CVE-2024-34701

Severity CVSS v4.0: Pending analysis
Type: Unavailable / Other
Publication date: 14/05/2024
Last modified: 14/05/2024

Description

CreateWiki is Miraheze's MediaWiki extension for requesting & creating wikis. A user can be treated as the requester of a specific wiki request if their local user ID on any wiki in a wiki farm matches the local ID of the requester on the wiki where the wiki request was made. This allows them to go to that request's entry on Special:RequestWikiQueue on the wiki where their local user ID matches and take any action that the wiki requester is allowed to take from there.

Commit 02e0f298f8d35155c39aa74193cb7b867432c5b8 fixes the issue. Important note about the fix: this vulnerability has been fixed by disabling access to the REST API and special pages outside of the wiki configured as the "global wiki" in `$wgCreateWikiGlobalWiki` in a user's MediaWiki settings.

As a workaround, it is possible to disable the special pages outside of one's own global wiki by doing something similar to `miraheze/mw-config` commit e5664995fbb8644f9a80b450b4326194f20f9ddc, adapted to one's own setup. As for the REST API, before the fix there wasn't any REST endpoint that allowed one to make writes. Regardless, it is also possible to disable it outside of the global wiki by using `$wgCreateWikiDisableRESTAPI` and `$wgConf` in the configuration for one's own wiki farm.
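
The requester check described above, modelled as an added example that is not CreateWiki's code: it contrasts a comparison on bare local user IDs with the same comparison gated on the global wiki, as the fix is described. Wiki names, user names, IDs and function names are constructed for illustration, and `GLOBAL_WIKI` stands in for `$wgCreateWikiGlobalWiki`.

```php
<?php
// Simplified model of the flaw; not CreateWiki's code. All names and values are constructed.
declare(strict_types=1);

const GLOBAL_WIKI = 'metawiki'; // stands in for $wgCreateWikiGlobalWiki

// Local user IDs are allocated per wiki, so the same number can name different people.
const LOCAL_USERS = [
    'metawiki'  => [7 => 'Alice'],
    'otherwiki' => [7 => 'Mallory', 8 => 'Alice'],
];

// A wiki request filed on the global wiki; only the requester's local ID is stored.
const WIKI_REQUEST = ['id' => 101, 'filed_on' => 'metawiki', 'requester_id' => 7];

/** Flawed check: compares bare local IDs and never looks at $currentWiki. */
function isRequesterFlawed(array $request, string $currentWiki, int $viewerLocalId): bool
{
    return $request['requester_id'] === $viewerLocalId;
}

/** Check modelled on the fix: the request queue is only reachable on the global wiki. */
function isRequesterGated(array $request, string $currentWiki, int $viewerLocalId): bool
{
    if ($currentWiki !== GLOBAL_WIKI) {
        return false; // special pages and REST API disabled outside the global wiki
    }
    return $request['requester_id'] === $viewerLocalId;
}

$cases = [
    ['metawiki', 7],   // Alice on the global wiki: the real requester
    ['otherwiki', 7],  // Mallory: same number, different person
    ['otherwiki', 8],  // Alice on another wiki: different number
];
foreach ($cases as [$wiki, $id]) {
    printf(
        "%-9s id=%d (%s): flawed=%s gated=%s\n",
        $wiki,
        $id,
        LOCAL_USERS[$wiki][$id],
        var_export(isRequesterFlawed(WIKI_REQUEST, $wiki, $id), true),
        var_export(isRequesterGated(WIKI_REQUEST, $wiki, $id), true)
    );
}
```

Only the second case differs between the two checks: the flawed comparison accepts a different person whose local ID happens to match, while the gated check refuses every request made outside the global wiki.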