CVE-2020-29004
📋 TL;DR
This CSRF vulnerability in MediaWiki's Push extension allows attackers to perform unauthorized API actions by tricking authenticated users into visiting malicious web pages. It affects MediaWiki installations with the Push extension enabled. The vulnerability stems from missing edit token validation in the API endpoint.
💻 Affected Systems
- MediaWiki with Push extension
📦 What is this software?
MediaWiki (vendor: MediaWiki). Push is an optional MediaWiki extension that pushes wiki pages, and optionally their files, from one MediaWiki instance to another through the API.
⚠️ Risk & Real-World Impact
Worst Case
Attackers could push malicious content to MediaWiki instances, modify configurations, or perform administrative actions without authorization, potentially compromising the entire wiki.
Likely Case
Unauthorized content modification, configuration changes, or data manipulation through the Push API by leveraging authenticated user sessions.
If Mitigated
With proper CSRF protections and edit token validation, the API would reject unauthorized requests, limiting impact to legitimate authenticated actions only.
🎯 Exploit Status
Exploitation requires tricking an authenticated user into visiting a malicious page. The vulnerability is straightforward to exploit once the attack vector is understood.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: MediaWiki 1.35.1 or later with updated Push extension
Vendor Advisory: https://phabricator.wikimedia.org/T262724
Restart Required: No
Instructions:
1. Update MediaWiki to version 1.35.1 or later.
2. Update the Push extension to the patched version.
3. Verify that edit token validation is now required in ApiPushBase.php.
🔧 Temporary Workarounds
Disable Push Extension
Temporarily disable the vulnerable Push extension until patching is possible.
Remove or comment out the line wfLoadExtension( 'Push' ); in LocalSettings.php.
Implement CSRF Protection
Add custom CSRF protection middleware or validation in front of the API endpoint.
🧯 If You Can't Patch
- Restrict access to the MediaWiki instance using network controls or authentication gateways
- Implement web application firewall rules to detect and block CSRF attempts
🔍 How to Verify
Check if Vulnerable:
Check whether the MediaWiki version is 1.35 or earlier and the Push extension is enabled (Special:Version lists the installed version and the loaded extensions). Review ApiPushBase.php for missing edit token validation.
Check Version:
php maintenance/version.php
(On MediaWiki 1.40 and later the same script can also be started with php maintenance/run.php version.)
Verify Fix Applied:
Verify that edit token validation is now required in ApiPushBase.php, and test that API calls to the Push modules fail without a valid edit token.
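To carry out the "test that API calls fail without a valid token" step, here is an added Python probe (not from this advisory or the Push extension). It assumes the wiki's endpoint is api.php, that the Push module is addressed as action=push, and that the module's own required parameters are supplied so that the token is the only thing missing; badtoken, mustbeposted and missingparam are MediaWiki's standard API error codes, emitted before a token-protected module runs.

```python
"""Probe a MediaWiki API module for CSRF (edit) token enforcement.

Posts the given action WITHOUT a token and inspects the reply.  A module
that enforces tokens is refused by ApiMain before it runs, so the reply
carries a token-related error code instead of a result.
"""
import json
import sys
import urllib.parse
import urllib.request

# Error codes ApiMain emits when a token-protected module is called wrongly.
TOKEN_ERROR_CODES = {"badtoken", "mustbeposted"}


def token_enforced(api_response: dict) -> bool:
    """Return True if the reply shows the module refused to run for want of a token."""
    error = api_response.get("error") or {}
    code = error.get("code", "")
    if code == "missingparam":
        # Only a missing *token* counts; a missing 'page' etc. proves nothing.
        return "token" in error.get("info", "").lower()
    return code in TOKEN_ERROR_CODES


def probe(api_url: str, action: str, extra_params: dict) -> dict:
    """POST `action` with its own parameters but no token; return decoded JSON."""
    params = {"action": action, "format": "json", **extra_params}
    body = urllib.parse.urlencode(params).encode()
    req = urllib.request.Request(api_url, data=body, method="POST")
    with urllib.request.urlopen(req, timeout=15) as resp:
        return json.load(resp)


if __name__ == "__main__":
    # Assumed values: the wiki URL and the Push module's own required
    # parameters (take them from action=help&modules=push on your wiki).
    url = sys.argv[1] if len(sys.argv) > 1 else "https://wiki.example.org/w/api.php"
    push_params = {"page": "Main Page", "targets": "https://target.example.org/w/api.php"}
    reply = probe(url, "push", push_params)
    verdict = "token enforced" if token_enforced(reply) else "token NOT enforced"
    print(verdict, json.dumps(reply.get("error")))
```

Run it unauthenticated against a staging copy first; a "token NOT enforced" verdict, or any reply other than a token error, means the module was allowed to proceed.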
📡 Detection & Monitoring
Log Indicators:
- API calls to Push endpoints without edit tokens
- Unusual push activity from unexpected sources
Network Indicators:
- HTTP POST requests to Push API endpoints without CSRF tokens
- Requests with missing or invalid edit tokens
SIEM Query (illustrative; the source name and the field names must be mapped to your own log pipeline, and note that the MediaWiki API parameter is named token):
source="mediawiki.log" AND "ApiPush" AND NOT "edit_token"
🔗 References
- https://gerrit.wikimedia.org/r/c/mediawiki/extensions/Push/+/625988
- https://gerrit.wikimedia.org/r/c/mediawiki/extensions/Push/+/625988/10/src/api/ApiPushBase.php
- https://phabricator.wikimedia.org/T262724