ManageWiki MediaWiki Extension Permission Bypass Vulnerability

A permission bypass vulnerability has been identified in the ManageWiki MediaWiki extension, affecting versions prior to commit 00bebea. The issue arises when a user enables a conflicting extension; a restricted extension is automatically disabled, even if the user lacks the ManageWiki-restricted right. This vulnerability can be exploited by users who do not have the necessary permissions to manage certain extensions, allowing them to inadvertently disable extensions that require specific rights.

Impact

Exploitation of this vulnerability leads to a permission bypass, allowing users to disable extensions that require certain permissions, without having the necessary rights themselves.

Remediation

Users can upgrade to version 00bebea or later. Alternatively, ensure that any extensions requiring specific permissions in '$wgManageWikiExtensions' also require the same permissions for managing any conflicting extensions.