action=ajax requests are dispatched to the relevant function without any read permission checks being done. This can lead to data leakage on private wikis.
A quick survey of the many extensions which use action=ajax suggests that few, if any, have anticipated this security issue. This includes the popular CategoryTree extension, which can be used to obtain lists of page titles. The ExtTab and InlineEditor extensions appear to allow disclosure of the full text of the page.
In the core, most former action=ajax uses have been migrated to api.php; however, SpecialUpload::ajaxGetExistsWarning still remains, which allows confirmation of the existence of a given file upload, given the name. A dictionary attack could lead to significant data leakage. Previous versions of MediaWiki may have more severe vulnerabilities.
I suggest denying all access to action=ajax for users without read permissions. If there are any extensions that really need to provide data from a private wiki to logged-out users, api.php can be used instead. It provides an opt-in model for bypassing read permissions.
Version: unspecified
Severity: normal
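The fix suggested in the report, as an added example that is not part of the original report and is not MediaWiki's code: a simplified dispatcher model in which the read check runs once, before any registered handler is reached, so individual handlers do not each need to anticipate private wikis. `AjaxGate`, `uploadExists`, the rights arrays and the sample file name are all hypothetical.

```php
<?php
declare(strict_types=1);

// Simplified model of an action=ajax style dispatcher (hypothetical names,
// not MediaWiki's own code). Handlers are registered by name.
final class AjaxGate
{
    /** @var array<string, callable> */
    private array $exported = [];

    public function export(string $name, callable $handler): void
    {
        $this->exported[$name] = $handler;
    }

    /** @return array{int, string} HTTP status and response body */
    public function dispatch(array $userRights, string $name, array $args): array
    {
        // Check before the handler lookup: every registered handler is covered,
        // and a denied caller cannot tell registered names from unknown ones.
        if (!in_array('read', $userRights, true)) {
            return [403, 'read permission required'];
        }
        if (!isset($this->exported[$name])) {
            return [400, 'unknown function'];
        }
        $handler = $this->exported[$name];
        return [200, (string) $handler(...$args)];
    }
}

// Constructed sample data: a private wiki with one uploaded file.
$files = ['Budget_2011.pdf' => true];

$gate = new AjaxGate();
// Stand-in for a handler that confirms whether a named upload exists.
$gate->export('uploadExists', fn(string $f): string => isset($files[$f]) ? 'exists' : 'missing');

// A logged-out user on a private wiki holds no 'read' right; a member does.
$callers = ['anon' => [], 'member' => ['read']];
foreach ($callers as $label => $rights) {
    [$status, $body] = $gate->dispatch($rights, 'uploadExists', ['Budget_2011.pdf']);
    printf("%-6s -> %d %s\n", $label, $status, $body);
}
```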