MediaWiki DiscordNotifications Extension Denial-of-Service, Server-Side Request Forgery, and Possible Remote Code Execution Vulnerability

Vulnerability

A vulnerability in the DiscordNotifications extension for MediaWiki allows wiki users who control the webhook URL settings to make the server send requests to arbitrary URLs via curl or file_get_contents. Because the webhook URL is user-controlled and not validated, the server can be pointed at any destination. This can lead to denial-of-service by making the server fetch and process very large responses. It can also be used for server-side request forgery when internal, unauthenticated APIs are reachable from the wiki server over HTTP POST, which in turn may lead to remote code execution depending on what those APIs expose. The issue affects versions of the DiscordNotifications extension prior to the fix in commit 1f20d850cbcce5b15951c7c6127b87b927a5415e.

Impact

Exploitation can cause a denial-of-service condition on the server, with additional risks of server-side request forgery and possibly remote code execution, depending on the availability of internal unprotected APIs.

Remediation

Users should upgrade to a build of the extension that includes commit 1f20d850cbcce5b15951c7c6127b87b927a5415e or later. If an immediate upgrade is not possible, disable the extension or restrict which users are allowed to change the webhook URL settings.
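The two controls the advisory points at (the server must only talk to the real Discord webhook endpoint, and must never be made to process an arbitrarily large response) can be enforced at the point where the extension posts the notification. The following PHP is an added example written for this page; it is not DiscordNotifications code and does not reproduce the actual fix in the referenced commit. The function names, the host allowlist and the size limit are assumptions. The DNS check needs network access, so the "accepted" case only passes where discord.com resolves.

```php
<?php
// Added example (not extension code): validate a user-supplied webhook URL
// before the wiki's server is allowed to POST to it, and bound the request
// so a hostile endpoint cannot make the server download a huge response.

/**
 * Return null when $url is acceptable, otherwise a reason string.
 * Policy (assumed for this example): HTTPS only, host must be a Discord
 * webhook host, path must be a webhook path, and the host must not
 * resolve to a private, loopback, link-local or reserved address.
 */
function validateWebhookUrl(string $url): ?string {
    $allowedHosts = ['discord.com', 'discordapp.com']; // assumed allowlist

    $parts = parse_url($url);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return 'unparseable URL';
    }
    if (strtolower($parts['scheme']) !== 'https') {
        return 'scheme must be https';
    }
    if (isset($parts['user']) || isset($parts['pass'])) {
        return 'credentials in URL are not allowed';
    }
    $host = strtolower($parts['host']);
    if (!in_array($host, $allowedHosts, true)) {
        return "host $host is not an allowed webhook host";
    }
    if (!isset($parts['path']) || strpos($parts['path'], '/api/webhooks/') !== 0) {
        return 'path is not a Discord webhook path';
    }
    // Resolve the name and reject any non-public address. The NO_PRIV_RANGE
    // and NO_RES_RANGE flags reject RFC 1918, loopback, link-local and
    // other reserved ranges, which blocks requests to internal services.
    $ips = gethostbynamel($host);
    if ($ips === false || $ips === []) {
        return 'host does not resolve';
    }
    foreach ($ips as $ip) {
        if (filter_var($ip, FILTER_VALIDATE_IP,
                       FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE) === false) {
            return "host resolves to non-public address $ip";
        }
    }
    return null;
}

/**
 * POST a JSON payload with curl under the limits that matter here:
 * no redirect following (a redirect could re-target the request),
 * HTTPS only, short timeouts, and a hard cap on response bytes read.
 */
function postWebhookBounded(string $url, array $payload, int $maxBytes = 65536): array {
    $reason = validateWebhookUrl($url);
    if ($reason !== null) {
        return ['ok' => false, 'error' => $reason];
    }
    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_POST           => true,
        CURLOPT_POSTFIELDS     => json_encode($payload),
        CURLOPT_HTTPHEADER     => ['Content-Type: application/json'],
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_FOLLOWLOCATION => false,
        CURLOPT_PROTOCOLS      => CURLPROTO_HTTPS,
        CURLOPT_CONNECTTIMEOUT => 5,
        CURLOPT_TIMEOUT        => 10,
        CURLOPT_NOPROGRESS     => false,
        // Returning non-zero from the progress callback aborts the transfer
        // once more than $maxBytes have been received (works for chunked
        // responses too, where Content-Length is absent).
        CURLOPT_PROGRESSFUNCTION => function ($ch, $dlTotal, $dlNow) use ($maxBytes) {
            return ($dlNow > $maxBytes || $dlTotal > $maxBytes) ? 1 : 0;
        },
    ]);
    $body   = curl_exec($ch);
    $err    = curl_error($ch);
    $status = curl_getinfo($ch, CURLINFO_RESPONSE_CODE);
    curl_close($ch);
    if ($body === false) {
        return ['ok' => false, 'error' => $err];
    }
    return ['ok' => $status >= 200 && $status < 300, 'status' => $status];
}

// Constructed inputs for a quick check, not values from the advisory:
var_dump(validateWebhookUrl('https://discord.com/api/webhooks/123/abc'));  // NULL (accepted, needs DNS)
var_dump(validateWebhookUrl('http://127.0.0.1/internal-api'));             // "scheme must be https"
var_dump(validateWebhookUrl('https://wiki-internal.example/admin'));       // host not allowed
```

Two caveats for anyone adapting this. First, the DNS check above runs at validation time, while curl resolves the name again at connection time, so a name that changes its answer between the two (DNS rebinding) can slip past; pinning the resolved address with CURLOPT_RESOLVE, or resolving once and connecting to the IP with the Host header set, closes that gap. Second, the allowlist only helps if ordinary users cannot bypass it by editing the setting elsewhere, which is why the advisory's remediation of restricting who may change the webhook URL settings still applies.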

Added: Jul 10, 2025, 6:16 PM
Updated: Jul 10, 2025, 6:16 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 2.5
exploitability: 5.9
remediation: 0.0
relevance: 0.2
threat: 3.2
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.