MediaWiki chunked uploads security issue - Vulnerability Database

MediaWiki chunked uploads security issue

Description

MediaWiki versions 1.19.0 through 1.19.6 and 1.20.0 through 1.20.5 contain a security bypass vulnerability in the chunked file upload feature exposed through the API. The security validation checks that normally reject malicious file uploads are not executed when a file is uploaded with the chunked upload method, so an uploader can bypass file type restrictions and other upload controls. Any account that holds file upload permission can trigger the bypass, and the flaw has existed since the chunked upload feature was introduced in MediaWiki 1.19.

This issue was fixed in MediaWiki v1.20.6 and MediaWiki v1.19.7.

Remediation

Immediately upgrade to MediaWiki version 1.20.6 or later (for 1.20.x installations) or version 1.19.7 or later (for 1.19.x installations). Follow these steps:

1. Back up your installation: Create a complete backup of your MediaWiki files and database before upgrading.
2. Download the patched version: Obtain the appropriate fixed version from the official MediaWiki website.
3. Apply the upgrade: Follow the MediaWiki upgrade documentation to update your installation, ensuring all files are properly replaced.
4. Verify the fix: After upgrading, confirm the version number in Special:Version matches the patched release.
5. Review uploaded files: Audit files uploaded between the time chunked uploads were enabled and the patch application date for potentially malicious content.

If immediate upgrading is not possible, temporarily disable chunked uploads by restricting API access or removing upload permissions until the patch can be applied.
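Step 5 above asks for an audit of files stored while chunked uploads were enabled. The following is an added helper for that audit, not code from Invicti or the MediaWiki project: it walks an upload tree, restricts itself to files modified inside the audit window, and flags any file whose extension is outside a small allow-list, whose leading bytes do not match the signature its extension implies, or which carries PHP or script markers. The allow-list, the upload root and the sample files are assumptions made for the demonstration.

```python
import os
import tempfile
import time
from pathlib import Path

# Magic-byte signatures for file types a typical wiki allows (assumed allow-list).
SIGNATURES = {
    ".png": b"\x89PNG\r\n\x1a\n",
    ".jpg": b"\xff\xd8\xff",
    ".jpeg": b"\xff\xd8\xff",
    ".gif": b"GIF8",
    ".pdf": b"%PDF-",
}

def classify(path: Path) -> list[str]:
    """Return findings for one file; an empty list means nothing suspicious was seen."""
    findings = []
    data = path.read_bytes()
    expected = SIGNATURES.get(path.suffix.lower())
    if expected is None:
        findings.append("extension not in allow-list")
    elif not data.startswith(expected):
        findings.append("content does not match extension")
    # Server-side script markers inside a stored upload deserve review regardless of header.
    for marker in (b"<?php", b"<script"):
        if marker in data:
            findings.append("contains " + marker.decode())
    return findings

def audit_uploads(root: str, since: float, until: float) -> dict[str, list[str]]:
    """Check every file under root modified in [since, until]; map relative path -> findings."""
    report = {}
    for p in Path(root).rglob("*"):
        if p.is_file() and since <= p.stat().st_mtime <= until:
            findings = classify(p)
            if findings:
                report[p.relative_to(root).as_posix()] = findings
    return report

def demo() -> dict[str, list[str]]:
    """Build a constructed upload tree (sample data, not real wiki files) and audit it."""
    root = tempfile.mkdtemp()
    now = time.time()
    samples = {  # relative path: (content, mtime)
        "a/ok.png": (b"\x89PNG\r\n\x1a\n" + b"\x00" * 16, now - 100),
        "b/logo.jpg": (b"<?php echo 1; ?>", now - 100),    # header does not match .jpg
        "c/old.gif": (b"<?php echo 1; ?>", now - 100000),  # outside the audit window
        "d/notes.phtml": (b"GIF89a<?php", now - 100),      # extension not allowed
    }
    for rel, (content, mtime) in samples.items():
        path = Path(root, rel)
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_bytes(content)
        os.utime(path, (mtime, mtime))
    return audit_uploads(root, now - 1000, now)
```

Run `demo()` to see the report on the constructed tree; point `audit_uploads` at the real images directory and the window from when chunked uploads were enabled to the patch date for the actual audit.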
