CVE CyberSecurity Database News

CVE-2022-41766 - Username Disclosure via Rollback in MediaWiki (Explained with Example and Exploit Details)

Poster -

CVE-2022-41766 is a privacy vulnerability found in MediaWiki, the popular open-source wiki platform that powers sites like Wikipedia and many others. This security issue is present in all versions of MediaWiki before 1.35.8, 1.37.x before 1.37.5, and 1.38.x before 1.38.3. The problem is connected to the action=rollback feature. When someone tries to revert a page and that revert can't be performed (like if it's already reverted), MediaWiki shows a message (alreadyrolled)—and that message can reveal the username of a deleted or suppressed revision. This is a privacy leak since even admins shouldn't see usernames of suppressed accounts.

If you run a wiki with sensitive or private information, you need to patch immediately! Let’s break down what happened, how it works, and how to fix it—using simple language and code examples.

What Is action=rollback in MediaWiki?

When you manage a wiki, you want to be able to undo spam and vandalism quickly. The rollback feature lets authorized users revert all edits made by the last editor on a page, with the click of a button. Usually, there’s no privacy concern, except when usernames of deleted/suppressed users show up.

Here is what a typical rollback URL looks like

https://your-wiki.org/index.php?title=PageName&action=rollback&from=VandalUserName&token=...

The Vulnerability: How Username Disclosure Happens

- MediaWiki has a system for "revision delete" or "suppression", designed to hide damaging, legally sensitive, or private info, including the usernames of editors.
- When rolling back is attempted after the target has been deleted/suppressed, MediaWiki checks if rollback is possible. If not, it shows an alreadyrolled message, which may include the real username of the (now hidden) editor.

Another admin tries to rollback to before BadGuy's edits.

4. The rollback fails—*but the error message still shows “already rolled back by BadGuy”, even though their name is meant to be private!*

Code Snippet: Understanding the Problem

The key code responsible is in MediaWiki’s core in the RollbackPage.php logic, which manages the rollback action and the message output.

Here is a simplified version of what the problematic logic looks like in PHP (not the exact lines, but a representation for clarity):

// This is pseudo-code to show the logic
$user = $revision->getUserText(); // May be a suppressed user!

if ($alreadyRolledBack) {
    // Vulnerable: leaks user name even if revision is suppressed
    $output->addWikiMsg(
        'alreadyrolled',
        $targetPage->getPrefixedText(),
        $user // <-- Unintended info leak!
    );
}

What should happen: if the user is suppressed, this message should *not* display their name.

Exploit Details: How Attackers Could Abuse This

Who can exploit: Any user who can use rollback or views rollback messages (often admins, but sometimes broader).

Attack vector

- The attacker (or any curious user) triggers a rollback on a page with previously deleted/suppressed revisions.
- When the error shows, the “alreadyrolled” message discloses the username included in a removed revision.
- This may leak usernames of sockpuppet/vandal accounts, editors under suppression, or names ordered legally hidden.

Here’s how a script could harvest names

import requests

url = 'https://your-wiki.org/index.php?title=SensitivePage&action=rollback&from=SomeoneSuppressed&token=...';

# Supply a valid CSRF token and session cookies if needed
r = requests.get(url, cookies={'...': '...'})
if 'already rolled back by' in r.text:
    print('LEAK:', r.text)

*Note: This is for demonstration; don’t use it maliciously!*

1.38.3 and later

Upgrade as soon as possible!  
If you cannot upgrade, you can patch the template/code to avoid showing usernames in the alreadyrolled message. For custom code, always use the function:

$user = $revision->getUserText( RevisionRecord::FOR_THIS_USER, $currentUser );

Update MediaWiki to a safe version (>=1.35.8, >=1.37.5, >=1.38.3).

2. Audit suppressed/deleted revisions for accidental info exposure.

Follow the security mailing lists for updates:

https://lists.wikimedia.org/postorius/lists/mediawiki-announce.lists.wikimedia.org/

References (Original & Further Reading)

- Security announcement from MediaWiki
- MediaWiki Security Advisories
- Phabricator ticket - Full technical discussion
- CVE list - NIST/NVD record

Final thoughts

Highly sensitive wikis (corporate, educational, or community) must stay on top of privacy bugs. Even minor leaks can have big impacts. Always keep your MediaWiki up to date and watch for any messages that might leak more details than intended.

*Be safe, update soon, and review your privacy assumptions!*

Timeline

Published on: 05/29/2023 21:15:00 UTC
Last modified on: 06/05/2023 14:24:00 UTC