Wikimedia Foundation MediaWiki Autocreation Login Vulnerability Leading to Security Reauthentication Issues

A vulnerability exists in Wikimedia Foundation MediaWiki versions prior to 1.39.13, 1.42.7, 1.43.2, and 1.44.0, where the autocreation of accounts is incorrectly treated as a login for security reauthentication purposes. This flaw allows an attacker with a CentralAuth session cookie to exploit the account creation process on wikis where the user has no local account. By getting an account autocreated, the attacker could then change credentials or perform other sensitive operations.

Impact

Exploitation of this vulnerability could lead to unauthorized changes in user credentials or other sensitive actions on behalf of the affected user.

Reproduction

To reproduce this vulnerability, log into a wiki where a CentralAuth account exists but has no local counterpart. Once logged in, the absence of a local account will trigger an autocreation of the account on that wiki. After the account is created, attempt to access a security-sensitive operation, such as changing a password. The system will not prompt for reauthentication, allowing for unauthorized changes to be made.

Remediation

Users can update to MediaWiki versions 1.39.13, 1.42.7, 1.43.2, or 1.44.0, where this vulnerability has been addressed.