CVE-2017-0371
📋 TL;DR
This vulnerability allows remote attackers to discover the IP addresses of Wiki visitors through a CSS injection attack. Attackers can embed malicious CSS in wiki pages that forces visitors' browsers to make requests to attacker-controlled URLs, revealing their IP addresses. Affects MediaWiki installations before specific patched versions.
💻 Affected Systems
- MediaWiki
📦 What is this software?
Mediawiki by Mediawiki
⚠️ Risk & Real-World Impact
Worst Case
Mass IP address collection of all wiki visitors, enabling targeted attacks, profiling, or deanonymization of users.
Likely Case
Limited IP address leakage of users viewing specific malicious pages, potentially compromising user privacy.
If Mitigated
No IP leakage if proper input sanitization and Content Security Policy are implemented.
🎯 Exploit Status
Requires ability to edit wiki pages with CSS injection, but exploit is simple once access is obtained.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.23.16, 1.27.2, 1.28.1
Vendor Advisory: https://phabricator.wikimedia.org/T140591
Restart Required: No
Instructions:
1. Back up your MediaWiki installation.
2. Download and install the patched version from mediawiki.org.
3. Run update.php if database schema changes are needed.
🔧 Temporary Workarounds
Restrict CSS in user content
Disable or sanitize CSS attributes in user-editable content to prevent style attribute injection.
Modify LocalSettings.php to add $wgRawHtml = false; and implement HTML sanitization
Implement Content Security Policy
Add CSP headers to restrict background-image URLs to trusted sources only.
Add to web server config: Header set Content-Security-Policy "default-src 'self'; img-src 'self'"
For Apache: Header always set Content-Security-Policy "default-src 'self'; img-src 'self'"
🧯 If You Can't Patch
- Implement strict input validation to block CSS injection in user content
- Deploy WAF rules to detect and block malicious CSS patterns
🔍 How to Verify
Check if Vulnerable:
Check MediaWiki version via Special:Version page or by examining includes/DefaultSettings.php for $wgVersion
Check Version:
grep 'wgVersion' includes/DefaultSettings.php
Verify Fix Applied:
Verify version is 1.23.16+, 1.27.2+, or 1.28.1+ and test that CSS injection no longer triggers external requests
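The version check above, as an added example that is not part of the original page or of MediaWiki: a shell script that reads $wgVersion and compares it, per release branch, with the fixed versions listed here. Reporting 1.24 to 1.26 as "unlisted" is an assumption, since the page names no fixed release for those branches; the function names and the sample file are constructed.

```shell
#!/bin/sh
# Added example (not MediaWiki code): compare $wgVersion with the fixed
# releases listed on this page: 1.23.16, 1.27.2, 1.28.1.

# Pull the version string out of a DefaultSettings.php-style file.
mw_version_from_file() {
    sed -n "s/^[[:space:]]*[\$]wgVersion[[:space:]]*=[[:space:]]*['\"]\([^'\"]*\)['\"].*/\1/p" "$1" | head -n 1
}

# Print patched, vulnerable, unlisted or invalid for a version like 1.27.1.
mw_cve_2017_0371_status() {
    ver=${1%%[-+]*}                      # drop suffixes such as -rc.1
    case "$ver" in [0-9]*.[0-9]*) ;; *) echo invalid; return 2 ;; esac
    major=${ver%%.*}; rest=${ver#*.}; minor=${rest%%.*}
    case "$rest" in *.*) patch=${rest#*.}; patch=${patch%%.*} ;; *) patch=0 ;; esac
    for n in "$major" "$minor" "$patch"; do
        case "$n" in ''|*[!0-9]*) echo invalid; return 2 ;; esac
    done
    [ "$major" -gt 1 ] && { echo patched; return 0; }
    [ "$major" -lt 1 ] && { echo vulnerable; return 1; }
    case "$minor" in
        23) fixed=16 ;;
        27) fixed=2 ;;
        28) fixed=1 ;;
        *)  # Assumption: the page names no fixed release for 1.24-1.26,
            # so those branches are reported as unlisted, not as patched.
            if [ "$minor" -lt 23 ]; then echo vulnerable; return 1; fi
            if [ "$minor" -gt 28 ]; then echo patched; return 0; fi
            echo unlisted; return 3 ;;
    esac
    if [ "$patch" -ge "$fixed" ]; then echo patched; return 0; fi
    echo vulnerable; return 1
}

# Constructed sample input standing in for includes/DefaultSettings.php.
sample=$(mktemp)
printf '%s\n' '<?php' "\$wgVersion = '1.27.1';" > "$sample"
found=$(mw_version_from_file "$sample")
echo "$found: $(mw_cve_2017_0371_status "$found")"
rm -f "$sample"
```

The function's exit status (0 patched, 1 vulnerable, 2 invalid, 3 unlisted) lets the check be used directly in an inventory or CI job.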
📡 Detection & Monitoring
Log Indicators:
- Unusual external image requests from wiki pages
- CSS injection patterns in page edit logs
Network Indicators:
- HTTP requests to suspicious domains triggered by wiki page views
- Unusual outbound connections on page load
SIEM Query:
source="web_server_logs" AND (uri="*background-image*" OR uri="*attr(title*" OR user_agent CONTAINS "MediaWiki") AND dest_ip NOT IN trusted_networks