CVE-2017-0371 in MediaWiki

Summary

by MITRE • 02/19/2022

MediaWiki before 1.23.16, 1.24.x through 1.27.x before 1.27.2, and 1.28.x before 1.28.1 allows remote attackers to discover the IP addresses of Wiki visitors via a style="background-image: attr(title url);" attack within a DIV element that has an attacker-controlled URL in the title attribute.

Analysis

by VulDB Data Team • 06/05/2026

This vulnerability exists in MediaWiki versions prior to specific patched releases, creating a significant privacy and information disclosure risk for wiki administrators and their users. The flaw stems from improper handling of CSS style attributes within HTML elements, specifically when processing the title attribute of DIV elements that contain attacker-controlled URLs. This vulnerability enables remote attackers to extract visitor IP addresses through a sophisticated cross-site scripting technique that leverages CSS background-image properties and the attr() CSS function.

This attack relies on the CSS attr() function, which can reference HTML attributes, including the title attribute. When an attacker places a malicious URL within the title attribute of a DIV element and sets the style attribute to background-image: attr(title url), the browser processes this CSS rule and attempts to fetch the referenced URL. This process occurs within the context of the victim's browser session, allowing the attacker to make requests to internal or external resources that would otherwise be protected by network boundaries. The vulnerability is particularly dangerous because it can be triggered through user-generated content, making it difficult to prevent through traditional network security measures.

The operational impact of this vulnerability extends beyond simple IP address disclosure, as it represents a sophisticated method of information leakage that can be used to map network topology, identify internal services, or gather intelligence about user behavior. Attackers can leverage this technique to discover internal IP ranges, map network infrastructure, or even perform reconnaissance against internal systems that may be accessible from the wiki environment. This vulnerability directly violates the principle of least privilege and can be exploited to bypass network segmentation controls that rely on external IP address hiding. The attack vector demonstrates how CSS-based techniques can be used to perform information leakage attacks that are difficult to detect through conventional security monitoring approaches.

Organizations using affected MediaWiki versions should immediately apply the appropriate security patches to mitigate this vulnerability. The remediation process requires updating to MediaWiki 1.23.16, 1.27.2, or 1.28.1 respectively, depending on the current version in use. Additionally, administrators should implement strict input validation for all user-generated content, particularly focusing on CSS attribute handling and HTML element attributes. This vulnerability is classified under CWE-200 as "Information Exposure" and can be categorized under ATT&CK technique T1071.004 for "Application Layer Protocol: DNS" and T1046 for "Network Service Discovery". Security teams should monitor for potential exploitation attempts and consider implementing web application firewalls with specific rules to block CSS attribute manipulation patterns that could lead to similar information disclosure vulnerabilities.
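One way to audit rendered wiki content for the inline-style pattern described above, as an added example that is not MediaWiki's or VulDB's code. The names normalize_css, StyleAudit and audit, the sample markup and the placeholder host are assumptions made for illustration; CSS escapes and comments are normalized before matching so that equivalent spellings of attr() are also reported.

```python
import re
from html.parser import HTMLParser

CSS_ESCAPE = re.compile(r"\\(?:([0-9a-fA-F]{1,6})[ \t\r\n\f]?|(.))", re.S)
CSS_COMMENT = re.compile(r"/\*.*?\*/", re.S)
# attr(<name> url ...) or attr(<name>, url ...): attr() asked to yield a URL.
ATTR_AS_URL = re.compile(r"(?<![\w-])attr\s*\(\s*[^\s,)]+[\s,]+url\b", re.I)


def normalize_css(value):
    """Decode CSS backslash escapes and blank out comments before matching."""
    def decode(m):
        if m.group(1) is None:
            return m.group(2)
        cp = int(m.group(1), 16)
        return chr(cp) if 0 < cp < 0x110000 and not 0xD800 <= cp <= 0xDFFF else "\ufffd"
    return CSS_COMMENT.sub(" ", CSS_ESCAPE.sub(decode, value))


class StyleAudit(HTMLParser):
    """Collect (line, tag, style) for inline styles that use attr() as a URL."""
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name == "style" and value and ATTR_AS_URL.search(normalize_css(value)):
                self.findings.append((self.getpos()[0], tag, value))


def audit(html):
    """Return the findings for one rendered page or revision."""
    parser = StyleAudit()
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed sample content; the host name is a placeholder.
SAMPLE = r'''<p style="color: red">ordinary styling</p>
<div title="https://collector.example.invalid/px" style="background-image: attr(title url);">x</div>
<span style="content: attr(data-label)">attr() without a url type</span>
<div title="https://collector.example.invalid/px" style="background-image: a\74tr(title/**/url)">y</div>
'''

if __name__ == "__main__":
    for line, tag, style in audit(SAMPLE):
        print(f"line {line}: <{tag}> style={style!r}")
```

Findings from such a scan point to revisions to review after upgrading; the scan complements the patched releases and does not replace them.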
