CVE-2024-40603
📋 TL;DR
This CSRF vulnerability in the ArticleRatings MediaWiki extension allows attackers to manipulate article rating data without user consent. Attackers can craft malicious links or web pages that, when visited by authenticated users, automatically submit rating changes. All MediaWiki installations using the ArticleRatings extension through version 1.42.1 are affected.
💻 Affected Systems
- MediaWiki ArticleRatings extension
📦 What is this software?
MediaWiki by MediaWiki
⚠️ Risk & Real-World Impact
Worst Case
Attackers could systematically manipulate article ratings across the wiki, undermining content credibility and user trust in the rating system.
Likely Case
Targeted manipulation of specific article ratings through phishing or malicious links, potentially influencing user perceptions of content quality.
If Mitigated
With proper CSRF protections and user awareness, impact is limited to isolated incidents that can be detected and reverted.
🎯 Exploit Status
Exploitation requires authenticated user sessions. CSRF attacks are well-understood and easy to implement.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: ArticleRatings extension update (check MediaWiki extension repository)
Vendor Advisory: https://phabricator.wikimedia.org/T363884
Restart Required: No
Instructions:
1. Update the ArticleRatings extension to the patched version.
2. Clear the MediaWiki cache.
3. Verify that the Special:ChangeRating endpoint now requires POST requests with CSRF tokens.
🔧 Temporary Workarounds
Disable ArticleRatings extension
Temporarily disable the vulnerable extension until it is patched
Edit LocalSettings.php and remove or comment out: wfLoadExtension('ArticleRatings');
Implement CSRF protection middleware
Add custom CSRF validation for the Special:ChangeRating endpoint
Implement a custom MediaWiki hook that validates CSRF tokens for rating changes
🧯 If You Can't Patch
- Implement web application firewall rules to block GET requests to Special:ChangeRating
- Monitor and alert on rating changes from unexpected sources or patterns
🔍 How to Verify
Check if Vulnerable:
Check if ArticleRatings extension is enabled and version is 1.42.1 or earlier. Test if Special:ChangeRating accepts GET requests without CSRF tokens.
Check Version:
Check MediaWiki's Special:Version page or extension configuration files
Verify Fix Applied:
Verify Special:ChangeRating now requires POST requests with valid CSRF tokens. Test that GET requests to this endpoint are rejected.
📡 Detection & Monitoring
Log Indicators:
- GET requests to Special:ChangeRating endpoint
- Rapid rating changes from single IPs or users
- Rating changes without corresponding page views
Network Indicators:
- External domains making requests to Special:ChangeRating
- Suspicious referrer headers in rating change requests
SIEM Query:
source="mediawiki.log" AND http_method="GET" AND (uri_path="*Special:ChangeRating*" OR uri_query="*title=Special:ChangeRating*")
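As an added example (not part of this advisory), a Python script that applies the log and network indicators above to web-server access logs in Apache combined format, covering both URL forms MediaWiki serves for the special page; the sample log lines, the wiki hostname and the burst threshold are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import urlparse

# Constructed sample access-log lines (Apache "combined" format), not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - alice [10/Jul/2024:12:00:01 +0000] "GET /wiki/Special:ChangeRating?page=Foo&rating=5 HTTP/1.1" 302 0 "http://lure.example/page" "Mozilla/5.0"
203.0.113.7 - alice [10/Jul/2024:12:00:02 +0000] "GET /w/index.php?title=Special:ChangeRating&page=Bar&rating=1 HTTP/1.1" 302 0 "http://lure.example/page" "Mozilla/5.0"
198.51.100.4 - bob [10/Jul/2024:12:05:00 +0000] "POST /wiki/Special:ChangeRating HTTP/1.1" 302 0 "https://wiki.example.org/wiki/Foo" "Mozilla/5.0"
198.51.100.4 - bob [10/Jul/2024:12:05:10 +0000] "GET /wiki/Foo HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
# Both URL forms: /wiki/Special:ChangeRating and index.php?title=Special:ChangeRating
RATING_RE = re.compile(r'(?:/Special:ChangeRating\b|[?&]title=Special:ChangeRating\b)')


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def find_indicators(log_text, wiki_host="wiki.example.org", burst_n=2, window_s=60):
    """Return (kind, ip, user, detail) tuples for the advisory's log/network indicators."""
    findings, by_ip = [], defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not RATING_RE.search(rec["target"]):
            continue
        if rec["method"] == "GET":  # rating change via GET: the CSRF-prone form
            findings.append(("get_rating_change", rec["ip"], rec["user"], rec["target"]))
        ref = rec["referer"]
        if ref not in ("-", "") and urlparse(ref).hostname != wiki_host:
            findings.append(("external_referer", rec["ip"], rec["user"], ref))
        by_ip[rec["ip"]].append(rec["ts"])
    for ip, times in by_ip.items():  # burst_n rating changes within window_s seconds
        times.sort()
        if any((times[i + burst_n - 1] - times[i]).total_seconds() <= window_s
               for i in range(len(times) - burst_n + 1)):
            findings.append(("rapid_changes", ip, None, f"{burst_n} in {window_s}s"))
    return findings
```

The POST from the wiki's own referer is deliberately not flagged, so the output isolates the GET-based, externally referred and bursty requests the indicators describe.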