2021-12 security release/FAQ/nl

A series of vulnerabilities have been found in MediaWiki that allow an attacker to leak page contents from private wikis and bypass edit permissions. The main vector for this leak used vulnerable actions on pages that are listed in  and are therefore publicly readable. MediaWiki now by default makes only the "view" action available for pages in . The issues are fixed in 1.35.5, 1.36.3, and 1.37.1; see the announcement for links to tarballs and patches.

What are the issues?

 * CVE-2021-44858: The "undo" feature allowed an attacker to view the contents of arbitrary revisions, regardless of whether they had permissions to do so. This was also found in the "mcrundo" and "mcrrestore" actions (  and  ).
 * CVE-2021-45038: The "rollback" feature could be passed a specially crafted parameter that allowed an attacker to view the contents of arbitrary pages, regardless of whether they had permissions to do so.
 * CVE-2021-44857: The "mcrundo" and "mcrrestore" actions ( and  ) did not properly check for editing permissions, and allowed an attacker to take the content of any arbitrary revision and save it on any page of their choosing. This affects both public wikis and public pages on private wikis.

I have no time to patch right now, how do I disable this?
Add the following to your LocalSettings.php:

If your wiki can only be read after logging in (a private wiki), you must also set:

This should fully disable the vulnerable code. These changes also work for vulnerable end-of-life MediaWiki versions for which no patch is available.

If you used to allow logged-out users to see the main page with help text, you should instead move that help text to the MediaWiki:Loginreqpagetext message, which is shown on the "login required" error.

Is my wiki affected?

 * If your wiki is public (anyone can read pages): yes
 * If your wiki is private, and or  has at least one page: yes

If you use an extension like or  to make some pages unreadable to some users, you are also likely affected.

Which versions are vulnerable?
All MediaWiki versions from 1.23.0 onward are vulnerable to the private-wiki read-permission bypasses (CVE-2021-44858, CVE-2021-45038).

All MediaWiki versions from 1.32.0 onward are vulnerable to the edit-permission bypass (CVE-2021-44857).

How is this ultimately fixed?
All actions except "view" now require an explicit "read" user right. This is similar to the permission checks already used in the Action API and the REST API. If further vulnerabilities are found in actions, they will at least not be exploitable by logged-out users on private wikis.

Actions that need to be usable on pages can override the new  function.

How can I tell whether someone used this on my wiki?
Look for  or   in your access logs. Unless you specifically enabled an extension that uses multi-content revisions, there is no legitimate use for these actions.

In addition, look for  requests and check whether the revision IDs belong to a different title than the page being edited.

For the rollback bug, look for  where the "from" parameter is a template transclusion (for example,  ).

These bugs do not cause any data loss, so any write an attacker could have made through the edit-permission bypass is recorded in the page history like any other edit.
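As an added example that is not part of the original FAQ, the following Python script applies those three log checks to a web-server access log in Apache combined format. It assumes MediaWiki's standard URL form index.php?title=...&action=..., that the undone revision ID travels in the edit action's undo parameter and the rollback target in its from parameter, and it uses a small constructed map from revision ID to page title in place of a lookup in the wiki's revision table. The log lines are constructed, not real traffic.

```python
"""Flag access-log requests matching the three patterns from the FAQ:
mcrundo/mcrrestore actions, undo of a revision from another page, and
rollback whose "from" value is a template transclusion."""
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample log (Apache combined format); not real traffic.
SAMPLE_LOG = """\
198.51.100.7 - - [10/Dec/2021:10:00:01 +0000] "GET /index.php?title=Main_Page&action=view HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Dec/2021:10:00:05 +0000] "GET /index.php?title=Main_Page&action=mcrundo&undo=42 HTTP/1.1" 200 4110 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Dec/2021:10:00:09 +0000] "GET /index.php?title=Main_Page&action=mcrrestore HTTP/1.1" 200 4110 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Dec/2021:10:00:12 +0000] "GET /index.php?title=Main_Page&action=edit&undo=42 HTTP/1.1" 200 7300 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Dec/2021:10:01:00 +0000] "GET /index.php?title=Help:Contents&action=edit&undo=17 HTTP/1.1" 200 7300 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Dec/2021:10:02:30 +0000] "GET /index.php?title=Main_Page&action=rollback&from=%7B%7B%3ASecret%7D%7D&token=abc HTTP/1.1" 200 3000 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Dec/2021:10:03:00 +0000] "GET /index.php?title=Main_Page&action=rollback&from=Alice&token=abc HTTP/1.1" 200 3000 "-" "Mozilla/5.0"
"""

# Constructed stand-in for the revision table: revision ID -> page title.
# On a real wiki, query the revision/page tables instead.
REV_TITLES = {42: "Secret_page", 17: "Help:Contents"}

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)(?: HTTP/[\d.]+)?" (?P<status>\d{3})'
)

# Only a multi-content-revision extension has a legitimate use for these.
MCR_ACTIONS = {"mcrundo", "mcrrestore"}


def parse_line(line):
    """Return ip/timestamp/method/target/status plus decoded query params."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = {k: m[k] for k in ("ip", "ts", "method", "target", "status")}
    # parse_qs percent-decodes values, so %7B%7B becomes {{ ; keep first value
    rec["params"] = {k: v[0] for k, v in parse_qs(urlsplit(m["target"]).query).items()}
    return rec


def find_suspicious(log_text, rev_titles):
    """Return (line_no, reason, ip, title, detail) for each matching request."""
    findings = []
    for line_no, line in enumerate(log_text.splitlines(), 1):
        rec = parse_line(line)
        if rec is None:
            continue
        p = rec["params"]
        action = p.get("action", "view")
        title = p.get("title")
        if action in MCR_ACTIONS:
            findings.append((line_no, "mcr-action", rec["ip"], title, action))
        elif action == "edit" and "undo" in p:
            try:
                rev = int(p["undo"])
            except ValueError:
                continue  # not a revision ID; MediaWiki would reject it too
            owner = rev_titles.get(rev)
            if owner is not None and owner != title:
                findings.append((line_no, "undo-cross-title", rec["ip"], title,
                                 f"rev {rev} belongs to {owner}"))
        elif action == "rollback" and "{{" in p.get("from", ""):
            findings.append((line_no, "rollback-transclusion", rec["ip"], title, p["from"]))
    return findings


if __name__ == "__main__":
    for f in find_suspicious(SAMPLE_LOG, REV_TITLES):
        print("line %d: %s from %s on %s (%s)" % f)
```

Run against a real log, replace REV_TITLES with a lookup of rev_page joined to page_title, and treat every mcr-action hit as worth investigating unless you knowingly run an extension that uses multi-content revisions.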

Thanks
The issue was discovered by Dylsss, many thanks to them for identifying and reporting the issue. If you find a bug in MediaWiki, please see the process for reporting security bugs.