CVE-2021-30153: VisualEditor Extension in MediaWiki Discloses Hidden User Information

A security issue was discovered in the VisualEditor extension in MediaWiki before 1.31.13, and 1.32.x through 1.35.x before 1.35.2. This vulnerability allows the disclosure of an existing hidden user’s existence when using VisualEditor to edit a user page. This bug impacts the security and privacy of hidden users.

Background

MediaWiki is a popular open-source wiki software that powers websites like Wikipedia. The VisualEditor extension for MediaWiki provides users with the ability to edit wiki pages using a graphical, user-friendly interface. In some cases, MediaWiki administrators may choose to hide certain user accounts to protect users' privacy or to prevent abuse. The vulnerability, however, allows the existence of hidden users to be disclosed when editing a user page with VisualEditor.

The vulnerability can be observed in the code of the ApiVisualEditor

public function execute() {
    //...
    $user = User::newFromName( $title->getText() );
    if ( $user && $user->getId() &&
        ( !$user->isHidden() || !$this->getUser()->isAllowed( 'hideuser' ) ) ) {
            $result->addValue( null, 'userid', $user->getId() );
    }
}

In this code snippet, the execute function checks whether a user is hidden or not. If the user is not hidden, the code adds the user's ID to the result object. However, if the user is hidden, the code still adds the user's ID to the result object if the current user is not allowed to hide users.

Exploit Details

The vulnerability can be exploited by any user with the ability to edit a wiki page using VisualEditor. To reproduce the issue:

Click on the "Edit" button to open VisualEditor.

4. Observe that the user page loads as if the hidden user exists, even though the user should remain hidden.

Mitigation

Administrators of MediaWiki websites should update their installations to MediaWiki 1.31.13 or 1.35.2 or later versions in order to protect against this vulnerability.

Original References

- CVE (Common Vulnerabilities and Exposures) details: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-30153
- VisualEditor extension for MediaWiki: https://www.mediawiki.org/wiki/Extension:VisualEditor
- Affected Releases: https://www.mediawiki.org/wiki/Version_lifecycle
- Solution / Patch: https://phabricator.wikimedia.org/T270062

Conclusion

CVE-2021-30153 is a security issue in the VisualEditor extension of MediaWiki that discloses the existence of hidden users. It is essential for administrators to upgrade their MediaWiki installations to 1.31.13 or 1.35.2 or later versions to safeguard their users' privacy and prevent possible abuse.

Timeline

Published on: 04/15/2023 20:16:00 UTC
Last modified on: 04/25/2023 18:12:00 UTC