Wikimedia Foundation MediaWiki
cpe:2.3:a:mediawiki:mediawiki:*:*:*:*:*:*:*
- < 1.39.12
- < 1.42.6
- < 1.43.1
A vulnerability exists in Wikimedia Foundation MediaWiki versions prior to 1.39.12, 1.42.6, and 1.43.1, allowing users to bypass file reupload restrictions. The issue arises in the file revert action, where the system incorrectly attributes the latest file version to the user who performed the revert. This misattribution enables users with only 'reupload-own' rights to reupload files they did not originally upload, effectively circumventing the intended permission controls.
Exploitation of this vulnerability allows users to bypass file reupload restrictions, potentially leading to unauthorized overwriting of files.
To reproduce this vulnerability, a user must have 'upload' and 'reupload-own' rights, but not the 'reupload' right. After uploading a file, the user can revert it to an earlier version. This action will update the file's attribution, making the user appear as the uploader of the latest version. Once the file has been reverted, the user can then reupload it, despite lacking the necessary permissions to do so originally.
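The following is an added illustration, not MediaWiki's own code: a small Python model of the permission logic the advisory describes, with the revert action in its vulnerable form (gated only by 'upload', and attributing the restored version to the reverting user) next to a hardened form that gates the revert by the same overwrite check as a normal reupload. The hardened variant is one defensive approach and is an assumption, not necessarily the upstream patch; the user names, rights sets and file contents are constructed for the scenario.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Set


class PermissionDenied(Exception):
    """Raised when an action is attempted without the required right."""


@dataclass
class FileVersion:
    """One entry in a file's upload history (hypothetical model, not MediaWiki's schema)."""
    uploader: str
    content: bytes


@dataclass
class FileHistory:
    """Oldest version first; the last element is the version currently served."""
    versions: List[FileVersion] = field(default_factory=list)

    @property
    def latest(self) -> FileVersion:
        return self.versions[-1]


def can_overwrite(user: str, rights: Set[str], history: FileHistory) -> bool:
    """Model of the reupload check: 'reupload' may overwrite any file,
    'reupload-own' only a file whose latest version was uploaded by this user."""
    if "reupload" in rights:
        return True
    if "reupload-own" in rights:
        return history.latest.uploader == user
    return False


def create_file(user: str, rights: Set[str], content: bytes) -> FileHistory:
    """Uploading a brand-new file only needs the 'upload' right."""
    if "upload" not in rights:
        raise PermissionDenied(f"{user} lacks 'upload'")
    return FileHistory([FileVersion(user, content)])


def upload_new_version(user: str, rights: Set[str], history: FileHistory, content: bytes) -> None:
    """Overwriting an existing file is gated by the reupload check."""
    if not can_overwrite(user, rights, history):
        raise PermissionDenied(f"{user} may not overwrite this file")
    history.versions.append(FileVersion(user, content))


def revert_vulnerable(user: str, rights: Set[str], history: FileHistory, index: int) -> None:
    """Behaviour described in the advisory: the revert only requires 'upload',
    and the restored version is recorded as uploaded by the reverting user,
    which later satisfies the 'reupload-own' check."""
    if "upload" not in rights:
        raise PermissionDenied(f"{user} lacks 'upload'")
    history.versions.append(FileVersion(user, history.versions[index].content))


def revert_hardened(user: str, rights: Set[str], history: FileHistory, index: int) -> None:
    """Assumed mitigation: a revert creates a new latest version, so it must pass
    the same overwrite check as a reupload before any attribution changes."""
    if not can_overwrite(user, rights, history):
        raise PermissionDenied(f"{user} may not revert this file")
    history.versions.append(FileVersion(user, history.versions[index].content))


def run_scenario(revert: Callable[[str, Set[str], FileHistory, int], None]) -> Dict[str, object]:
    """Constructed scenario: 'mallory' (upload + reupload-own) uploads a file,
    'bob' (reupload) overwrites it, then mallory reverts and tries to overwrite."""
    mallory_rights = {"upload", "reupload-own"}
    bob_rights = {"upload", "reupload"}
    history = create_file("mallory", mallory_rights, b"v1 by mallory")
    upload_new_version("bob", bob_rights, history, b"v2 by bob")

    result: Dict[str, object] = {
        "revert_allowed": False,
        "latest_uploader_after_revert": None,
        "overwrite_allowed": False,
    }
    try:
        revert("mallory", mallory_rights, history, 0)
    except PermissionDenied:
        return result  # hardened path: latest version is bob's, so the revert is refused
    result["revert_allowed"] = True
    result["latest_uploader_after_revert"] = history.latest.uploader
    try:
        upload_new_version("mallory", mallory_rights, history, b"v3 by mallory")
        result["overwrite_allowed"] = True
    except PermissionDenied:
        pass
    return result


if __name__ == "__main__":
    print("vulnerable:", run_scenario(revert_vulnerable))
    print("hardened:  ", run_scenario(revert_hardened))
```

Running the vulnerable path shows the chain from the advisory: the revert succeeds on the 'upload' right alone, the latest version is now attributed to mallory, and the subsequent overwrite passes the 'reupload-own' check even though bob's version was the one being replaced. The hardened path refuses the revert at the first step, so the attribution never changes. For detection, the same signal applies to real upload logs: a revert immediately followed by a reupload by a user who holds 'reupload-own' but not 'reupload' is the pattern worth alerting on in unpatched versions.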
Users can update to MediaWiki versions 1.39.12, 1.42.6, or 1.43.1, where this vulnerability has been addressed.