CVE-2023-45363
📋 TL;DR
This vulnerability in MediaWiki's ApiPageSet.php allows attackers to trigger an infinite loop when querying pages with specific redirect and title conversion parameters, causing denial of service through RequestTimeoutException. It affects MediaWiki installations with language variants enabled. All MediaWiki instances within affected version ranges are vulnerable if the API is accessible.
💻 Affected Systems
- MediaWiki
📦 What is this software?
Mediawiki by Mediawiki
⚠️ Risk & Real-World Impact
Worst Case
Complete service unavailability for MediaWiki instance due to resource exhaustion from infinite loop, potentially affecting all users and functionality.
Likely Case
Temporary service degradation or unavailability for specific API endpoints, impacting users trying to access affected pages.
If Mitigated
Minimal impact with proper rate limiting, request timeouts, and monitoring in place to detect and block malicious requests.
🎯 Exploit Status
Exploitation requires crafting specific API requests with redirect and converttitles parameters targeting pages with language variants.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: MediaWiki 1.35.12, 1.39.5, or 1.40.1
Vendor Advisory: https://phabricator.wikimedia.org/T333050
Restart Required: No
Instructions:
1. Backup your MediaWiki installation and database.
2. Download and install the patched version from mediawiki.org.
3. Run the update.php maintenance script.
4. Verify functionality.
🔧 Temporary Workarounds
Disable Language Variants
Temporarily disable the language variants feature to prevent exploitation.
Edit LocalSettings.php and add: $wgUsePigLatinVariant = false;
API Request Filtering
Implement web application firewall rules to block malicious API requests with specific redirect parameters.
🧯 If You Can't Patch
- Implement strict rate limiting on API endpoints
- Deploy web application firewall with rules to detect and block infinite loop patterns
🔍 How to Verify
Check if Vulnerable:
Check MediaWiki version via Special:Version page or by examining includes/DefaultSettings.php for MW_VERSION.
Check Version:
grep 'MW_VERSION' includes/DefaultSettings.php
Verify Fix Applied:
Verify version is 1.35.12, 1.39.5, 1.40.1 or later, and test API requests with redirect and converttitles parameters no longer cause timeouts.
📡 Detection & Monitoring
Log Indicators:
- Multiple RequestTimeoutException entries in MediaWiki debug logs
- High CPU usage from Apache/PHP processes
- Repeated API requests with redirect=* and converttitles parameters
Network Indicators:
- Unusually high number of API requests to pages with language variants
- Requests timing out with 504 errors
SIEM Query:
source="mediawiki.log" AND "RequestTimeoutException" AND "ApiPageSet"
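As an added illustration (not part of the advisory), the log indicators above applied to constructed sample log lines in Python: it counts api.php requests per client that combine the `redirects` and `converttitles` query parameters (the API's actual parameter names) and correlates them with RequestTimeoutException entries mentioning ApiPageSet. The log formats, the sample lines and the alert threshold are assumptions.

```python
import re
from collections import Counter
from urllib.parse import urlparse, parse_qs

# Constructed sample web-server access log lines (combined-log style, not real traffic).
ACCESS_LOG = """\
203.0.113.7 - - [12/Nov/2023:10:01:02 +0000] "GET /w/api.php?action=query&titles=Foo&redirects=1&converttitles=1 HTTP/1.1" 504 0
203.0.113.7 - - [12/Nov/2023:10:01:09 +0000] "GET /w/api.php?action=query&titles=Bar&redirects=1&converttitles=1 HTTP/1.1" 504 0
203.0.113.7 - - [12/Nov/2023:10:01:15 +0000] "GET /w/api.php?action=query&titles=Baz&redirects=1&converttitles=1 HTTP/1.1" 504 0
198.51.100.4 - - [12/Nov/2023:10:02:00 +0000] "GET /w/api.php?action=query&titles=Main_Page HTTP/1.1" 200 812
198.51.100.4 - - [12/Nov/2023:10:02:30 +0000] "GET /w/api.php?action=query&titles=Foo&redirects=1 HTTP/1.1" 200 640
"""

# Constructed sample MediaWiki debug log lines (format is an assumption).
DEBUG_LOG = """\
[exception] RequestTimeoutException from ApiPageSet.php: The request exceeded the maximum execution time
[exception] RequestTimeoutException from ApiPageSet.php: The request exceeded the maximum execution time
[exception] DBQueryError from Database.php: Lost connection
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

def suspicious_api_requests(log_text):
    """Map client IP -> number of api.php requests carrying BOTH redirects and
    converttitles; a request with only one of them is not the CVE pattern."""
    hits = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        url = urlparse(m.group("target"))
        if not url.path.endswith("/api.php"):
            continue
        qs = parse_qs(url.query)
        if "redirects" in qs and "converttitles" in qs:
            hits[m.group("ip")] += 1
    return hits

def timeout_exceptions(log_text):
    """Count debug-log lines where ApiPageSet raised RequestTimeoutException."""
    return sum(1 for l in log_text.splitlines()
               if "RequestTimeoutException" in l and "ApiPageSet" in l)

def alert(access_log, debug_log, threshold=3):
    """Return client IPs at or above the threshold, but only when the debug log
    also shows the timeout signature, to avoid alerting on benign variant lookups."""
    if timeout_exceptions(debug_log) == 0:
        return []
    hits = suspicious_api_requests(access_log)
    return sorted(ip for ip, n in hits.items() if n >= threshold)
```

A real deployment would read these from the web server and MediaWiki log files and tune the threshold to the wiki's normal variant-conversion traffic.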
🔗 References
- https://lists.debian.org/debian-lts-announce/2023/11/msg00027.html
- https://phabricator.wikimedia.org/T333050
- https://www.debian.org/security/2023/dsa-5520