Machevalia


Access Control Violation - Wiki Page Creation

Authenticated Users Authorized to Create Wiki Pages

Since I am starting this a bit behind the curve, I have a backlog of 5-6 write-ups at this point that I will be catching up on. Below is the first vulnerability of 2022, submitted on 1/14/22.

The target in this case was using a popular open-source wiki tool, MediaWiki (https://www.mediawiki.org/wiki/MediaWiki). You know, the one used by Wikipedia?

Anonymous users on the internet, good folks like you and me, could register for accounts on the site without any additional authorization. I get that this is the spirit of MediaWiki: crowdsourcing a brain trust to build a wiki. However, in this case I don't think that was the intention of this organization. They just wanted a repository for their data, so the anonymous registration is a definite issue, but they ultimately haven't seen it that way, yet.

As per my usual process on well-known technology stacks, I started skimming through CVEs for MediaWiki on https://cve.mitre.org/cve/. I found that there were a large number of vulnerabilities, although there were few PoCs for any of them. One of the vulnerabilities I found was related to an arbitrary file read through the application's API. I attempted that exploit and landed on a page that was not found. What was weird about this error page is that it said, "There is currently no text in this page. You can search for this page title in other pages, search the related logs, or create this page."

Example of this error and "create this page" option on MediaWiki's site.

I found this to be a major problem for an organization with a reputation to uphold. Luckily the target organization did too. As I mentioned above, this wouldn't be as big of a problem for an organization like MediaWiki or Wikipedia, but for a private organization that didn't intend to let EVERYONE contribute, it's a problem.

I reported this issue as an Access Control Violation because this level of content creation on an organization website should be gated behind some sort of authorization access control. Unfortunately, there isn't much in the way of authorizations for users in MediaWiki. I explained to the organization that MediaWiki even states this on their page and recommends that organizations with more fine-grained control requirements use a different Content Management System (CMS).
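An added example (not from the original write-up or from the MediaWiki project): a small Python audit a wiki owner can run over the user-group rights their own wiki publishes through the siteinfo API, flagging the chain described above, open self-registration plus page creation for every logged-in account. The JSON samples are constructed, the `editor` group is hypothetical, and the finding labels are made up for this example.

```python
import json

# Constructed sample shaped like the reply to
# api.php?action=query&meta=siteinfo&siprop=usergroups&format=json
OPEN_WIKI = json.loads("""
{"query": {"usergroups": [
  {"name": "*",    "rights": ["createaccount", "read"]},
  {"name": "user", "rights": ["read", "edit", "createpage", "createtalk"]}
]}}
""")

# Constructed: the same wiki after tightening rights; "editor" is a hypothetical group.
LOCKED_WIKI = json.loads("""
{"query": {"usergroups": [
  {"name": "*",      "rights": ["read"]},
  {"name": "user",   "rights": ["read"]},
  {"name": "editor", "rights": ["edit", "createpage"]}
]}}
""")

# Creating a page needs both of these rights.
CREATE = {"edit", "createpage"}


def rights_by_group(siteinfo):
    """Map group name -> set of rights from a siteinfo usergroups reply."""
    return {g["name"]: set(g.get("rights", []))
            for g in siteinfo["query"]["usergroups"]}


def audit(siteinfo):
    """Return findings for rights reachable without an administrator's approval."""
    groups = rights_by_group(siteinfo)
    anon = groups.get("*", set())
    # Every logged-in account holds the rights of '*' plus those of 'user'.
    new_account = anon | groups.get("user", set())
    findings = []
    if CREATE <= anon:
        findings.append("anonymous-can-create-pages")
    if "createaccount" in anon:
        findings.append("open-self-registration")
        if CREATE <= new_account:
            findings.append("self-registered-can-create-pages")
    return findings


if __name__ == "__main__":
    for label, data in (("open", OPEN_WIKI), ("locked", LOCKED_WIKI)):
        print(label, audit(data))
```

The rights it checks are the ones set through `$wgGroupPermissions` in LocalSettings.php, for example `$wgGroupPermissions['*']['createaccount'] = false;` to close self-registration.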

This was my first submission and vuln of 2022, with a CVSS score of 6.5/10. I was awarded $522.50 for this vuln. Lesson learned here: pay attention to subtle differences in error messages. It could have been easy as a security researcher to see that the page didn't exist and move on without seeing the "create this page" option.