CVE-2023-45361: Uncaught MalformedTitleException in MediaWiki's Vector Skin Component Leads to Incorrect Web Pages

An issue was discovered in the VectorComponentUserLinks.php file of the Vector skin component in MediaWiki before 1.39.5 and 1.40.x before 1.40.1 with the identifier CVE-2023-45361. When handling the vector-intro-page MalformedTitleException, the exception is not caught if it's not a valid title, causing incorrect web pages to be displayed.

Background

MediaWiki is a popular open-source wiki platform that powers websites like Wikipedia, Wikibooks, and Wikinews. As a highly customizable platform, it allows users to create and edit content collaboratively. The Vector skin is a responsive web design theme, favored for its modern aesthetics and user-friendly interface, which comes pre-installed in MediaWiki.

Details

In the file VectorComponentUserLinks.php of the Vector skin component, there is a flaw in the logic that causes MalformedTitleException to be uncaught when an invalid title is encountered. This can lead to the wrong content being displayed on web pages, potentially confusing or misleading users.

The code snippet below illustrates the issue in the VectorComponentUserLinks.php file, where the uncaught exception occurs during the execution:

public function __construct(
  Config $config,
  LinkRenderer $linkRenderer,
  User $user,
  TitleValue $titleValue,
  NamespaceInfo $namespaceInfo
) {
  ...
  try {
    $introTitle = Title::makeTitleSafe(8, $config->get('vector-intro-page'));
    ...
  } catch (MalformedTitleException $e) {
    // The exception is not caught properly for invalid titles.
  }
  ...
}

As you can see, although a try block is in place, the catch block is empty, which means that the MalformedTitleException is not dealt with when a malformed title is encountered. The web page would go on to display inaccurate information, compromising the trustworthiness and reliability of the MediaWiki platform.

Links to original references

- CVE-2023-45361: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-45361
- MediaWiki Releases: https://www.mediawiki.org/wiki/MediaWiki_1.40#MediaWiki_1.40.1
- MediaWiki: https://www.mediawiki.org/
- Vector Skin: https://www.mediawiki.org/wiki/Skin:Vector

Exploit Details

To exploit this vulnerability, a malicious user would need to inject incorrect titles into the VectorComponentUserLinks.php file, which would return the wrong content and negatively impact the user experience.

However, there isn't a known exploit for this vulnerability at present, and it's worth mentioning that serious damage is less likely since the malformed titles would have to originate within the website's configuration. Website administrators should still take the necessary precautions to mitigate any potential risk.

Solution

To fix this issue, MediaWiki has released updates in version 1.39.5 and version 1.40.1. Website administrators are advised to upgrade their MediaWiki installations to these versions as soon as possible in order to prevent incorrect content from being displayed on their web pages.

The patch for this issue involves handling the MalformedTitleException properly within the catch block. This ensures that invalid titles are not displayed and the correct content is shown on the web pages.

Timeline

Published on: 10/09/2024 06:15:13 UTC
Last modified on: 10/10/2024 12:51:56 UTC