CVE-2021-44858
📋 TL;DR
This vulnerability allows unauthorized users to view private pages on MediaWiki installations configured as private wikis with whitelist read restrictions ($wgWhitelistRead). Attackers can exploit a flaw in the undo/restore functionality to bypass access controls. Affected systems are MediaWiki installations older than the patched versions 1.35.5, 1.36.3, and 1.37.1.
💻 Affected Systems
- MediaWiki
📦 What is this software?
Mediawiki by Mediawiki
⚠️ Risk & Real-World Impact
Worst Case
Complete exposure of all private content on a private wiki, potentially revealing sensitive information, internal documentation, or confidential data to unauthorized users.
Likely Case
Unauthorized viewing of private pages containing internal information, user data, or restricted content that should only be accessible to authorized users.
If Mitigated
Limited or no impact if the wiki is public or doesn't use $wgWhitelistRead, or if proper access controls and monitoring are in place.
🎯 Exploit Status
Exploitation requires knowledge of specific URL parameters and access to a private wiki with whitelist configuration.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: MediaWiki 1.35.5, 1.36.3, or 1.37.1
Vendor Advisory: https://www.mediawiki.org/wiki/2021-12_security_release/FAQ
Restart Required: No
Instructions:
1. Back up your MediaWiki installation and database.
2. Download and install the patched version from mediawiki.org.
3. Run update.php if upgrading across major versions.
4. Verify the installation is working correctly.
🔧 Temporary Workarounds
Disable undo/restore functionality
Temporarily disable the vulnerable undo and restore actions to prevent exploitation.
Add to LocalSettings.php: $wgActions['undo'] = false; $wgActions['mcrundo'] = false; $wgActions['mcrrestore'] = false;
Remove whitelist configuration
If feasible, reconfigure the wiki to not use $wgWhitelistRead, which removes the vulnerable condition.
Remove or comment out $wgWhitelistRead configuration in LocalSettings.php
🧯 If You Can't Patch
- Implement strict network access controls to limit who can access the MediaWiki instance
- Enable detailed logging and monitoring for unauthorized access attempts to private pages
🔍 How to Verify
Check if Vulnerable:
Check MediaWiki version and verify if $wgWhitelistRead is configured in LocalSettings.php
Check Version:
Check includes/DefaultSettings.php or run: php maintenance/run.php --version
Verify Fix Applied:
Verify MediaWiki version is 1.35.5, 1.36.3, 1.37.1 or later, and test that private pages cannot be accessed via undo/restore actions
📡 Detection & Monitoring
Log Indicators:
- Multiple requests to action=edit&undo=, action=mcrundo, action=mcrrestore in short succession
- Access to private pages from unauthorized IPs/users
Network Indicators:
- HTTP requests containing undo, mcrundo, or mcrrestore parameters to private wiki URLs
SIEM Query:
web.url:*action=edit*undo=* OR web.url:*action=mcrundo* OR web.url:*action=mcrrestore*
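Added example (not part of the original advisory or of MediaWiki's code): a Python check implementing the log indicators above, flagging clients that send several undo, mcrundo or mcrrestore requests in short succession. The log lines are constructed samples in combined access-log format, and the threshold of 3 requests within 60 seconds is an assumption to tune per site.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import parse_qs, urlsplit

# Constructed sample lines in "combined" access-log format (not real traffic).
SAMPLE_LOG = """\
198.51.100.7 - - [14/Dec/2021:10:00:01 +0000] "GET /index.php?title=Secret&action=edit&undo=120&undoafter=119 HTTP/1.1" 200 5120 "-" "curl/7.79"
198.51.100.7 - - [14/Dec/2021:10:00:03 +0000] "GET /index.php?title=Secret2&action=mcrundo&undo=44&undoafter=43 HTTP/1.1" 200 4800 "-" "curl/7.79"
198.51.100.7 - - [14/Dec/2021:10:00:05 +0000] "GET /index.php?title=Plans&action=mcrrestore&restore=9 HTTP/1.1" 200 4100 "-" "curl/7.79"
203.0.113.20 - - [14/Dec/2021:10:02:00 +0000] "GET /index.php?title=Main_Page&action=edit HTTP/1.1" 200 900 "-" "Mozilla/5.0"
203.0.113.20 - - [14/Dec/2021:11:30:00 +0000] "GET /index.php?title=Help&action=edit&undo=7 HTTP/1.1" 200 900 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "[A-Z]+ (\S+) [^"]*"')

def is_undo_request(url):
    """True if the URL matches one of the three indicator patterns."""
    # parse_qs percent-decodes names and values, so encoded variants such as
    # %61ction=mcrundo are caught; a plain wildcard match on the URL misses them.
    q = parse_qs(urlsplit(url).query, keep_blank_values=True)
    action = q.get("action", ["view"])[-1].lower()
    if action in ("mcrundo", "mcrrestore"):
        return True
    return action == "edit" and "undo" in q

def find_bursts(log_text, threshold=3, window=timedelta(seconds=60)):
    """Return {client_ip: largest burst size} for clients with >= threshold hits in window."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m and is_undo_request(m.group(3)):
            ts = datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S %z")
            hits[m.group(1)].append(ts)
    flagged = {}
    for ip, times in hits.items():
        times.sort()
        start = 0
        for end in range(len(times)):  # sliding window over sorted timestamps
            while times[end] - times[start] > window:
                start += 1
            size = end - start + 1
            if size >= threshold:
                flagged[ip] = max(flagged.get(ip, 0), size)
    return flagged

if __name__ == "__main__":
    print(find_bursts(SAMPLE_LOG))
```

Access logs record only the request line, so parameters sent in a POST body are not visible to this check.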