MediaWiki Incorrect Default Permissions Vulnerability - CVE-2011-4361
MediaWiki before 1.17.1 does not check for read permission before handling actionajax requests which allows remote attackers to obtain sensitive information by (1) leveraging the SpecialUpload::ajaxGetExistsWarning function or by (2) leveraging an extension as demonstrated by the CategoryTree ExtTab and InlineEditor extensions.
