CVE-2021-46147
📋 TL;DR
This CVE describes a Cross-Site Request Forgery (CSRF) vulnerability in MediaWiki's MassEditRegex extension. It allows attackers to trick authenticated administrators into performing unauthorized mass edits on the wiki without their knowledge. Affects MediaWiki installations with the MassEditRegex extension enabled.
💻 Affected Systems
- MediaWiki
📦 What is this software?
Mediawiki by Mediawiki
⚠️ Risk & Real-World Impact
Worst Case
Attackers could completely deface or delete large portions of wiki content, modify user permissions, or inject malicious content that affects all visitors.
Likely Case
Unauthorized content modifications, page deletions, or injection of spam/links by exploiting administrator sessions.
If Mitigated
Limited impact if CSRF tokens are properly implemented and administrators follow security best practices.
🎯 Exploit Status
Requires tricking authenticated administrator to visit malicious page while logged in. CSRF attacks are well-understood and easy to weaponize.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: MediaWiki 1.35.5, 1.36.3, or 1.37.1
Vendor Advisory: https://phabricator.wikimedia.org/T293341
Restart Required: No
Instructions:
1. Update MediaWiki to the patched version.
2. If the extension is installed separately, update the MassEditRegex extension.
3. Clear caches if applicable.
🔧 Temporary Workarounds
Disable MassEditRegex Extension
Temporarily disable the vulnerable extension until patching is possible.
Edit LocalSettings.php and comment out or remove: wfLoadExtension('MassEditRegex');
Implement CSRF Protection
Add CSRF tokens to MassEditRegex forms if you maintain a custom implementation.
In the extension code, read the submitted token with $wgRequest->getVal('token') and validate it against the user's session token before performing any edit.
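The following is an added illustration, not the MassEditRegex extension's own code and not the upstream fix: a minimal MediaWiki special page that shows the CSRF-vulnerable request handling next to the token-checked version. The class name, the page name ExampleMassEdit, the required right and the simplified "preview only" replacement logic are assumptions; the token calls (User::getEditToken, User::matchEditToken, the wpEditToken field and the core sessionfailure message) are MediaWiki's standard ones.

```php
<?php
// Added example, not the MassEditRegex extension's code. The class name, the
// 'ExampleMassEdit' page name, the 'edit' right and the preview-only edit logic
// are assumptions. Register from an extension with:
//   $wgSpecialPages['ExampleMassEdit'] = SpecialExampleMassEdit::class;

class SpecialExampleMassEdit extends SpecialPage {

	public function __construct() {
		// Second argument: the user right required to use the page at all.
		parent::__construct( 'ExampleMassEdit', 'edit' );
	}

	public function execute( $subPage ) {
		$this->setHeaders();
		$this->checkPermissions(); // throws PermissionsError if the right is missing
		$request = $this->getRequest();
		$out = $this->getOutput();
		$user = $this->getUser();

		if ( !$request->wasPosted() ) {
			$this->showForm( $user->getEditToken() );
			return;
		}

		// VULNERABLE pattern: acting on any POST that arrives with the admin's
		// session cookie. A form on another origin can submit exactly this
		// request, which is the CSRF described by CVE-2021-46147.
		//
		//     $this->runReplacement( $request );   // no token check
		//
		// HARDENED pattern: the edit token is bound to the user's session and
		// is only readable by a page served from this wiki, so a cross-origin
		// form cannot supply a matching value.
		if ( !$user->matchEditToken( $request->getVal( 'wpEditToken' ) ) ) {
			// Core message for a missing or stale token; nothing is changed.
			$out->addWikiMsg( 'sessionfailure' );
			$this->showForm( $user->getEditToken() );
			return;
		}

		$this->runReplacement( $request );
	}

	private function showForm( string $token ): void {
		$this->getOutput()->addHTML(
			Html::openElement( 'form', [
				'method' => 'post',
				'action' => $this->getPageTitle()->getLocalURL(),
			] ) .
			// Hidden token: the browser sends it back with the POST, and the
			// check in execute() rejects submissions that lack the current value.
			Html::hidden( 'wpEditToken', $token ) .
			Html::label( 'Search regex', 'search' ) .
			Html::input( 'search', '', 'text', [ 'id' => 'search' ] ) .
			Html::label( 'Replacement', 'replace' ) .
			Html::input( 'replace', '', 'text', [ 'id' => 'replace' ] ) .
			Html::label( 'Text to preview against', 'text' ) .
			Html::textarea( 'text', '', [ 'id' => 'text' ] ) .
			Html::submitButton( 'Preview' ) .
			Html::closeElement( 'form' )
		);
	}

	// Simplified stand-in for the extension's mass edit: apply the regex to
	// the submitted text and show the result instead of editing pages.
	private function runReplacement( WebRequest $request ): void {
		$out = $this->getOutput();
		$search = $request->getText( 'search' );
		$replace = $request->getText( 'replace' );
		$text = $request->getText( 'text' );

		// Escape the delimiter so the user cannot close the pattern early, and
		// reject a regex that fails to compile instead of silently doing nothing.
		$pattern = '/' . str_replace( '/', '\/', $search ) . '/u';
		$result = @preg_replace( $pattern, $replace, $text );
		if ( $result === null ) {
			$out->addHTML( Html::element( 'p', [ 'class' => 'error' ], 'Invalid regular expression' ) );
			return;
		}
		$out->addHTML( Html::element( 'pre', [], $result ) );
	}
}
```

If the form is built with MediaWiki's HTMLForm (HTMLForm::factory with the page's context and a submit callback) the hidden wpEditToken field and the mismatch check are added automatically, which is the less error-prone route for a real extension; the hand-written version above only makes the two halves of the check visible.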
🧯 If You Can't Patch
- Restrict MassEditRegex permissions to only trusted administrators
- Implement web application firewall rules to detect mass edit patterns
🔍 How to Verify
Check if Vulnerable:
Check whether the MassEditRegex extension is enabled and the MediaWiki version is in the affected range.
Check Version:
Check includes/DefaultSettings.php or run maintenance script: php maintenance/commandLine.inc --version
Verify Fix Applied:
Verify that the MediaWiki version is 1.35.5+, 1.36.3+, or 1.37.1+ and test CSRF protection on the MassEditRegex forms.
📡 Detection & Monitoring
Log Indicators:
- Unusual mass edit patterns from single IP/session
- MassEditRegex actions without corresponding user intent
Network Indicators:
- POST requests to MassEditRegex endpoints without proper referrer/CSRF tokens
SIEM Query:
source="mediawiki.log" AND ("MassEditRegex" OR "massedit") AND status="success" AND user_agent="*" | stats count by src_ip
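As an added example of the network indicator above (not part of the advisory), the script below scans web-server access-log lines for POSTs to the MassEditRegex special page whose Referer is absent or belongs to another host, and for bursts of such POSTs from one client. The log lines are constructed; the wiki host wiki.example.org, the client IPs and the burst threshold are assumptions.

```php
<?php
// Added example, not part of the advisory. Sample log lines are constructed;
// the wiki host, IPs and threshold are assumptions.

// Combined Log Format: ip ident user [time] "method path proto" status bytes "referer" "ua"
const LOG_LINE_PATTERN = '/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+ "([^"]*)" "([^"]*)"$/';

function findSuspiciousMassEdits( array $lines, string $wikiHost, int $burstThreshold = 3 ): array {
	$findings = [];
	$postsPerIp = [];

	foreach ( $lines as $line ) {
		if ( !preg_match( LOG_LINE_PATTERN, $line, $m ) ) {
			continue; // not a line this rule understands
		}
		$ip = $m[1];
		$time = $m[2];
		$method = $m[3];
		$path = $m[4];
		$status = $m[5];
		$referer = $m[6];

		// Only state-changing requests to the vulnerable endpoint matter;
		// GETs that merely render the form are normal admin activity.
		if ( $method !== 'POST' || strpos( $path, 'Special:MassEditRegex' ) === false ) {
			continue;
		}
		$postsPerIp[$ip] = ( $postsPerIp[$ip] ?? 0 ) + 1;

		// A legitimate submission comes from the wiki's own form, so the Referer
		// host is the wiki. A cross-site submission carries the other page's
		// origin, or nothing at all if that page's referrer policy hides it.
		$refererHost = $referer === '-' ? '' : (string)parse_url( $referer, PHP_URL_HOST );
		if ( $refererHost !== $wikiHost ) {
			$findings[] = sprintf( '%s %s POST %s status=%s referer=%s (expected host %s)',
				$time, $ip, $path, $status, $referer, $wikiHost );
		}
	}

	// Several mass-edit submissions from one client within one log window is
	// itself unusual for a tool that administrators run occasionally.
	foreach ( $postsPerIp as $ip => $count ) {
		if ( $count >= $burstThreshold ) {
			$findings[] = sprintf( '%s issued %d MassEditRegex POSTs (threshold %d)', $ip, $count, $burstThreshold );
		}
	}
	return $findings;
}

// Constructed sample: one normal admin session, then cross-site submissions.
$sampleLog = [
	'203.0.113.7 - - [10/Jan/2022:12:00:01 +0000] "GET /index.php?title=Special:MassEditRegex HTTP/1.1" 200 5120 "https://wiki.example.org/index.php?title=Special:SpecialPages" "Mozilla/5.0"',
	'203.0.113.7 - - [10/Jan/2022:12:00:30 +0000] "POST /index.php?title=Special:MassEditRegex HTTP/1.1" 302 0 "https://wiki.example.org/index.php?title=Special:MassEditRegex" "Mozilla/5.0"',
	'198.51.100.9 - - [10/Jan/2022:12:05:00 +0000] "POST /index.php?title=Special:MassEditRegex HTTP/1.1" 302 0 "https://third-party.example.net/page.html" "Mozilla/5.0"',
	'198.51.100.9 - - [10/Jan/2022:12:05:01 +0000] "POST /index.php?title=Special:MassEditRegex HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
	'198.51.100.9 - - [10/Jan/2022:12:05:02 +0000] "POST /index.php?title=Special:MassEditRegex HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
];

foreach ( findSuspiciousMassEdits( $sampleLog, 'wiki.example.org' ) as $finding ) {
	echo $finding, PHP_EOL;
}
```

The CSRF token itself travels in the POST body and never appears in an access log, so a token-mismatch count has to come from the application side (MediaWiki's debug log or the extension's own logging); the Referer check above is the part of the indicator that is visible at the web-server layer, and an empty Referer on its own is only a weak signal because some browsers and referrer policies strip it for legitimate same-site submissions as well.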