Headline
CVE-2022-28209: ⚓ T304126 One of the checks for 'override-antispoof' permission is inverted (CVE-2022-28209)
An issue was discovered in Mediawiki through 1.37.1. The check for the override-antispoof permission in the AntiSpoof extension is incorrect.
One of the checks for ‘override-antispoof’ permission in the AntiSpoof extension is inverted, here: https://github.com/wikimedia/mediawiki-extensions-AntiSpoof/blob/7a5fc55dc31a0ab654a80a0fa6293027293c5b7c/includes/AntiSpoofPreAuthenticationProvider.php#L145
This might not be a real security issue – it looks like the faulty code path is only used for displaying UI messages (JS checks on Special:CreateAccount), and not for actually creating accounts. But I didn’t go through everything to prove that for sure, so I’m filing as a security task just in case.
It’s also not reproducible on Wikimedia wikis, because the anti-spoof checks there are handled by code in CentralAuth, which doesn’t have the bug: https://github.com/wikimedia/mediawiki-extensions-CentralAuth/blob/061b493dc96a874bb49e1e67c10e416fce6040be/includes/CentralAuthPrimaryAuthenticationProvider.php#L512
This has been introduced in https://gerrit.wikimedia.org/r/c/mediawiki/extensions/AntiSpoof/+/618623, by accidentally removing a ! to negate a condition.
I discovered the problem while testing a patch for T167163.
Related news
Gentoo Linux Security Advisory 202305-24 - Multiple vulnerabilities have been found in MediaWiki, the worst of which could result in denial of service. Versions greater than or equal to 1.25.2 are affected.