How to remediate – MediaWiki Status Module Information Disclosure

1. Introduction

The MediaWiki Status Module Information Disclosure vulnerability allows unauthenticated access to API URLs associated with the SiteInfo module in a remote MediaWiki instance. This can expose server component information, web server configuration details and usage data which could aid an attacker planning an attack against the system. Confidentiality of server information is at risk.

2. Technical Explanation

The vulnerability occurs because the SiteInfo API endpoint isn’t adequately restricted. An attacker can query this endpoint to gather potentially sensitive details about the MediaWiki installation and its environment. There are no specific preconditions beyond network access to the MediaWiki instance. The Common Weakness Enumeration (CWE) identifier is 200: Improper Input Validation.

  • Root cause: Insufficient restriction of access to the SiteInfo API endpoint.
  • Exploit mechanism: An attacker sends a standard HTTP request to the SiteInfo API URL and receives detailed server information in response. For example, an attacker could use curl to query the API directly.
  • Scope: All MediaWiki instances with the Status Module enabled are affected.

3. Detection and Assessment

Confirming the vulnerability involves checking access to the SiteInfo API endpoint. A thorough assessment requires reviewing configuration files for restrictions.

  • Quick checks: Use a web browser or curl to access the SiteInfo API URL (typically https://your-mediawiki-instance/api.php?action=siteinfo). If information is returned without authentication, the system is likely vulnerable.
  • Scanning: As an example, Nessus plugin ID 16734 may detect this issue.
  • Logs and evidence: Examine web server access logs for requests to api.php?action=siteinfo from unauthenticated sources.

curl 'https://your-mediawiki-instance/api.php?action=siteinfo'

4. Solution / Remediation Steps

The vulnerability is fixed by restricting access to the SiteInfo API endpoint or disabling the module.

4.1 Preparation

  • No services need to be stopped for this change, but plan a maintenance window if you are modifying core configuration. The rollback plan is to restore the original configuration file.
  • Changes should be reviewed and approved by a senior system administrator.

4.2 Implementation

  1. Edit your MediaWiki LocalSettings.php file.
  2. Add or modify the following line to restrict access by IP address (replace with your allowed IP range): $wgAPIAllowIP = '127.0.0.1/32'; Alternatively, disable the module using: $wgModules['SiteInfo'] = false;
  3. Save the LocalSettings.php file.
  4. Clear MediaWiki’s cache to apply changes (typically via the web interface or command line).

4.3 Config or Code Example

Before

# No restriction on API access

After

$wgAPIAllowIP = '127.0.0.1/32'; # Restrict access to localhost only
# Alternatively, disable the module:
# $wgModules['SiteInfo'] = false;

4.4 Security Practices Relevant to This Vulnerability

Several security practices help prevent this type of issue.

  • Practice 1: Least privilege – limiting access to sensitive APIs reduces the impact if compromised.
  • Practice 2: Secure defaults – configuring restrictive default settings minimizes exposure.

4.5 Automation (Optional)

Automation is not generally suitable for this specific change due to configuration file complexity, but infrastructure-as-code tools can manage the LocalSettings.php file.

# Example Ansible task - use with caution and test thoroughly!
- name: Restrict API access in LocalSettings.php
  lineinfile:
    path: /path/to/mediawiki/LocalSettings.php
    # Match an existing assignment so a changed value replaces the old line
    regexp: '^\$wgAPIAllowIP\s*='
    # Double quotes outside so the PHP single quotes survive YAML parsing
    line: "$wgAPIAllowIP = '127.0.0.1/32';"
    state: present

5. Verification / Validation

Confirm the fix by verifying restricted access to the SiteInfo API endpoint.

  • Post-fix check: Use curl from a non-allowed IP address to access the SiteInfo API URL (https://your-mediawiki-instance/api.php?action=siteinfo). You should receive an error message indicating access is denied.
  • Re-test: Repeat the quick check from section 3. Access should now be blocked or return a different result if the module has been disabled.
  • Monitoring: As an example of regression detection, monitor web server logs for failed requests to api.php?action=siteinfo from unauthorized sources.

curl 'https://your-mediawiki-instance/api.php?action=siteinfo' # Should return an error message if access is restricted.
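
The log review from section 3 and the regression monitoring above can share one check. The following is an added example, not code from the original article or from MediaWiki: it reads access log lines in the combined log format (an assumption about your web server) and counts SiteInfo requests from clients outside an allowed range, split into requests that were served and requests that were denied. It goes beyond the URL the article names by also matching the action=query&meta=siteinfo form of the request. The function names, the allowed range and the sample log lines are constructed for illustration.

```python
import ipaddress
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# Combined log format: client ident user [time] "METHOD target PROTO" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

def is_siteinfo_request(target):
    """True for api.php?action=siteinfo and for action=query&meta=siteinfo."""
    parts = urlsplit(target)
    if not parts.path.lower().endswith("/api.php"):
        return False
    qs = {k.lower(): [v.lower() for v in vs] for k, vs in parse_qs(parts.query).items()}
    actions = qs.get("action", [])
    metas = "|".join(qs.get("meta", [])).split("|")
    return "siteinfo" in actions or ("query" in actions and "siteinfo" in metas)

def audit(lines, allowed_cidrs):
    """Count siteinfo requests from outside allowed_cidrs: 2xx is 'served', else 'denied'."""
    allowed = [ipaddress.ip_network(c) for c in allowed_cidrs]
    report = {"served": defaultdict(int), "denied": defaultdict(int)}
    for line in lines:
        m = LOG_RE.match(line)
        if not m or not is_siteinfo_request(m["target"]):
            continue
        try:
            ip = ipaddress.ip_address(m["ip"])
        except ValueError:
            continue  # a hostname was logged instead of an address
        if any(ip in net for net in allowed):
            continue  # expected client, e.g. a local integration
        bucket = "served" if m["status"].startswith("2") else "denied"
        report[bucket][m["ip"]] += 1
    return {name: dict(counts) for name, counts in report.items()}

# Constructed sample lines using documentation address ranges, not real traffic.
SAMPLE = [
    '203.0.113.7 - - [27/Dec/2025:10:01:02 +0000] "GET /api.php?action=siteinfo HTTP/1.1" 200 5120 "-" "curl/8.5.0"',
    '203.0.113.7 - - [27/Dec/2025:10:01:09 +0000] "GET /w/api.php?action=query&meta=siteinfo%7Cuserinfo&format=json HTTP/1.1" 200 7300 "-" "curl/8.5.0"',
    '198.51.100.20 - - [27/Dec/2025:11:30:00 +0000] "GET /api.php?action=siteinfo HTTP/1.1" 403 312 "-" "Mozilla/5.0"',
    '127.0.0.1 - - [27/Dec/2025:11:31:00 +0000] "GET /api.php?action=siteinfo HTTP/1.1" 200 5120 "-" "monitor"',
    '198.51.100.20 - - [27/Dec/2025:11:32:00 +0000] "GET /index.php?title=Main_Page HTTP/1.1" 200 9000 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    print(audit(SAMPLE, ["127.0.0.1/32"]))
```

Any entry under "served" after the fix means the restriction is not taking effect for that client. Requests sent by POST carry their parameters in the body, so they do not appear in the request line of the access log and this check will not see them.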

6. Preventive Measures and Monitoring

Regular security assessments and configuration reviews can prevent this issue.

  • Baselines: Update your MediaWiki security baseline to include API access restrictions as a standard setting.
  • Pipelines: Include static code analysis (SAST) in your CI pipeline to identify insecure configurations.
  • Asset and patch process: Implement a regular review cycle for configuration changes, including MediaWiki settings.

7. Risks, Side Effects, and Roll Back

Restricting API access may impact legitimate integrations that rely on the SiteInfo endpoint.

  • Risk or side effect 1: Legitimate applications using the API may be disrupted if their IP address is not allowed.
  • Risk or side effect 2: Disabling the module will remove its functionality, potentially impacting users who rely on it.
  • Roll back: Restore the original LocalSettings.php file from your backup. Clear MediaWiki’s cache to revert changes.

Updated on December 27, 2025