CVE-2023-29141: 
PHP vulnerability analysis and mitigation

A vulnerability (CVE-2023-29141) was discovered in MediaWiki before 1.35.10, 1.36.x through 1.38.x before 1.38.6, and 1.39.x before 1.39.3. The issue allows an auto-block to occur for an untrusted X-Forwarded-For header, potentially exposing sensitive user information (NVD, Debian Security).

The vulnerability stems from MediaWiki's handling of X-Forwarded-For (XFF) headers. When a user is autoblocked, the wiki creates an IP block behind-the-scenes without exposing the user's IP on-wiki. However, the system checks all IP addresses specified in XFF headers for blocks, including untrusted ones. An attacker could specify multiple IP addresses (up to about 256) in a single XFF header, allowing them to test numerous IPs efficiently for active autoblocks (Phabricator).

The vulnerability allows attackers to potentially discover the IP addresses of users who have active autoblocks by using spoofed XFF headers. Since the block message includes the username of the original block target, this creates a privacy leak that could expose user identity information. With approximately 2^24 requests, an attacker could potentially enumerate all IPv4 addresses with active autoblocks on a wiki (Phabricator).

The issue has been fixed in MediaWiki versions 1.35.10, 1.38.6, and 1.39.3. The fix prevents autoblocks from being applied to untrusted XFF headers while maintaining functionality for trusted proxy servers. Users should upgrade to these or later versions to mitigate the vulnerability (Fedora Security).