CVE-2020-35623
📋 TL;DR
The CasAuth extension for MediaWiki allows user impersonation through trivial manipulation of the username asserted by the CAS single sign-on server: inserting bidirectional override symbols or blank spaces produces a name that looks different to the CAS side but is treated as an existing account once MediaWiki normalizes it. An ordinary user whose CAS username differs from a bureaucrat's only by such characters can therefore log in as that bureaucrat and inherit its privileges. All MediaWiki installations running the CasAuth extension without the fix from pull request #11 are affected.
💻 Affected Systems
- MediaWiki installations that authenticate through the CasAuth extension (any CasAuth version without the fix from pull request #11)
📦 What is this software?
MediaWiki is the wiki engine developed by the Wikimedia Foundation. CasAuth is a third-party MediaWiki extension that delegates login to a CAS (Central Authentication Service) single sign-on server and maps the username returned by CAS onto a local wiki account; the flaw lies in that mapping, not in MediaWiki core.
⚠️ Risk & Real-World Impact
Worst Case
An attacker could impersonate any existing account whose username they can mimic with inserted bidirectional controls or blank spaces, including administrators and bureaucrats, and so gain full control of the MediaWiki instance: editing and deleting content, changing user rights and group membership, and reading restricted pages or user data.
Likely Case
An attacker who holds an ordinary CAS account impersonates a bureaucrat or administrator to gain elevated privileges, modify pages, change other users' permissions, or read restricted content. Because the attacker authenticates to CAS with their own credentials, the target account's own password or second factor is never challenged.
If Mitigated
With strict username policies on the CAS side, audit logging of logins, and monitoring for lookalike usernames, impact is limited to unauthorized use of specific accounts that can be detected and remediated quickly.
🎯 Exploit Status
Exploitation requires only an ordinary account on the CAS server that CasAuth trusts (the attacker must be able to log in through CasAuth) and consists of trivial character manipulation of the username; no special tooling is needed. A proof of concept is described in the public references linked below.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: CasAuth extension with fix from pull request #11
Vendor Advisory: https://phabricator.wikimedia.org/T263498
Restart Required: No
Instructions:
1. Update the CasAuth extension to a version that includes the fix from GitHub pull request #11.
2. If you cannot update the whole extension, apply the patch from that pull request, which adds proper validation of the username received from CAS.
3. No MediaWiki restart is required, since extension code is PHP loaded per request; clear MediaWiki's caches afterwards, and if PHP opcache is configured not to revalidate file timestamps, reset it so the patched files are actually loaded.
🔧 Temporary Workarounds
Disable CasAuth Extension
Temporarily disable the vulnerable CasAuth extension until it is patched. Note that this disables CAS single sign-on entirely, so users need working local MediaWiki accounts in the meantime.
Edit LocalSettings.php and comment out or remove the line wfLoadExtension('CasAuth');
Implement Additional Authentication Checks
Add custom validation that rejects usernames containing bidirectional override symbols, other invisible control or format characters, and any whitespace other than a single plain space between words.
Add this validation in the authentication hooks, applied to the username returned by the CAS server before it is resolved to a local account: refuse any name that is not already in canonical form rather than silently normalizing it onto an existing account.
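The validation step this workaround calls for, modelled in Python as an added example (it is not CasAuth or MediaWiki code; a real deployment would apply the same policy inside the PHP authentication hook). The canonicalization routine is an assumed approximation of what MediaWiki does to a username (strip bidi controls, fold whitespace and underscores to one space, trim, capitalize the first letter), written here so the example runs stand-alone; the policy it enforces is that a name which only becomes "Admin" after normalization is refused instead of being resolved to the existing Admin account.

```python
from __future__ import annotations

import re
import unicodedata

# Unicode bidirectional control characters: marks, embeddings, overrides and
# isolates. U+202A..U+202E are the override/embedding set; the rest are the
# same class of invisible directional controls and are treated identically.
BIDI_CONTROLS = frozenset(
    "\u200e\u200f\u202a\u202b\u202c\u202d\u202e\u2066\u2067\u2068\u2069"
)

# Whitespace-like code points folded to a single space. Assumed approximation
# of MediaWiki's title normalization; the authoritative list is in MediaWiki core.
_WS_RUN = re.compile(
    r"[ _\t\r\n\u00a0\u1680\u2000-\u200a\u2028\u2029\u202f\u205f\u3000]+"
)


def mw_canonical_name(raw: str) -> str:
    """Model of MediaWiki username canonicalization: drop bidi controls,
    collapse whitespace and underscores to one space, trim, capitalize."""
    s = "".join(ch for ch in raw if ch not in BIDI_CONTROLS)
    s = _WS_RUN.sub(" ", s).strip(" ")
    return s[:1].upper() + s[1:]


def suspicious_codepoints(raw: str) -> list[str]:
    """Code points that should never occur in an SSO-asserted username:
    bidi controls, control/format characters, whitespace other than a space."""
    hits = []
    for ch in raw:
        if (ch in BIDI_CONTROLS
                or unicodedata.category(ch) in ("Cc", "Cf")
                or (ch != " " and ch.isspace())):
            hits.append(f"U+{ord(ch):04X}")
    return hits


def accept_sso_username(raw: str) -> tuple[bool, str, str]:
    """Decide whether the name the CAS server asserted may be mapped onto a
    local account. Returns (accepted, canonical_name, reason).

    Policy: no suspicious code points, and the asserted name must already be
    canonical apart from first-letter case. ' admin' and 'admin\\u202e' are
    refused instead of silently resolving to the existing 'Admin' account."""
    hits = suspicious_codepoints(raw)
    if hits:
        return False, "", "suspicious code points: " + ", ".join(hits)
    canonical = mw_canonical_name(raw)
    if not canonical:
        return False, "", "empty after canonicalization"
    if canonical != raw[:1].upper() + raw[1:]:
        return False, "", f"not canonical: {raw!r} -> {canonical!r}"
    return True, canonical, "ok"


def collision_groups(names: list[str]) -> dict[str, list[str]]:
    """Group asserted names by the local account they would resolve to;
    only accounts reachable from more than one spelling are returned."""
    groups: dict[str, list[str]] = {}
    for n in names:
        groups.setdefault(mw_canonical_name(n), []).append(n)
    return {k: v for k, v in groups.items() if len(v) > 1}


if __name__ == "__main__":
    for name in ["jdoe", "Admin", "admin\u202e", " admin", "Ad\u00a0min"]:
        print(repr(name), accept_sso_username(name))
    print(collision_groups(["Admin", "admin\u202e", " admin", "Ad\u202amin"]))
```

The strict comparison also rejects names such as "John_Doe", because MediaWiki treats underscore and space as the same character; if CAS usernames legitimately contain underscores, map "_" to " " before the comparison and accept that "John_Doe" and "John Doe" are one wiki account. collision_groups is the pre-patch view: every spelling in a group would have landed on the same privileged account.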
🧯 If You Can't Patch
- Implement strict monitoring for unusual login patterns, in particular successful logins whose recorded username differs from an existing privileged username only by whitespace or invisible characters
- Enforce a restrictive username policy on the CAS server (for example ASCII letters and digits only, no leading or trailing spaces) so that a lookalike of a privileged username cannot be registered in the first place
- Enforce multi-factor authentication for all privileged accounts; note that this has to be configured on the CAS server, and that it does not by itself block this attack, because the attacker authenticates to CAS with their own credentials rather than the target's
🔍 How to Verify
Check if Vulnerable:
Check whether the CasAuth extension is installed and which version or commit is deployed. On a test instance, attempt to log in through CAS with a username that differs from an existing account's name only by bidirectional override characters or leading, trailing or doubled whitespace, and confirm whether MediaWiki treats it as that existing account.
Check Version:
Check the MediaWiki version: grep wgVersion includes/DefaultSettings.php (or run php maintenance/version.php). Check for CasAuth: grep -r 'CasAuth' extensions/ and confirm it is loaded in LocalSettings.php; Special:Version on the wiki also lists installed extensions and their versions.
Verify Fix Applied:
Verify that the deployed CasAuth extension includes the change from pull request #11, then repeat the lookalike-username test above and confirm that the manipulated username is rejected rather than mapped onto the existing account.
📡 Detection & Monitoring
Log Indicators:
- Successful CAS logins where the recorded username contains bidirectional controls, non-ASCII whitespace, or leading, trailing or doubled spaces; two or more distinct username spellings resolving to the same local account; privileged accounts logging in from unexpected source addresses; repeated attempts with near-identical usernames
Network Indicators:
- CAS login requests and ticket validation responses in which the asserted username contains invisible or unusual characters
SIEM Query (pseudo-syntax, adapt to your SIEM's field names and Unicode escaping):
source="mediawiki_logs" AND (username CONTAINS "\u202A" OR username CONTAINS "\u202B" OR username CONTAINS "\u202C" OR username CONTAINS "\u202D" OR username CONTAINS "\u202E" OR username CONTAINS "\u200E" OR username CONTAINS "\u200F" OR username MATCHES "^\s|\s$|\s\s")
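The same indicators run as code over constructed sample log lines, as an added example; the lines and their user="..." field layout are made up for the demonstration and are not the format of any real CasAuth or MediaWiki log. Beyond the per-line character checks in the query above, the scan also clusters successful logins by a lookalike key so that several distinct spellings landing on one account stand out even when an individual line would pass a character filter.

```python
import re
import unicodedata
from collections import defaultdict

# Constructed sample log lines (not real CasAuth output). Assumed layout:
# timestamp, "casauth login ok|fail", source IP, raw asserted username in quotes.
SAMPLE_LOG = """\
2020-11-16T10:01:02Z casauth login ok src=10.0.0.5 user="jdoe"
2020-11-16T10:02:10Z casauth login ok src=10.0.0.5 user="Admin"
2020-11-16T10:05:44Z casauth login ok src=203.0.113.9 user="admin\u202e"
2020-11-16T10:06:01Z casauth login ok src=203.0.113.9 user=" admin"
2020-11-16T10:07:30Z casauth login ok src=203.0.113.9 user="Ad\u00a0min"
2020-11-16T10:09:12Z casauth login fail src=198.51.100.7 user="bureaucrat1"
"""

LINE_RE = re.compile(r'^(\S+) casauth login (ok|fail) src=(\S+) user="([^"]*)"$')

# Bidirectional controls: marks, embeddings, overrides, isolates.
BIDI_CONTROLS = frozenset(
    "\u200e\u200f\u202a\u202b\u202c\u202d\u202e\u2066\u2067\u2068\u2069"
)


def indicator_flags(user: str) -> list[str]:
    """Per-username indicators corresponding to the log/network indicators above."""
    flags = set()
    for ch in user:
        if ch in BIDI_CONTROLS:
            flags.add("bidi-control")
        elif unicodedata.category(ch) in ("Cc", "Cf"):
            flags.add("control-or-format-char")
        elif ch != " " and ch.isspace():
            flags.add("non-ascii-whitespace")
    if user != user.strip(" ") or "  " in user:
        flags.add("edge-or-double-space")
    return sorted(flags)


def lookalike_key(user: str) -> str:
    """Key under which lookalike spellings collide: invisible format characters
    removed, whitespace and underscores folded to one space, case folded."""
    visible = "".join(ch for ch in user if unicodedata.category(ch) != "Cf")
    return re.sub(r"[\s_]+", " ", visible).strip().casefold()


def parse_log(text: str) -> list[dict]:
    """Parse the assumed line format; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, result, src, user = m.groups()
            events.append({"ts": ts, "result": result, "src": src, "user": user})
    return events


def scan(text: str) -> tuple[list[dict], dict[str, list[str]]]:
    """Return (events whose username carries an indicator, clusters of distinct
    successful-login spellings that share one lookalike key)."""
    flagged = []
    seen: dict[str, list[str]] = defaultdict(list)
    for ev in parse_log(text):
        flags = indicator_flags(ev["user"])
        if flags:
            flagged.append({**ev, "flags": flags})
        if ev["result"] == "ok":
            key = lookalike_key(ev["user"])
            if ev["user"] not in seen[key]:
                seen[key].append(ev["user"])
    clusters = {k: v for k, v in seen.items() if len(v) > 1}
    return flagged, clusters


if __name__ == "__main__":
    flagged, clusters = scan(SAMPLE_LOG)
    for ev in flagged:
        print(ev["ts"], ev["src"], repr(ev["user"]), ev["flags"])
    for key, spellings in clusters.items():
        print("same account:", repr(key), "<-", [repr(s) for s in spellings])
```

On the sample, three lines are flagged individually (the bidi override, the leading space, the no-break space), and the cluster view shows that "Admin", "admin" followed by U+202E, and " admin" all resolve to one account; the no-break-space variant forms its own key because MediaWiki folds it to a space rather than removing it, which is why both checks are worth running.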