This results in an infinite loop, because the parser will try to parse the message again. If a user with the editinterface permission edits a page, and that page is linked to via interwiki, the parser will try to parse the message for the mainpage, leading to an infinite loop.
Unfortunately, these issues cannot be completely fixed. The only fix is to not allow anonymous users to add links to other wikis, as these issues can still be triggered. All 1.36.x versions and MediaWiki before 1.36.4 are vulnerable. All 1.37.x versions and MediaWiki before 1.37.2 are vulnerable. All 1.x versions and MediaWiki before 1.34.9 are vulnerable. All users running any version prior to v1.36.4 are vulnerable. All users running 1.x versions and MediaWiki before 1.34.9 are vulnerable. All 1.x versions and MediaWiki before 1.32.5 are vulnerable. All users running any version prior to v1.36.4 are vulnerable. All 1.x versions and MediaWiki before 1.32.5 are vulnerable. All users running any version prior to v1.36.4 are vulnerable. All 1.x versions and MediaWiki before 1.32.5 are vulnerable. All users running any version prior to v1.36.4 are vulnerable. -
How do I fix it?
The only fix is to not allow anonymous users to add links to other wikis.
What to do if you are affected?
If this vulnerability affects you, please update your MediaWiki software to the latest version. For 1.x versions and MediaWiki before 1.32.5, you need to upgrade to the newest version of MediaWiki which is 1.36 or later.
How to fix the vulnerability
This vulnerability can be fixed by updating to the latest release versions of MediaWiki: v1.36.4 and MediaWiki 1.37.2, or by upgrading to MediaWiki 1.38 or newer.
The vulnerability is fixed in the current release versions of MediaWiki: v1.36.x, 1.37.x, and 1.38-rc1 (the next version of MediaWiki)
References:
* https://www.mediawiki.org/wiki/Manual:Interwiki
* https://www.mediawiki.org/wiki/Help:Interwiki
1) This is a vulnerability on the MediaWiki core code and cannot be fixed. 2) All 1.36.x versions and MediaWiki before 1.36.4 are vulnerable, all 1.37.x versions and MediaWiki before 1.37.2 are vulnerable, all 1.x versions and MediaWiki before 1.34.9 are vulnerable, all users running any version prior to v1.36.4 are vulnerable, all users running any version prior to v1.36.4 are vulnerable, all users running any version prior to v1.36..4 are vulnerable, all users running any version prior to v1.32..5 are vulnerable, etc., etc., etc., etc., etc., etc., etc...
Timeline
Published on: 09/19/2022 21:15:00 UTC
Last modified on: 09/22/2022 17:15:00 UTC