CVE-2013-4302 in MediaWiki
Summary
by MITRE
(1) ApiBlock.php, (2) ApiCreateAccount.php, (3) ApiLogin.php, (4) ApiMain.php, (5) ApiQueryDeletedrevs.php, (6) ApiTokens.php, and (7) ApiUnblock.php in includes/api/ in MediaWiki 1.19.x before 1.19.8, 1.20.x before 1.20.7, and 1.21.x before 1.21.2 allow remote attackers to obtain CSRF tokens and bypass the cross-site request forgery (CSRF) protection mechanism via a JSONP request to wiki/api.php.
Analysis
by VulDB Data Team • 05/24/2021
The flaw is in MediaWiki's web API (api.php) on the 1.19, 1.20 and 1.21 branches before the patched releases named in the summary. The API could serve its JSON output as JSONP: with format=json and a callback parameter, the response was wrapped in a call to the named function and delivered as JavaScript. A response in that form can be loaded with a script tag from any origin, and the browser attaches the victim's wiki session cookies to that load, so whatever the response contained became readable by the embedding page. The seven files named in the summary are the API modules that place CSRF tokens (MediaWiki's edit tokens) in their responses, namely action=tokens, the login and account-creation steps, the block and unblock modules and the undelete token returned by list=deletedrevs, plus ApiMain.php, which dispatches requests and is where the fix is applied. Tokens that were meant to be readable only from pages on the wiki's own origin were therefore exposed to any site the victim visited while logged in.
Exploitation needs nothing more than a page under the attacker's control. The page embeds a script tag whose src points at wiki/api.php with a token-issuing action and a callback parameter, for example action=tokens&type=edit&format=json&callback=f. When a logged-in wiki user visits the page, the browser fetches that URL with the user's cookies, executes the returned JavaScript, and hands the token object to the attacker's function f. With the token in hand, the same page can submit a forged request (typically an auto-submitted cross-site POST form) that passes MediaWiki's token check, so the action is executed with the victim's rights. The weakness is not in token generation or validation, both of which work as designed; it is that authenticated responses containing tokens were served in an executable cross-origin format, which defeats the same-origin assumption the tokens rely on.
The impact is that of a complete CSRF bypass: actions are performed in the victim's name and with the victim's rights, without the victim's knowledge. For the modules named, that means driving the login and account-creation flows, blocking or unblocking users, and restoring deleted revisions with the undelete token issued through ApiQueryDeletedrevs.php. The attacker needs no account or privileges on the wiki; what is needed is a logged-in victim who visits an attacker-controlled page, and the more privileged that victim is, the more damage the forged request can do, which makes wikis with many administrators the most exposed. Every installation on the affected branches is exposed regardless of configuration, because the callback parameter was accepted by api.php by default.
Upgrade to MediaWiki 1.19.8, 1.20.7 or 1.21.2 (or later). The fix treats any API request that carries a callback parameter as coming from an anonymous user: token-issuing modules then refuse to hand out a token, and JSONP output no longer reflects the visitor's session. Current MediaWiki still carries this rule as ApiMain::lacksSameOriginSecurity(), which token and write modules consult before acting. Where an upgrade cannot be applied at once, rejecting api.php requests that combine callback= with action=tokens, intoken=, drprop=token, action=login or action=createaccount at the web server or reverse proxy removes the token-leaking cases. For monitoring, look for exactly those combinations in the access log, particularly with a Referer outside the wiki's own host; after patching they are harmless, but they still show that someone is probing. The correct classification is CWE-352 (Cross-Site Request Forgery). VulDB maps this to ATT&CK privilege-escalation and credential-access techniques; note that the attacker gains no rights beyond the victim's own, the stolen token simply lets the attacker's forged request act as the victim.
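The monitoring rule above as an added example rather than anything from the page or from MediaWiki: scan() reads constructed combined-format access-log lines, flags api.php requests that pair a callback parameter with a token-issuing action or parameter, and adds a note when the Referer is off-site. The log lines, hosts and addresses are made up; the parameter names are the real ones from the affected modules.

```javascript
'use strict';

// Constructed combined-format access-log lines (hosts and addresses are made up):
// 0: JSONP token request from a third-party page (the CVE-2013-4302 pattern)
// 1: same-origin JSON token fetch by a normal client
// 2: JSONP read of public data from another site (a legitimate use of callback)
// 3: JSONP request for the undelete token, again from a third-party page
// 4: ordinary page view
const SAMPLE_LOG = [
  '203.0.113.5 - - [10/Sep/2013:14:02:11 +0000] "GET /w/api.php?action=tokens&type=edit%7Cblock&format=json&callback=steal HTTP/1.1" 200 512 "http://evil.example/lure.html" "Mozilla/5.0"',
  '198.51.100.7 - - [10/Sep/2013:14:02:30 +0000] "GET /w/api.php?action=query&prop=info&intoken=edit&titles=Main_Page&format=json HTTP/1.1" 200 640 "https://wiki.example/wiki/Main_Page" "Mozilla/5.0"',
  '198.51.100.9 - - [10/Sep/2013:14:03:02 +0000] "GET /w/api.php?action=query&list=recentchanges&format=json&callback=rc HTTP/1.1" 200 8192 "http://blog.example/widget" "Mozilla/5.0"',
  '203.0.113.5 - - [10/Sep/2013:14:03:40 +0000] "GET /w/api.php?action=query&list=deletedrevs&drprop=token&format=json&callback=cb HTTP/1.1" 200 300 "http://evil.example/lure.html" "Mozilla/5.0"',
  '198.51.100.7 - - [10/Sep/2013:14:04:00 +0000] "GET /wiki/Special:RecentChanges HTTP/1.1" 200 20480 "-" "Mozilla/5.0"',
];

const LOG_RE = /^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+ "([^"]*)" "([^"]*)"$/;

// Actions whose responses carried a CSRF token in the affected versions; the
// block/unblock tokens come via intoken= and the undelete token via drprop=token.
const TOKEN_ACTIONS = new Set(['tokens', 'login', 'createaccount']);

// Parse one combined-format line; null if the line does not match.
function parseLine(line) {
  const m = LOG_RE.exec(line);
  if (!m) return null;
  const [, ip, ts, method, target, status, referer, ua] = m;
  const url = new URL(target, 'http://placeholder.invalid'); // base only so a bare path parses
  return { ip, ts, method, path: url.pathname, params: url.searchParams,
           status: Number(status), referer, ua };
}

// Reasons a parsed request looks like a token-theft attempt; empty if it does not.
function classify(req, wikiHost) {
  if (!req || !req.path.endsWith('/api.php')) return [];
  const p = req.params;
  if (!p.has('callback')) return [];          // only JSONP output is readable cross-site
  const action = p.get('action') || '';
  const wantsToken = TOKEN_ACTIONS.has(action) || p.has('intoken')
    || (p.get('drprop') || '').split('|').includes('token');
  if (!wantsToken) return [];                 // JSONP for public data is not this bug
  const reasons = [`jsonp token request (action=${action})`];
  if (req.referer !== '-') {
    try {
      const host = new URL(req.referer).host;
      if (host !== wikiHost) reasons.push(`referer off-site (${host})`);
    } catch (e) { reasons.push('unparseable referer'); }
  }
  return reasons;
}

// Scan a list of lines; returns one finding per suspicious request.
function scan(lines, wikiHost) {
  const findings = [];
  lines.forEach((line, i) => {
    const req = parseLine(line);
    const reasons = classify(req, wikiHost);
    if (reasons.length) findings.push({ line: i, ip: req.ip, reasons });
  });
  return findings;
}

for (const f of scan(SAMPLE_LOG, 'wiki.example')) console.log(f.line, f.ip, f.reasons.join('; '));
```

Lines 1 and 2 are deliberately left alone: a same-origin token fetch is normal API use, and a JSONP read of public data is what the callback parameter exists for. Only the combination of callback with a token-issuing request matches the bug, and the off-site Referer is corroboration rather than a requirement, since the attacker's page may suppress it.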