CVE CyberSecurity Database News

CVE-2023-45361 - Uncaught MalformedTitleException in MediaWiki’s Vector Skin Leads to Broken Pages

Poster -

MediaWiki is the backbone of Wikipedia and countless other wikis across the world. It’s a big, open-source project, always improving—but sometimes, security issues sneak in. CVE-2023-45361 is one such issue: a bug found in the Vector Skin component within the MediaWiki software, affecting versions before 1.39.5 and 1.40.x before 1.40.1. In simple terms, it lets certain broken web pages appear, because a key error (MalformedTitleException) goes uncaught. Let’s break down what happened, see example code, understand the risk, and talk about fixes.

Where’s the Problem?

The bug sits in VectorComponentUserLinks.php, part of the Vector skin—the default look used by most MediaWiki sites, including Wikipedia. This file handles rendering user links at the top of wiki pages.

One job here is to build links to intro pages (vector-intro-page). But if someone passes a messed-up page title (called a *malformed title*), the code tries to process it, hits a problem, and throws a special error (MalformedTitleException). Here’s the kicker: the code does not catch this error. That means instead of showing a “Page Not Found” or similar friendly message, MediaWiki just stops working at that point and displays a broken page to users.

Here’s a simplified example of the problematic part based on upstream code

// Inside VectorComponentUserLinks.php (before the fix)

$title = Title::newFromText( $vectorIntroPage );

$linkRenderer = MediaWiki\MediaWikiServices::getInstance()
    ->getLinkRenderer();
$link = $linkRenderer->makeLink( $title );

If $vectorIntroPage has a bad value (like [[Bad:Title]]), Title::newFromText() throws a MalformedTitleException. But since there’s no try/catch block, this exception bubbles up and breaks the whole request, leading to an ugly error page or a web server 500 error.

How Can Attackers Exploit This?

This isn’t a classic “hack-in-and-take-over” flaw. Instead, it’s a Denial-of-Service (DoS) vector: anyone able to control or influence the $vectorIntroPage value (such as an administrator misconfiguration or a crafted request) can force site visitors to see broken pages.

For example, a misconfigured site, or a malicious user who can change certain MediaWiki settings (like $wgVectorIntroPage), might set the value to something unusual like:

[[This:Is@not-a-title]]

When the Vector skin tries to render the page, the malformed title triggers the exception, MediaWiki doesn’t handle it, and the user gets a confusing error instead of a normal interface.

Technical Details and Proof-of-Concept

A quick proof-of-concept: as a site admin, edit your LocalSettings.php to set the intro page to a bad title:

$wgVectorIntroPage = "!!!invalid-title%%%";

Visit your wiki. Instead of a normal page, you might see something like

[PHP Fatal error: Uncaught MediaWiki\\Title\\MalformedTitleException ...]

The Fix

The MediaWiki team fixed this by catching the MalformedTitleException in the relevant code. Here’s how it looks with the patch added:

try {
    $title = Title::newFromText( $vectorIntroPage );
} catch ( MalformedTitleException $ex ) {
    // Handle the error gracefully, maybe skip the intro link
    $title = null;
}

With this fix, even if someone sets a bad intro page, the skin *skips* the broken link rather than nuking the entire page.

What Should You Do?

If you’re running MediaWiki under the affected versions (before 1.39.5 or 1.40.x before 1.40.1), upgrade immediately!
If you can’t upgrade right now, check that your $wgVectorIntroPage value is clean and doesn’t contain strange characters.

References

- Official MediaWiki Security Release Notes
- CVE-2023-45361 at NVD
- Upstream Patch Diff

Wrap-up

CVE-2023-45361 is a good example of how small mistakes can have annoying or even risky consequences. It’s not an instant takeover bug, but can break your wiki’s look and feel—and potentially frustrate users or admins. Stay up to date with MediaWiki releases, and catch those exceptions in your PHP code!

Have questions or want to learn more? Check the MediaWiki Security FAQ.

Timeline

Published on: 10/09/2024 06:15:13 UTC
Last modified on: 10/10/2024 12:51:56 UTC