CVE-2021-36125
📋 TL;DR
This vulnerability in MediaWiki's CentralAuth extension allows attackers to cause denial of service through infinite loops when processing username rename requests with overly long names. It affects MediaWiki installations with the CentralAuth extension enabled. The vulnerability can be triggered by any user with access to the Special:GlobalRenameRequest page.
💻 Affected Systems
- MediaWiki with CentralAuth extension
📦 What is this software?
Mediawiki by Mediawiki
⚠️ Risk & Real-World Impact
Worst Case
Complete service unavailability due to resource exhaustion from infinite loops, potentially affecting all users of the MediaWiki instance.
Likely Case
Temporary denial of service affecting the rename functionality and potentially other services on the same server due to CPU/memory exhaustion.
If Mitigated
Minimal impact if rate limiting or resource controls prevent complete system exhaustion, though rename functionality may still be disrupted.
🎯 Exploit Status
Exploitation requires access to the rename request page but is technically simple. The vulnerability was discovered through code review rather than active exploitation.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: MediaWiki 1.36.1 or later
Vendor Advisory: https://phabricator.wikimedia.org/T260865
Restart Required: No
Instructions:
1. Update MediaWiki to version 1.36.1 or later.
2. If using the CentralAuth extension separately, ensure it is updated to a patched version.
3. Clear caches if applicable.
🔧 Temporary Workarounds
Disable CentralAuth extension
Temporarily disable the CentralAuth extension to prevent exploitation.
Edit LocalSettings.php and comment out or remove: wfLoadExtension('CentralAuth');
Restrict access to rename page
Limit access to the Special:GlobalRenameRequest page to trusted users only.
Add to LocalSettings.php: $wgGroupPermissions['*']['globalrename'] = false;
🧯 If You Can't Patch
- Implement strict rate limiting on the Special:GlobalRenameRequest endpoint
- Configure server resource limits (CPU time, memory) to prevent complete system exhaustion from infinite loops
🔍 How to Verify
Check if Vulnerable:
Check the MediaWiki version and the CentralAuth extension status. If MediaWiki <= 1.36 is running with CentralAuth enabled, the system is vulnerable.
Check Version:
Check includes/DefaultSettings.php for $wgVersion or view Special:Version page
Verify Fix Applied:
Verify MediaWiki version is 1.36.1 or later and check that rename functionality works without infinite loops.
📡 Detection & Monitoring
Log Indicators:
- Repeated requests to Special:GlobalRenameRequest with long usernames
- High CPU/memory usage from MediaWiki processes
- Apache/Nginx logs showing 500 errors on rename requests
Network Indicators:
- Unusual pattern of POST requests to /wiki/Special:GlobalRenameRequest
SIEM Query:
source="mediawiki.log" AND ("Special:GlobalRenameRequest" OR "globalrename") AND (status=500 OR duration>10s)
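The log indicators and query above can also be checked directly against a web server access log. The following is an added example, not part of the original advisory or of MediaWiki; it assumes combined log format with the request time in seconds appended as the last field, and the sample lines, thresholds and function name are constructed for illustration.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Constructed sample lines (combined log format plus a trailing request time
# in seconds). Addresses are documentation ranges, not real traffic.
SAMPLE_LOG = """\
198.51.100.7 - - [12/Jul/2021:10:00:01 +0000] "POST /wiki/Special:GlobalRenameRequest HTTP/1.1" 500 312 "-" "Mozilla/5.0" 30.002
198.51.100.7 - - [12/Jul/2021:10:00:40 +0000] "POST /wiki/Special:GlobalRenameRequest HTTP/1.1" 200 5120 "-" "Mozilla/5.0" 14.871
198.51.100.7 - - [12/Jul/2021:10:01:15 +0000] "POST /w/index.php?title=Special%3AGlobalRenameRequest HTTP/1.1" 504 0 "-" "Mozilla/5.0" 60.000
203.0.113.20 - - [12/Jul/2021:10:02:00 +0000] "POST /wiki/Special:GlobalRenameRequest HTTP/1.1" 200 4980 "-" "Mozilla/5.0" 0.214
203.0.113.20 - - [12/Jul/2021:10:02:05 +0000] "GET /wiki/Main_Page HTTP/1.1" 200 20133 "-" "Mozilla/5.0" 0.090
"""

LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "[^"]*" (?P<secs>\d+(?:\.\d+)?)$'
)


def suspicious_rename_requests(log_text, max_secs=10.0, min_hits=2):
    """Return {client_ip: count} for rename POSTs that returned 500 or ran long."""
    hits = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or m["method"] != "POST":
            continue
        # Decode first so Special%3AGlobalRenameRequest is matched as well.
        if "special:globalrenamerequest" not in unquote(m["uri"]).lower():
            continue
        # Same condition as the query above: status=500 OR duration>10s.
        if int(m["status"]) == 500 or float(m["secs"]) > max_secs:
            hits[m["ip"]] += 1
    # Report only clients with repeated hits, per the "repeated requests" indicator.
    return {ip: n for ip, n in hits.items() if n >= min_hits}


if __name__ == "__main__":
    for ip, count in suspicious_rename_requests(SAMPLE_LOG).items():
        print(f"{ip}: {count} slow or failed rename requests")
```
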