'] = false;
$wgActions['mcrrestore'] = false;

If your wiki is private (requires login to view pages) you will also need to set:

$wgWhitelistRead = [];
$wgWhitelistReadRegexp = [];

This should fully disable the vulnerable code. These changes will also work for vulnerable end-of-life MediaWiki versions that do not have a patch available.

If you used $wgWhitelistRead to allow logged-out users to see the main page with help text, you should instead move that help text to the MediaWiki:Loginreqpagetext message, which is shown on the "login required" error.

Am I affected?

If you use an extension like Lockdown or Whitelist Pages to make some pages unreadable to some users, you are also likely affected.

Which versions are vulnerable?

All MediaWiki versions since 1.23.0 until 1.34.x, and 1.35.x, 1.36.x, 1.37.x before the fixes (see the top section), are vulnerable to the private wiki read permissions bypasses (CVE-2021-44858, CVE-2021-45038).

All MediaWiki versions since 1.32.0 until 1.34.x, and 1.35.x, 1.36.x, 1.37.x before the fixes (see the top section), are vulnerable to the editing permissions bypass (CVE-2021-44857).

How is this being fixed long-term?

All actions except "view" now require an explicit "read" user right. This is similar to permission checks used in the Action and REST APIs. If further vulnerabilities are found in actions, they will at least not be exploitable by logged-out users on private wikis.

Actions that need to be usable on $wgWhitelistRead pages can override the new Action::needsReadRight() function.

How can I check whether someone exploited this on my wiki?

Look for action=mcrundo or action=mcrrestore in your access logs. Unless you specifically enabled an extension that uses multi-content revisions, there is no legitimate use for these actions.

In addition, look for action=edit&undo=###&undoafter=### requests and check whether the revision IDs belong to a different title than the page being edited.

For the rollback bug, look for action=rollback&from=... where the "from" parameter is a template transclusion (for example, from={{:private page}}).

This bug does not cause any data loss, so any write actions an attacker could have taken will be recorded in page history like all other edits.
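
The access-log checks described above can be scripted. The following is an added example, not part of the original FAQ or of MediaWiki: it assumes logs in the Apache/nginx "combined" format and index.php?title=... style URLs, and the sample lines and the classify/scan function names are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines in "combined" log format (not real traffic).
SAMPLE_LOG = """\
198.51.100.7 - - [20/Dec/2021:10:01:02 +0000] "GET /index.php?title=Main_Page&action=mcrundo&undo=120&undoafter=119 HTTP/1.1" 200 5120 "-" "curl/7.79"
198.51.100.7 - - [20/Dec/2021:10:01:09 +0000] "GET /index.php?title=Main_Page&action=edit&undo=341&undoafter=340 HTTP/1.1" 200 8111 "-" "curl/7.79"
198.51.100.7 - - [20/Dec/2021:10:01:15 +0000] "GET /index.php?title=Main_Page&action=rollback&from=%7B%7B%3APrivate_page%7D%7D HTTP/1.1" 200 2048 "-" "curl/7.79"
203.0.113.5 - - [20/Dec/2021:10:02:00 +0000] "GET /index.php?title=Main_Page&action=history HTTP/1.1" 200 900 "-" "Mozilla/5.0"
203.0.113.5 - - [20/Dec/2021:10:02:30 +0000] "GET /index.php?title=Help&action=rollback&from=Alice&token=abc HTTP/1.1" 200 900 "-" "Mozilla/5.0"
"""

REQUEST_RE = re.compile(r'^(\S+) .*?"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

def classify(line):
    """Return (client, reason, detail) for a request worth reviewing, else None."""
    m = REQUEST_RE.match(line)
    if not m:
        return None
    client, target = m.groups()
    q = {k: v[-1] for k, v in parse_qs(urlsplit(target).query, keep_blank_values=True).items()}
    action = q.get("action", "view")
    title = q.get("title", "")
    if action in ("mcrundo", "mcrrestore"):
        return (client, action, title)
    if action == "edit" and "undo" in q and "undoafter" in q:
        # The log cannot show which title a revision ID belongs to; check that separately.
        return (client, "edit-undo", f"{title} undo={q['undo']} undoafter={q['undoafter']}")
    if action == "rollback" and "{{" in q.get("from", ""):
        return (client, "rollback-transclusion", f"{title} from={q['from']}")
    return None

def scan(lines):
    return [hit for hit in map(classify, lines) if hit]

if __name__ == "__main__":
    for client, reason, detail in scan(SAMPLE_LOG.splitlines()):
        print(f"{client}\t{reason}\t{detail}")
```

Parameters sent in a POST body do not appear in access logs, so this only covers requests that carry them in the query string. The "edit-undo" hits are candidates only: each revision ID still has to be compared against the title being edited.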


The issue was discovered by Dylsss; many thanks to them for identifying and reporting the issue. If you find a bug in MediaWiki, please see the process for reporting security bugs.