Reported by Tony Nasr to security@
Dear Security Team, Hope you are well and safe Need your help to request CVE ID: I discovered a novel open redirect vulnerability in previous MediaWiki versions 1.27.4 up to 1.31.5 Please confirm it and request a CVE ID at https://cveform.mitre.org by attributing the discovery credit to me. You can find a detailed Markdown report report.md of the finding on this private Google Drive Folder https://drive.google.com/drive/folders/1tDZUlocekpaU0rQlMqP4PiOMvQb5k-8n My acknowledgement details: Full name: Tony Marcel Nasr Address: https://www.linkedin.com/in/tony-nasr Please confirm the receipt of this email. Looking forward to hearing from you Best Regards Tony Nasr
Reproduction
Hello security team, Hope you are well and safe # Summary I found an Open Redirect Vulnerability in previous MediaWiki versions. Please I require your help to confirm it and request CVE ID. Note that I checked and this has not been reported before or assigned CVE ID. # Vulnerability Type Unvalidated URL Open Redirect # Details - Vulnerable MediaWiki versions: 1.27.4 up to 1.31.5 (possibly more versions are affected but I only test those) - Vulnerable URL path: `https://HOST/index.php` - Vulnerable HTTP GET Parameters: `title` `action` `redlink` - Full URL containing payload place-holder: `https://HOST/index.php?title=/[Redirect-URL]&action=edit&redlink=1` - Proof of Concept example: (redirect URL is `www.google.com`): `https://HOST/index.php?title=/www.google.com&action=edit&redlink=1` # Steps to Reproduce 1. Navigate to `https://HOST/Main_Page` 2. Click on "Log in" located at the top right side of the page. You will be redirected to `https://HOST/index.php?title=Special:UserLogin&returnto=Main+Page` 3. Now modify the URL so that it becomes as follows `https://HOST/index.php?title=Special:UseLogin&returnto=Aaaaaa` then load this new URL in the browser. You will be presented with a new webpage having the below content saying "No such special page" 4. On this new page, hover over "Aaaaaa" with mouse pointer and right-click to copy the hyperlink address which should look as follows `https://HOST/index.php?title=Aaaaaa&action=edit&redlink=1` 5. Now paste this copied URL into a new browser tab then modify the title parameter value so that the new URL looks as follows `https://HOST/index.php?title=/www.google.com&action=edit&redlink=1` 6. Load this new URL in the browser tab and notice how we are redirected to `https://www.google.com` # Attack Scenario A malicious attacker could craft a URL having as payload a malicious URL that they control and they would send it to victims. Once they visit this link they will be redirected to the controlled domain that the attacker owns and conduct further attacks from there. # Vulnerability Impact Open redirection vulnerabilities arise when an application incorporates user-controllable data into the target of a redirection in an unsafe way. An attacker can construct a URL within the application that causes a redirection to an arbitrary external domain. This behavior can be leveraged to facilitate phishing attacks against users of the application. The ability to use an authentic application URL, targeting the correct domain and with a valid SSL certificate (if SSL is used), lends credibility to the phishing attack because many users, even if they verify these features, will not notice the subsequent redirection to a different domain. # Thanks & Dedication - I am thankful to God, to my wonderful girl for standing by me and for her boundless love & support and to my parents for their continuous support. - Cheers to the Security team for their hard work keeping all the platforms secure.
TLDR version for reproduction is go to a url like https://wow.gamepedia.com/index.php?title=/example.org&action=edit&redlink=1 and you will end up at example.org
Without the redlink=1 parameter it doesn't work, so if the page existed on the wiki, it wouldn't be redirected either.