CVE-2024-40601
📋 TL;DR
This CVE describes a Cross-Site Request Forgery (CSRF) vulnerability in the MediaWikiChat extension for MediaWiki. Attackers can trick authenticated users into performing unauthorized actions via the API modules. All MediaWiki installations using the vulnerable MediaWikiChat extension are affected.
💻 Affected Systems
- MediaWiki with MediaWikiChat extension
📦 What is this software?
MediaWiki by MediaWiki
⚠️ Risk & Real-World Impact
Worst Case
Attackers could manipulate chat settings, delete conversations, or perform other administrative actions through authenticated users' sessions, potentially disrupting communication or modifying system behavior.
Likely Case
Attackers create malicious pages that trigger CSRF requests when visited by authenticated users, leading to unauthorized chat modifications or data manipulation.
If Mitigated
With proper CSRF protections and user awareness, impact is limited to unsuccessful exploitation attempts with no data compromise.
🎯 Exploit Status
CSRF attacks typically require social engineering to trick authenticated users into visiting malicious pages. The vulnerability is in API endpoints that lack proper CSRF protections.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Check MediaWikiChat extension updates or MediaWiki 1.42.2+
Vendor Advisory: https://phabricator.wikimedia.org/T362588
Restart Required: No
Instructions:
1. Update MediaWiki to version 1.42.2 or later.
2. Alternatively, update the MediaWikiChat extension to a patched version if available separately.
3. Verify the fix by checking that CSRF tokens are required for API requests.
🔧 Temporary Workarounds
Disable MediaWikiChat Extension
Temporarily disable the vulnerable extension until patched
Edit LocalSettings.php and remove or comment out: wfLoadExtension('MediaWikiChat');
Implement CSRF Protection at Web Server Level
Add CSRF token validation via web server configuration or middleware
🧯 If You Can't Patch
- Implement strict SameSite cookie policies and require CSRF tokens for all state-changing requests
- Educate users about phishing risks and implement additional authentication for sensitive actions
🔍 How to Verify
Check if Vulnerable:
Check if MediaWiki version is 1.42.1 or earlier AND MediaWikiChat extension is installed/enabled. Review API endpoints for missing CSRF protections.
Check Version:
Check MediaWiki version via Special:Version page or by examining includes/DefaultSettings.php
Verify Fix Applied:
Verify that API requests now require valid CSRF tokens and test that unauthorized requests are rejected.
📡 Detection & Monitoring
Log Indicators:
- Unusual API requests to MediaWikiChat endpoints with a missing or unexpected Referer header
- Multiple failed API requests indicating CSRF attempts
Network Indicators:
- Requests to MediaWikiChat API endpoints from unexpected referrers or without CSRF tokens
SIEM Query:
source="mediawiki" AND (uri_path="/api.php" AND parameters CONTAINS "MediaWikiChat") AND (referrer NOT IN allowed_domains OR csrf_token="")
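The SIEM query above, expressed as a small log-scanning function; this is an added example, not part of the advisory or of the MediaWikiChat extension. It assumes a combined-format web server access log (with the Referer field) for api.php, matches the extension's modules by the substring "mediawikichat" in the action parameter because the page does not list the real module names, and assumes the CSRF token is visible as a `token` query parameter (MediaWiki's action API token parameter); tokens sent only in a POST body will not appear in the log, so the Referer check is what remains for those requests. The log lines and the allowed host are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (combined format, Referer in the last field).
SAMPLE_LOG = """\
203.0.113.5 - alice [01/Jul/2024:10:00:01 +0000] "POST /api.php?action=mediawikichatsend&token=abc123%2B%5C HTTP/1.1" 200 512 "https://wiki.example.org/wiki/Special:Chat"
198.51.100.9 - bob [01/Jul/2024:10:00:07 +0000] "POST /api.php?action=mediawikichatsend HTTP/1.1" 200 480 "https://evil.example.net/lure.html"
198.51.100.9 - bob [01/Jul/2024:10:00:08 +0000] "GET /api.php?action=query&meta=tokens HTTP/1.1" 200 300 "https://wiki.example.org/wiki/Main_Page"
192.0.2.77 - carol [01/Jul/2024:10:01:00 +0000] "POST /api.php?action=mediawikichatsend&token=zzz HTTP/1.1" 200 512 "-"
"""

# Assumption: the wiki's own host(s); anything else is an unexpected referrer.
ALLOWED_REFERRER_HOSTS = {"wiki.example.org"}

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \d+ "(?P<referer>[^"]*)"'
)


def suspicious_requests(log_text):
    """Return (user, ip, reason) tuples for MediaWikiChat API calls that lack a
    CSRF token parameter or arrive from a referrer outside the allowed hosts."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a recognised access-log line
        url = urlsplit(m["path"])
        if url.path != "/api.php":
            continue
        params = parse_qs(url.query)
        action = params.get("action", [""])[0].lower()
        if "mediawikichat" not in action:
            continue  # assumption: extension modules carry this substring
        reasons = []
        if not params.get("token", [""])[0]:
            reasons.append("missing csrf token")
        referer = m["referer"]
        ref_host = urlsplit(referer).hostname if referer != "-" else None
        if ref_host not in ALLOWED_REFERRER_HOSTS:
            reasons.append(f"unexpected referrer {referer}")
        if reasons:
            findings.append((m["user"], m["ip"], "; ".join(reasons)))
    return findings


if __name__ == "__main__":
    for user, ip, reason in suspicious_requests(SAMPLE_LOG):
        print(f"{user}@{ip}: {reason}")
```

On the constructed log this flags bob's token-less request from an external page and carol's request with no Referer, while alice's tokened, same-origin request and bob's ordinary token fetch pass.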