CVE-2020-35475
📋 TL;DR
A stored cross-site scripting (XSS) flaw in MediaWiki's Special:UserRights page. The interface messages userrights-expiry-current and userrights-expiry-none were inserted into the page as raw HTML instead of being escaped, so anyone who can edit those messages (pages in the MediaWiki: namespace, which needs the editinterface right) can plant script in them. The script fires in the browser of a user who opens Special:UserRights while holding rights to change some but not all groups: per the advisory, the expiry text is rendered only alongside the groups that viewer cannot change, so a viewer with the full userrights permission never sees it. Affects MediaWiki before 1.35.1 (the 1.31 LTS branch is fixed in 1.31.11).
💻 Affected Systems
- MediaWiki before 1.35.1 (1.31 LTS before 1.31.11)
📦 What is this software?
MediaWiki, the wiki engine from the Wikimedia Foundation. Distribution packages (Fedora, Debian) ship their own backported fixes; see the vendor notices under References.
⚠️ Risk & Real-World Impact
Worst Case
Script placed in the message runs in the victim's browser within the wiki's origin, so it can act as the victim: read the edit/CSRF token from the page and submit user-rights changes the victim is allowed to make (escalation into groups the attacker could not assign), edit pages, or redirect the user. With $wgCookieHttpOnly on (the default) session cookies are not readable by script, so actions performed silently in the victim's session are the more realistic outcome than outright cookie theft.
Likely Case
An attacker who can edit the MediaWiki: namespace (editinterface, held by default only by administrators and interface administrators) rewrites MediaWiki:Userrights-expiry-current or MediaWiki:Userrights-expiry-none to include script. It executes for every user who opens Special:UserRights with delegated (partial) group-management rights, giving the attacker those users' group-management ability and session actions. Because the precondition is an already privileged account, the realistic scenario is a compromised or rogue interface editor widening its reach rather than an anonymous attack.
If Mitigated
Once the two messages are escaped (the fix) or group management is no longer split across groups (the workaround), stored content in those messages is rendered as inert text. What remains is that an editinterface holder can still alter the wording, which is at worst a misleading or defaced UI, not code execution.
🎯 Exploit Status
Exploitation needs two accounts in the picture: an attacker who can edit pages in the MediaWiki: namespace (the editinterface right) to change userrights-expiry-current or userrights-expiry-none, and a victim who can open Special:UserRights but cannot change every group, so that unchangeable groups and their expiry text are rendered. No user interaction beyond viewing the page is required; users holding the full userrights permission are not exposed because no unchangeable-group rows are drawn for them.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.35.1 (1.31.11 on the 1.31 LTS branch)
Vendor Advisory: https://lists.wikimedia.org/pipermail/mediawiki-announce/2020-December/000268.html
Restart Required: No for a plain PHP deployment. If opcache runs with opcache.validate_timestamps=0, reload PHP-FPM or the web server so the patched files are actually loaded.
Instructions:
1. Back up the MediaWiki tree and the database.
2. Download MediaWiki 1.35.1 or later (or 1.31.11 for the LTS branch) from https://releases.wikimedia.org/mediawiki/.
3. Unpack it over the existing installation, keeping LocalSettings.php, the images/ directory and any extensions or skins that are not bundled with the tarball.
4. Run php maintenance/update.php, then confirm the new version on Special:Version.
5. On distribution packages (Debian, Fedora), install the vendor update listed under References instead of the upstream tarball.
🔧 Temporary Workarounds
Restrict Special:UserRights Access
The vulnerable expiry text is only rendered for viewers who can change some groups but not all of them, so the goal is to remove partial delegation, not to hand out the full userrights permission more widely. Keep Special:UserRights in the hands of the few users who must have it and, in LocalSettings.php, clear the settings that let a group manage a subset of groups:
$wgAddGroups = []; $wgRemoveGroups = []; $wgGroupsAddToSelf = []; $wgGroupsRemoveFromSelf = [];
With these empty, only holders of the full userrights permission (bureaucrats by default) can use the page, and for them no unchangeable-group rows are drawn. Also keep editinterface (the right to edit MediaWiki:Userrights-expiry-current and MediaWiki:Userrights-expiry-none) restricted to trusted accounts, since that is the attacker's precondition.
Backport the Output Escaping Fix
If patching is not immediately possible, apply the upstream change from T268917 to includes/specials/SpecialUserrights.php (note the lowercase r): the expiry text built from userrights-expiry-current and userrights-expiry-none must be HTML-escaped before it is embedded in the page, i.e. render the messages with ->escaped() instead of ->text(), or pass the result through htmlspecialchars(). Record the hand edit so it is not silently lost on the next upgrade.
🧯 If You Can't Patch
- Keep the set of users who can edit the MediaWiki: namespace (editinterface) and the set who can use Special:UserRights as small as possible, and remove partial group delegation ($wgAddGroups, $wgRemoveGroups) so the vulnerable expiry rows are never rendered
- A WAF only sees the payload in the attacker's edit request to MediaWiki:Userrights-expiry-current or MediaWiki:Userrights-expiry-none (index.php action=submit, or api.php action=edit), never in the victim's request to Special:UserRights; a rule that rejects markup in edits to those two titles is a narrow stopgap that a transcluded template can sidestep, so treat it as a detection signal rather than protection
🔍 How to Verify
Check if Vulnerable:
Check the MediaWiki version on Special:Version, or in the source tree: MW_VERSION is defined in includes/Defines.php from 1.35 on, and $wgVersion in includes/DefaultSettings.php on 1.34 and earlier. Any release earlier than 1.35.1 is vulnerable, except 1.31.11 and later on the LTS branch. Also compare the two messages against their defaults on Special:AllMessages: customised content containing tags, javascript: URLs or on*= handlers means the condition has already been planted.
Check Version:
php maintenance/version.php
grep -E "MW_VERSION|wgVersion" includes/Defines.php includes/DefaultSettings.php
curl -s 'https://wiki.example.org/api.php?action=query&meta=siteinfo&siprop=general&format=json' (the generator field carries the version; replace the host with your wiki)
Verify Fix Applied:
After upgrading, confirm 1.35.1 or later (1.31.11 or later on LTS) on Special:Version. To test the fix itself rather than the version string, temporarily put a harmless marker such as <b>test</b> into MediaWiki:Userrights-expiry-none, open Special:UserRights for a user with an expiring group while logged in as an account with partial group rights, and check that the tag appears literally rather than as bold text; then restore the default message.
📡 Detection & Monitoring
Log Indicators:
- Edits to MediaWiki:Userrights-expiry-current or MediaWiki:Userrights-expiry-none (namespace 8) in Special:RecentChanges or the page history, especially by accounts that do not normally touch interface messages
- Current content of those two pages that differs from the default text and contains tags, javascript: URLs or on*= handlers (compare on Special:AllMessages)
- Group changes in the rights log (Special:Log/rights) made by a user with delegated group management shortly after such an edit
Network Indicators:
- The payload is stored, so it travels in the attacker's edit (POST to index.php?title=MediaWiki:Userrights-expiry-...&action=submit, or api.php action=edit), not in the victim's request to Special:UserRights
- Requests to Special:UserRights or api.php?action=userrights issued immediately after a page load of Special:UserRights from the same session, without a form submission by the user
SIEM Query:
source="mediawiki.log" AND ("MediaWiki:Userrights-expiry-current" OR "MediaWiki:Userrights-expiry-none") AND ("action=submit" OR "action=edit")
(Splunk-style; the source name and field layout depend on how your web and MediaWiki logs are ingested, so adjust them to your deployment. Matching on "script" or "onerror" in requests to Special:UserRights finds nothing here, because the victim's request carries no payload.)
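The checks described above, the version gate from How to Verify and the interface-message and edit-history checks from Detection & Monitoring, as one runnable script. This is an added example written for this page, not MediaWiki code or an official tool. It consumes the JSON shapes returned by the action API queries meta=siteinfo&siprop=general, meta=allmessages&ammessages=userrights-expiry-current|userrights-expiry-none and list=recentchanges&rcnamespace=8, but the responses embedded below are constructed samples so it runs offline; fetching live responses is left to the caller. The fixed versions come from the vendor advisory (1.35.1; 1.31.11 on the LTS branch), and treating every other branch as unfixed is this script's own conservative assumption.

```python
"""Offline exposure and detection check for CVE-2020-35475 (added example,
not MediaWiki code). Input shapes follow the MediaWiki action API; the sample
responses at the bottom are constructed for this page."""
import re

# Releases carrying the fix, keyed by minor series (from the vendor advisory).
# Assumption: any other 1.x series (e.g. the EOL 1.34 line) never got the fix.
FIXED_IN = {35: (1, 35, 1), 31: (1, 31, 11)}

# The two interface messages the advisory names (MediaWiki: namespace, ns 8).
WATCHED_PAGES = {
    "MediaWiki:Userrights-expiry-current",
    "MediaWiki:Userrights-expiry-none",
}

# Crude markers for raw HTML or script in text that should be plain.
HTML_RE = re.compile(r"<\s*/?[a-z]|javascript\s*:|\bon[a-z]+\s*=", re.IGNORECASE)


def parse_mw_version(generator):
    """'MediaWiki 1.35.0-wmf.3' -> (1, 35, 0); raises if no version is present."""
    m = re.search(r"(\d+)\.(\d+)(?:\.(\d+))?", generator)
    if not m:
        raise ValueError(f"no version found in {generator!r}")
    return tuple(int(x or 0) for x in m.groups())


def is_fixed(version):
    """True if this (major, minor, patch) tuple contains the fix."""
    major, minor, _patch = version
    if (major, minor) > (1, 35):
        return True  # released after the fix landed on master
    fixed = FIXED_IN.get(minor) if major == 1 else None
    return fixed is not None and version >= fixed


def message_has_html(text):
    """Flag interface-message content that carries raw HTML or script."""
    return bool(HTML_RE.search(text))


def audit(siteinfo, allmessages, recentchanges):
    """Return findings (strings) from the three decoded API responses."""
    findings = []
    generator = siteinfo["query"]["general"]["generator"]
    if not is_fixed(parse_mw_version(generator)):
        findings.append(f"unfixed version {generator}")
    # Planted condition: the message pages already contain markup.
    for msg in allmessages["query"]["allmessages"]:
        if message_has_html(msg.get("content", "")):
            findings.append(f"raw HTML in message {msg['name']}")
    # Log indicator: anyone touching the two message pages.
    for rc in recentchanges["query"]["recentchanges"]:
        if rc.get("ns") == 8 and rc.get("title") in WATCHED_PAGES:
            findings.append(
                f"edit to {rc['title']} by {rc.get('user')} at {rc.get('timestamp')}"
            )
    return findings


# Constructed sample responses (shapes follow the MediaWiki action API).
SAMPLE_SITEINFO = {"query": {"general": {"generator": "MediaWiki 1.35.0"}}}
SAMPLE_MESSAGES = {"query": {"allmessages": [
    {"name": "userrights-expiry-current",
     "content": 'Current expiry: $1<img src=x onerror="alert(document.cookie)">'},
    {"name": "userrights-expiry-none", "content": "None"},
]}}
SAMPLE_RC = {"query": {"recentchanges": [
    {"ns": 8, "title": "MediaWiki:Userrights-expiry-current",
     "user": "Mallory", "timestamp": "2020-12-01T10:15:00Z"},
    {"ns": 0, "title": "Main Page", "user": "Alice",
     "timestamp": "2020-12-01T10:20:00Z"},
]}}

if __name__ == "__main__":
    for line in audit(SAMPLE_SITEINFO, SAMPLE_MESSAGES, SAMPLE_RC):
        print("FINDING:", line)
```

On a live wiki, replace the three sample dictionaries with the decoded JSON of the corresponding API calls (format=json); the default message texts carry no markup, so any HTML_RE hit on these two messages is worth a look even on a patched wiki, since it shows someone tried.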
🔗 References
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/STT5Z4A3BCXVH3WIPICWU2FP4IPIMUPC/
- https://lists.wikimedia.org/pipermail/mediawiki-announce/2020-December/000268.html
- https://phabricator.wikimedia.org/T268917
- https://www.debian.org/security/2020/dsa-4816