CVE-2023-29141
📋 TL;DR
This vulnerability in MediaWiki allows attackers to trigger automatic IP blocking by manipulating the X-Forwarded-For HTTP header. It affects MediaWiki instances that process untrusted headers, potentially enabling denial-of-service attacks against legitimate users. All MediaWiki installations within the affected version ranges are vulnerable if they accept X-Forwarded-For headers from untrusted sources.
💻 Affected Systems
- MediaWiki
📦 What is this software?
Fedora by Fedoraproject
Mediawiki by Mediawiki
⚠️ Risk & Real-World Impact
Worst Case
Attackers can block legitimate users, administrators, or entire IP ranges from accessing the wiki, causing complete denial of service for affected users.
Likely Case
Targeted blocking of specific users or IP addresses, disrupting legitimate access to the wiki platform.
If Mitigated
If proper header validation or IP filtering is in place, the impact is limited to potential logging anomalies with no service disruption.
🎯 Exploit Status
Exploitation requires sending crafted HTTP requests with malicious X-Forwarded-For headers.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.35.10, 1.38.6, 1.39.3 or later
Vendor Advisory: https://phabricator.wikimedia.org/T285159
Restart Required: No
Instructions:
1. Backup your MediaWiki installation.
2. Update to a patched version using your package manager or a manual download.
3. Run update.php if database schema changes are needed.
🔧 Temporary Workarounds
Filter X-Forwarded-For Headers
Configure the web server or reverse proxy to strip or validate X-Forwarded-For headers from untrusted sources.
# Apache (mod_headers): RequestHeader unset X-Forwarded-For early
# Nginx: proxy_set_header X-Forwarded-For $remote_addr;
Disable Auto-block Feature
Temporarily disable MediaWiki's auto-block functionality until patched.
# In LocalSettings.php: $wgApplyIpBlocksToXff = false;
# ($wgApplyIpBlocksToXff controls whether IP blocks are applied to addresses taken from X-Forwarded-For; it defaults to false, so confirm it has not been enabled.
#  $wgBlockDisablesLogin only controls whether blocked users may log in and does not affect auto-blocks.)
🧯 If You Can't Patch
- Implement strict IP validation at reverse proxy/load balancer level
- Monitor and audit auto-block logs for suspicious patterns
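The validation that the header workaround above and the "implement strict IP validation at the reverse proxy" fallback both call for is a trusted-proxy walk of the X-Forwarded-For chain: a hop is believed only if the party that reported it is one of your own proxies, so an address injected by the remote client never becomes the "client IP" that block and auto-block logic acts on. The following is an added example written for this page, not MediaWiki's code and not part of the advisory; the trusted-proxy networks, the private-address table, the function names and every sample address are constructed assumptions.

```python
"""Resolve a client address from X-Forwarded-For, believing only hops reported by trusted proxies.

Added example (not MediaWiki code). Addresses and networks below are constructed
for illustration; replace TRUSTED_PROXIES with your real proxy/load-balancer ranges.
"""
import ipaddress
from typing import List, Optional, Union

IPAddress = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]

# Assumed: the only hosts allowed to append to X-Forwarded-For in this deployment.
TRUSTED_PROXIES = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "2001:db8::/32")]

# Explicit private/local table instead of ipaddress.is_private, which also flags
# the RFC 5737/3849 documentation ranges used as sample public addresses below.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "fc00::/7", "fe80::/10", "::1/128",
)]


def parse_xff(header: Optional[str]) -> List[Optional[IPAddress]]:
    """Split the header left-to-right; unparseable entries stay as None to keep their position."""
    entries: List[Optional[IPAddress]] = []
    for part in (header or "").split(","):
        part = part.strip()
        if not part:
            continue
        try:
            entries.append(ipaddress.ip_address(part))
        except ValueError:
            entries.append(None)
    return entries


def in_any(addr: Optional[IPAddress], nets) -> bool:
    # Version mismatch (v4 address vs v6 network) is simply "not contained".
    return addr is not None and any(addr in net for net in nets)


def walk_xff(remote_addr: str, xff_header: Optional[str],
             trusted=TRUSTED_PROXIES, allow_private: bool = False) -> List[IPAddress]:
    """Return the accepted hops, starting at the direct TCP peer and moving leftwards.

    The walk stops at the first hop that the current (already accepted) address is not
    entitled to vouch for: the current address is not a trusted proxy, the hop does not
    parse, or the hop is private and private forwarded addresses are not accepted
    (the analogue of MediaWiki's $wgUsePrivateIPs being off).
    """
    accepted: List[IPAddress] = [ipaddress.ip_address(remote_addr)]
    for hop in reversed(parse_xff(xff_header)):
        current = accepted[-1]
        if not in_any(current, trusted):
            break  # an untrusted client may write anything here; ignore it
        if hop is None:
            break  # garbage in the chain: stop and fall back to the last good hop
        if in_any(hop, PRIVATE_NETS) and not allow_private and not in_any(hop, trusted):
            break
        accepted.append(hop)
    return accepted


def resolve_client_ip(remote_addr: str, xff_header: Optional[str],
                      trusted=TRUSTED_PROXIES, allow_private: bool = False) -> str:
    """The single address the application should use for block checks, auto-blocks and logs."""
    return str(walk_xff(remote_addr, xff_header, trusted, allow_private)[-1])


def sanitize_xff(remote_addr: str, xff_header: Optional[str],
                 trusted=TRUSTED_PROXIES, allow_private: bool = False) -> str:
    """Header value a proxy should forward upstream: only the accepted hops, client first.

    The direct peer is left out because the forwarding proxy appends itself anyway.
    """
    chain = walk_xff(remote_addr, xff_header, trusted, allow_private)
    return ", ".join(str(a) for a in reversed(chain[1:]))


if __name__ == "__main__":
    # Constructed requests: a spoofed header from an untrusted peer, and a genuine
    # chain where the real client's request carried a forged inner entry.
    print(resolve_client_ip("198.51.100.9", "192.0.2.44"))                  # 198.51.100.9
    print(resolve_client_ip("10.0.0.1", "192.0.2.44, 198.51.100.9"))        # 198.51.100.9
    print(sanitize_xff("10.0.0.1", "192.0.2.44, 198.51.100.9"))             # 198.51.100.9
```

Placed in front of MediaWiki (or any application that auto-blocks on client address), the proxy forwards `sanitize_xff(...)` instead of the raw header, so the application only ever sees addresses a trusted hop vouched for; the `allow_private` switch mirrors the decision the `$wgUsePrivateIPs` check in the verification section asks you to review.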
🔍 How to Verify
Check if Vulnerable:
Check MediaWiki version against affected ranges. Review if $wgUsePrivateIPs or similar settings enable X-Forwarded-For processing.
Check Version:
php maintenance/version.php
# MediaWiki 1.40 and later also accept: php maintenance/run.php version
Verify Fix Applied:
Confirm MediaWiki version is 1.35.10+, 1.38.6+, or 1.39.3+. Test with crafted X-Forwarded-For headers to ensure no auto-block occurs.
📡 Detection & Monitoring
Log Indicators:
- Unexpected auto-block entries in MediaWiki logs
- Multiple IP blocks from single source IP
- X-Forwarded-For header patterns matching internal IPs
Network Indicators:
- HTTP requests with spoofed X-Forwarded-For headers
- Rapid succession of blocking events
SIEM Query:
source="mediawiki.log" AND "autoblock" AND ("X-Forwarded-For" OR "xff")
🔗 References
- https://gerrit.wikimedia.org/r/plugins/gitiles/mediawiki/core/+/REL1_39/RELEASE-NOTES-1.39
- https://lists.debian.org/debian-lts-announce/2023/08/msg00029.html
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ONWHGOBFD6CQAEGOP5O375XAP2N6RUHT/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZGK4NZPIJ5ET2ANRZOUYPCRIB5I64JR7/
- https://phabricator.wikimedia.org/T285159
- https://www.debian.org/security/2023/dsa-5447