CVE-2022-28323
📋 TL;DR
The SecurePoll extension in MediaWiki through version 1.37.2 contains an information disclosure vulnerability where sorting by timestamp can leak sensitive data. This affects MediaWiki installations with the SecurePoll extension enabled, potentially exposing voting or polling information that should remain confidential.
💻 Affected Systems
- MediaWiki with SecurePoll extension
📦 What is this software?
Mediawiki by Mediawiki
⚠️ Risk & Real-World Impact
Worst Case
Complete exposure of sensitive voting data, timestamps, and potentially voter information from SecurePoll elections, compromising election integrity and user privacy.
Likely Case
Partial disclosure of voting patterns, timestamps, or metadata from SecurePoll instances that could be used to infer voting behavior or compromise election secrecy.
If Mitigated
Limited exposure of non-critical metadata with proper access controls and monitoring in place.
🎯 Exploit Status
Exploitation requires access to SecurePoll functionality. The vulnerability involves improper information disclosure through sorting operations.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: MediaWiki 1.37.3 or later
Vendor Advisory: https://phabricator.wikimedia.org/T298434
Restart Required: No
Instructions:
1. Update MediaWiki to version 1.37.3 or later. 2. Ensure SecurePoll extension is updated if installed separately. 3. Verify the patch is applied by checking version and testing SecurePoll functionality.
🔧 Temporary Workarounds
Disable SecurePoll Extension
allTemporarily disable the SecurePoll extension if not actively needed for elections
Edit LocalSettings.php and comment out or remove: wfLoadExtension('SecurePoll');
Restrict SecurePoll Access
allLimit access to SecurePoll functionality to authorized users only
Configure MediaWiki permissions to restrict SecurePoll access to trusted administrators
🧯 If You Can't Patch
- Implement strict access controls to limit who can access SecurePoll functionality
- Monitor SecurePoll access logs for unusual sorting or timestamp-related queries
🔍 How to Verify
Check if Vulnerable:
Check MediaWiki version and SecurePoll extension status. If MediaWiki <= 1.37.2 with SecurePoll enabled, system is vulnerable.Check Version:
Check MediaWiki version in includes/DefaultSettings.php or via Special:Version pageVerify Fix Applied:
Verify MediaWiki version is 1.37.3 or later and test SecurePoll sorting functionality for information leaks.📡 Detection & Monitoring
Log Indicators:
- Unusual SecurePoll access patterns
- Multiple timestamp sorting requests
- Access to SecurePoll by unauthorized users
Network Indicators:
- HTTP requests to SecurePoll endpoints with sorting parameters
- Unusual traffic to election-related pages
SIEM Query:
source="mediawiki_logs" AND (uri_path="/wiki/Special:SecurePoll" OR uri_path LIKE "%/SecurePoll%") AND (query_string LIKE "%sort=%" OR query_string LIKE "%timestamp%")🔗 References
- https://gerrit.wikimedia.org/r/q/93758c4c13b972d240a6313e0472df1667118893
- https://gerrit.wikimedia.org/r/q/I9d3b9a942ea71d777ec32121fa36262f549d283d
- https://phabricator.wikimedia.org/T298434
- https://gerrit.wikimedia.org/r/q/93758c4c13b972d240a6313e0472df1667118893
- https://gerrit.wikimedia.org/r/q/I9d3b9a942ea71d777ec32121fa36262f549d283d
- https://phabricator.wikimedia.org/T298434
