Wikimedia MediaWiki GlobalBlocking Extension Sensitive Data Exposure Vulnerability

Vulnerability

A vulnerability in the GlobalBlocking extension for Wikimedia's MediaWiki allows unauthorized retrieval of sensitive data. The issue affects the master branch of the extension. When a global block is applied to a user account, the autoblock created alongside it can be exposed through the 'globalblocks' API, revealing the IP address associated with the blocked account. The vulnerability was present in a beta environment but not in any production release.

Impact

Exploitation of this vulnerability could lead to unauthorized access to sensitive information, specifically the IP addresses of users under a global block, which could be misused to infer editing behavior or other privacy-related details.

Reproduction

To reproduce this vulnerability, log into a wiki that has the GlobalBlocking and CheckUser extensions enabled. After ensuring that your IP address has been recorded by CheckUser, have an admin create a global block for the user account. Querying the 'globalblocks' API with the username and the IP address then returns both the global block and the corresponding autoblock, exposing the sensitive data.

Remediation

Wiki operators can update to the patched version of the GlobalBlocking extension, which is available from the Wikimedia Gerrit repository.
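The leak pattern from the Reproduction section and the kind of filtering a fix needs, as an added example that is not code from the GlobalBlocking extension or from its actual patch. The row fields, the 'viewautoblockip' right, the response layout and the sample rows are constructed assumptions; only the behaviour (an autoblock entry carrying the blocked account's IP alongside the account block) is taken from the advisory. The first serializer models the vulnerable output, the second a hardened variant that redacts autoblock targets for viewers without the assumed right, and the last function is a check an operator can run over an API response to confirm nothing leaks.

```python
"""Illustrative model of the 'globalblocks' API output described in the advisory.

Added example: not the extension's own code. Field names, the permission
name 'viewautoblockip' and the sample rows are constructed for illustration.
"""
from __future__ import annotations

import ipaddress

# Constructed sample rows, shaped like a block list stored in a database.
# 'parent_id' links an autoblock to the account block that spawned it.
SAMPLE_ROWS = [
    {"id": 101, "target": "ExampleUser", "by": "AdminA",
     "expiry": "infinity", "reason": "abuse", "parent_id": None},
    {"id": 102, "target": "203.0.113.45", "by": "AdminA",
     "expiry": "2025-09-02T00:00:00Z",
     "reason": "Autoblocked because this IP was recently used by ExampleUser",
     "parent_id": 101},
]


def is_ip(target: str) -> bool:
    """True when the block target is a literal IPv4/IPv6 address."""
    try:
        ipaddress.ip_address(target)
        return True
    except ValueError:
        return False


def serialize_vulnerable(rows, viewer_rights):
    """Behaviour the advisory describes: every matching row is emitted verbatim,
    so the autoblock row discloses the IP behind the account block regardless
    of who is asking (viewer_rights is ignored on purpose)."""
    return [dict(row) for row in rows]


def serialize_hardened(rows, viewer_rights):
    """Hardened variant (assumption, not the project's patch): an autoblock row
    (one with a parent block) reveals its IP only to viewers holding the assumed
    'viewautoblockip' right; everyone else sees the target replaced by a
    '#<parent id>' reference, the convention MediaWiki uses when listing autoblocks."""
    out = []
    for row in rows:
        entry = dict(row)
        if row["parent_id"] is not None and "viewautoblockip" not in viewer_rights:
            entry["target"] = f"#{row['parent_id']}"
        out.append(entry)
    return out


def leaked_autoblock_ips(response):
    """Defensive check over an API response: return the IPs of any autoblock
    entries (parent_id set) whose target is still a literal address."""
    return [e["target"] for e in response
            if e.get("parent_id") is not None and is_ip(e["target"])]


if __name__ == "__main__":
    anonymous = set()
    print("vulnerable:", leaked_autoblock_ips(serialize_vulnerable(SAMPLE_ROWS, anonymous)))
    print("hardened:  ", leaked_autoblock_ips(serialize_hardened(SAMPLE_ROWS, anonymous)))
```

Run as a script it reports the leaked address for the vulnerable serializer and an empty list for the hardened one; pointing `leaked_autoblock_ips` at a real response requires mapping the actual field names, which are not shown on this page.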

Added: Sep 1, 2025, 7:22 PM
Updated: Sep 1, 2025, 7:22 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 2.5
exploitability: 6.1
remediation: 0.0
relevance: 0.0
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.