FERRAMENTAS LINUX: MediaWiki Info Disclosure Flaw: How to Lock Down Your Wiki (Fix Permanently)

Sunday, April 12, 2026


 



MediaWiki permission flaw? Check your wiki with 1 command, apply the bash fix, or block via iptables. Get the audit checklist →


Historical note: *A high-severity MediaWiki update was issued by Debian on April 12, 2026. The underlying permission-check issue affects many versions, not just that date.*

If you run a MediaWiki site (for documentation, knowledge base, or internal team wiki), you need to check permission logic — not just update once. This guide gives you reusable checks, automation, and workarounds that work today and two years from now.



How to check if you are vulnerable (actual commands)


Run these directly on your server. Replace mediawiki with your installed package name if different.

Ubuntu / Debian (any version)

```bash
dpkg -l | grep mediawiki
apt list --installed 2>/dev/null | grep mediawiki
# Check for custom permission settings. The Debian package keeps the config in
# /etc/mediawiki; also look under /var/lib/mediawiki* for older layouts.
# Single quotes and -F keep the '$' literal so grep matches the variable name.
grep -Fn '$wgGroupPermissions' /etc/mediawiki/LocalSettings.php /var/lib/mediawiki*/LocalSettings.php 2>/dev/null
```


Rocky Linux / RHEL / Fedora

```bash
rpm -qa | grep mediawiki
# Compare the installed version with the versions listed in the advisory (CVE-2026-34086 etc.).
# The release-notes file carries the version suffix, hence the glob:
grep -i "MediaWiki" /var/www/mediawiki/RELEASE-NOTES*
```


SUSE Linux Enterprise / openSUSE

```bash
zypper search --installed-only mediawiki
rpm -qi mediawiki | grep Version
```


Quick vulnerability indicator:

If your LocalSettings.php contains custom $wgGroupPermissions or uses $wgRevokePermissions in complex ways – test manually. In a logged-out (anonymous) browser session, try to access:

  • Special:ListUsers (should show only basic info)
  • Any page with ?action=raw (should respect view permissions)
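
The manual test above only makes sense if you know how MediaWiki resolves those two arrays: a right is granted when any of the user's groups grants it, and then removed when any of the user's groups revokes it, regardless of what the other groups say. The following audit is an added example, not code from the original post or from MediaWiki itself: it applies that rule to a constructed LocalSettings.php fragment and lists what anonymous users can still do and where a revoke silently overrides a grant. The DEFAULT_GRANTS table is assumed to be a partial subset of MediaWiki's defaults, not the full list.

```python
import re
from collections import defaultdict
# Constructed LocalSettings.php fragment for a "private" wiki (sample input, not from the page).
SAMPLE_LOCALSETTINGS = """
$wgGroupPermissions['*']['read'] = false;
$wgGroupPermissions['*']['edit'] = false;
$wgGroupPermissions['user']['read'] = true;
$wgGroupPermissions['user']['edit'] = true;
$wgGroupPermissions['interns']['read'] = true;
$wgRevokePermissions['interns']['edit'] = true;
"""
# Partial subset of MediaWiki's default grants: whatever LocalSettings.php does not set to false stays on.
DEFAULT_GRANTS = {
    "*": {"read", "edit", "createaccount", "createpage", "createtalk"},
    "user": {"read", "edit", "move", "upload", "minoredit", "purge"},
}
ASSIGN_RE = re.compile(
    r"""\$(wgGroupPermissions|wgRevokePermissions)\[\s*['"]([^'"]+)['"]\s*\]"""
    r"""\[\s*['"]([^'"]+)['"]\s*\]\s*=\s*(true|false)\s*;""")

def parse_permissions(text):
    """Return (grants, revokes): group -> set of rights, defaults plus LocalSettings overrides."""
    grants = defaultdict(set, {g: set(r) for g, r in DEFAULT_GRANTS.items()})
    revokes = defaultdict(set)
    for var, group, right, value in ASSIGN_RE.findall(text):
        bucket = grants if var == "wgGroupPermissions" else revokes
        if value == "true":
            bucket[group].add(right)
        else:
            bucket[group].discard(right)
    return grants, revokes

def effective_rights(groups, grants, revokes):
    """MediaWiki's rule: union of every group's grants, minus any right revoked by any group."""
    granted = set().union(*(grants.get(g, set()) for g in groups))
    revoked = set().union(*(revokes.get(g, set()) for g in groups))
    return granted - revoked

def audit(text):
    """Findings a defender wants: leftover anonymous rights and revokes that override grants."""
    grants, revokes = parse_permissions(text)
    findings = []
    for right in sorted(effective_rights(["*"], grants, revokes)):
        findings.append(f"anonymous ('*') group still holds '{right}'")
    logged_in = effective_rights(["*", "user"], grants, revokes)
    for group, revoked in revokes.items():
        for right in sorted(revoked & logged_in):
            findings.append(f"group '{group}' loses '{right}' via $wgRevokePermissions even though 'user' grants it")
    return findings
```

Run audit() over your real LocalSettings.php contents: the first kind of finding is what an anonymous ?action=raw request will be allowed to do, the second kind is where a sysop who also sits in a restricted group unexpectedly loses a right.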


Automation script to apply the fix (bash – major distros)

Save as fix-mediawiki-perms.sh. Run as root.

```bash
#!/bin/bash
# Evergreen MediaWiki permission fix - works on Debian, Ubuntu, Rocky, SUSE
set -e
echo "=== MediaWiki permission hardening ==="

# Detect distro and upgrade the distro package
if [ -f /etc/debian_version ]; then
    apt-get update && apt-get install --only-upgrade -y mediawiki
    systemctl restart 'php*-fpm' apache2 2>/dev/null || systemctl restart nginx
elif [ -f /etc/redhat-release ]; then
    dnf update -y mediawiki
    systemctl restart httpd php-fpm
elif grep -qi suse /etc/os-release 2>/dev/null; then   # /etc/SuSE-release no longer exists on current releases
    zypper update -y mediawiki
    systemctl restart apache2 php-fpm
else
    echo "Unsupported distro. Update MediaWiki manually."
fi

# Hardening: turn off external image embedding and the API if your wiki does not need them.
# Adjust the path if LocalSettings.php lives elsewhere (e.g. /var/www/mediawiki).
LS=/etc/mediawiki/LocalSettings.php
[ -f "$LS" ] || { echo "LocalSettings.php not found at $LS"; exit 1; }
# Single quotes keep the '$' literal so sed matches the variable name.
sed -i 's/^\$wgAllowExternalImages = .*/$wgAllowExternalImages = false;/' "$LS"
# $wgEnableAPI was removed in MediaWiki 1.32; on newer wikis this line simply matches nothing.
sed -i 's/^\$wgEnableAPI = .*/$wgEnableAPI = false;/' "$LS"

echo "Fix applied. Verify: run 'sudo -u www-data php /path/to/maintenance/version.php'"
```

Make executable: chmod +x fix-mediawiki-perms.sh and run.


Alternative mitigation (if you can’t update now)

Option 1: iptables rate-limit & restrict raw access

```bash
# Limit new HTTP connections per source IP (30 per minute; adapt to your traffic)
iptables -A INPUT -p tcp --dport 80 -m state --state NEW -m recent --set
iptables -A INPUT -p tcp --dport 80 -m state --state NEW -m recent --update --seconds 60 --hitcount 30 -j DROP

# Block ?action=raw for clients without a session cookie via Apache .htaccess.
# Needs AllowOverride for the wiki directory. Replace MediaWikiSession with your
# wiki's real session cookie name ($wgCookiePrefix followed by "_session").
# This only checks that a cookie is present, so treat it as a hardening layer,
# not as access control. Note that '>' overwrites any existing .htaccess.
cat > /var/www/mediawiki/.htaccess <<'EOF'
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{QUERY_STRING} action=raw [NC]
RewriteCond %{HTTP:Cookie} !MediaWikiSession [NC]
RewriteRule .* - [F,L]
</IfModule>
EOF
```


Option 2: AppArmor profile for MediaWiki (Ubuntu/Debian)

```bash
# aa-genprof is interactive: exercise the wiki while it runs and accept the prompts.
# For php-fpm deployments profile the php-fpm binary instead of the CLI /usr/bin/php.
aa-genprof /usr/bin/php
# Then add deny rules for sensitive paths. PHP must still READ LocalSettings.php
# to run the wiki, so deny writes (stops web-facing PHP from altering the config):
echo "deny /etc/mediawiki/LocalSettings.php w," >> /etc/apparmor.d/local/usr.bin.php
aa-enforce /usr/bin/php
```


Option 3: Reverse proxy permission check (nginx snippet)

```nginx
location ~ \.php$ {
    # nginx "if" cannot combine conditions, so build a flag from two checks
    if ($args ~* "action=raw") {
        set $check_perm "1";
    }
    # replace MediaWikiSession with your wiki's session cookie name ($wgCookiePrefix + "_session")
    if ($cookie_MediaWikiSession = "") {
        set $check_perm "${check_perm}2";
    }
    if ($check_perm = "12") {
        return 403;
    }
    # normal PHP handling (fastcgi_pass etc.)
}
```


Suggested reading: Solves the root problem




Why it helps: This book (about $45) contains permanent access control patterns, group permission recipes, and audit scripts – not just a one-line patch. It teaches you to write LocalSettings.php safely and how to test permission regressions after every update.


Without this knowledge, you'll rely on security advisories forever. The book pays for itself the first time you prevent a leak.


Conclusion – stop chasing CVEs

You can't patch every Tuesday. But you can harden, automate, and understand the permission model.

✅ Your action items:

  • Run the check script above – today.
  • If vulnerable, apply the fix script or iptables mitigation.
  • Buy the MediaWiki security book to master permissions.



