Draft FAQ for {T297322}. Split out of {T292230}.
```
== What is the issue? ==
A series of vulnerabilities have been found in MediaWiki that allow for using actions on public pages in private wikis to leak the contents of private pages, among other actions.
* CVE-2021-44857: The "undo" feature (<code>action=edit&undo=##&undoafter=###</code>) allowed an attacker to view the contents of arbitrary revisions, regardless of whether they had permissions to do so. This was also found in the "mcrundo" and "mcrrestore" actions (<code>action=mcrundo</code> and <code>action=mcrrestore</code>).
* CVE-2021-45038: The "rollback" feature (<code>action=rollback</code>) could be passed a specially crafted parameter that allowed an attacker to view the contents of arbitrary pages, regardless of whether they had permissions to do so.
* CVE-2021-44858: The "mcrundo" and "mcrrestore" actions (<code>action=mcrundo</code> and <code>action=mcrrestore</code>) did not properly check for editing permissions, and allowed an attacker to take the content of any arbitrary revision and save it on any page of their choosing. This affects public wikis too.
== I don't have time to patch, how do I disable this? ==
Add the following to your LocalSettings.php:
<syntaxhighlight lang="php">
$wgActions['mcrundo'] = false;
$wgActions['mcrrestore'] = false;
</syntaxhighlight>
If your wiki is private (requires login to view pages) you will also need to set:
<syntaxhighlight lang="php">
$wgWhitelistRead = [];
$wgWhitelistReadRegexp = [];
</syntaxhighlight>
It should fully disable the vulnerable code.
If you used $wgWhitelistRead to allow logged out users to see the main page with help text, you can instead move that help text to the MediaWiki:Loginreqpagetext message, which is shown on the "login required" error.
== Was I affected? ==
* If your wiki is public (anyone can read pages): yes
* If your wiki is private, and $wgWhitelistRead or $wgWhitelistReadRegexp has at least one page: yes
If you use an extension like [[Extension:Lockdown|Lockdown]] to make some pages unreadable to some users, you are also likely affected.
== What versions are vulnerable? ==
All MediaWiki versions since 1.23.0 are vulnerable to the private wiki read permissions bypasses (CVE-2021-44857, CVE-2021-45038)
All MediaWiki versions since 1.32.0 are vulnerable to the editing permissions bypass. (CVE-2021-44858)
== How can I see if someone exploited it on my wiki? ==
Look for <code>action=mcrundo</code> or <code>action=mcrrestore</code> in your access logs. Unless you specifically enabled an extension that uses [[Multi-Content Revisions|multi-content revisions]], there is no legitimate use for these actions.
In addition, look for <code>action=edit&undo=###&undoafter=###</code> requests and check whether the revision ids belong to a different title than the page being edited.
This bug does not cause any data loss, so any write actions an attacker could have taken will be recorded in page history like all other edits.
== Credit ==
The issue was discovered by [https://phabricator.wikimedia.org/p/Dylsss/ Dylsss], many thanks to them for identifying and reporting the issue. If you find a bug in MediaWiki, please see the process for [[reporting security bugs]].
```