Wikimedia Foundation MediaWiki
cpe:2.3:a:mediawiki:mediawiki:*:*:*:*:*:*:*
- Affected versions: >= 1.42.0
A vulnerability exists in Wikimedia Foundation MediaWiki versions 1.42.0 and later, related to the BlockListPager component. When MultiBlocks are enabled, users who are suppressed by a MultiBlock can have their hidden usernames revealed to other users who do not have the 'hideuser' right. This occurs because the BlockList interface displays 'unblock' and 'change block' links for suppressed users, exposing their usernames through the URLs of these actions.
Exploitation of this vulnerability allows for the unauthorized disclosure of suppressed usernames, undermining the privacy of users who are blocked with a hideuser block.
To reproduce this vulnerability, first log in as a user with the 'hideuser' right and add a block that hides the username. Then log in as a user who has the block right but not the 'hideuser' right. On Special:BlockList, the hidden username is visible when hovering over the 'remove block' or 'change block' action links for the block that was added.
This vulnerability has been addressed in MediaWiki versions 1.43.2, 1.42.7, and 1.44.0.
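The version ranges above can be turned into a triage check for a fleet of wikis. The following is an added example, not code from MediaWiki or from this advisory; the hostnames and the inventory are constructed, and "affected" only means the version is in range, since exposure also requires MultiBlocks to be enabled.

```python
import re

# Per-branch fixed patch levels and the first fixed branch, from the advisory text.
FIXED_PATCH = {(1, 42): 7, (1, 43): 2}
FIRST_AFFECTED = (1, 42, 0)
FIRST_FIXED_BRANCH = (1, 44)

# Accepts X.Y.Z with an optional -alpha/-beta/-rc[.N] suffix; anything else is "unknown".
_VERSION = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-(alpha|beta|rc)(?:\.\d+)?)?$")


def classify(version: str) -> str:
    """Return 'not-affected', 'affected', 'fixed' or 'unknown' for a version string."""
    m = _VERSION.match(version.strip())
    if not m:
        return "unknown"
    major, minor, patch = (int(m.group(i)) for i in (1, 2, 3))
    prerelease = m.group(4) is not None
    branch = (major, minor)
    if (major, minor, patch) < FIRST_AFFECTED:
        return "not-affected"
    if branch in FIXED_PATCH:
        fixed = FIXED_PATCH[branch]
        # A pre-release of the fixed patch level predates the fix itself;
        # pre-releases of earlier patch levels are treated as affected (conservative).
        if patch > fixed or (patch == fixed and not prerelease):
            return "fixed"
        return "affected"
    # Remaining branches are 1.44 and later. The advisory names 1.44.0 as fixed;
    # its pre-releases cannot be judged from the advisory alone.
    if branch == FIRST_FIXED_BRANCH and patch == 0 and prerelease:
        return "unknown"
    return "fixed"


def needs_attention(inventory: dict[str, str]) -> dict[str, str]:
    """Map each host that is not clearly safe to its classification."""
    verdicts = {host: classify(ver) for host, ver in inventory.items()}
    return {h: v for h, v in verdicts.items() if v in ("affected", "unknown")}


# Constructed inventory (hostnames and versions are made up for the example).
SAMPLE = {
    "wiki-a.example": "1.41.3",
    "wiki-b.example": "1.42.6",
    "wiki-c.example": "1.43.2",
    "wiki-d.example": "1.44.0-alpha",
    "wiki-e.example": "1.45.0-wmf.5",
}

if __name__ == "__main__":
    for host, verdict in needs_attention(SAMPLE).items():
        print(f"{host}: {SAMPLE[host]} -> {verdict}")
```

Hosts reported as "unknown" run a version string the advisory does not cover (pre-releases of 1.44.0, vendor-specific suffixes) and need a manual check.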