Closed Bug 1237549 Opened 8 years ago Closed 8 years ago

Database error A database query error has occurred. This may indicate a bug in the software.

Categories

(Websites :: wiki.mozilla.org, defect)

Production
defect
Not set
normal

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: sexxxenator, Assigned: claudijd)

Details

User Agent: Mozilla/5.0 (X11; FreeBSD amd64; rv:42.0) Gecko/20100101 Firefox/42.0
Build ID: 20151208090132

Steps to reproduce:

I just searched for "--sm-config-prefix" in the searchbox of the wiki.


Actual results:

I got redirected to a page saying:
"Database error
A database query error has occurred. This may indicate a bug in the software."



Expected results:

I should simply have gotten a list of pages talking about the option "--sm-config-prefix"


There might be a security issue in transmitting unwanted commands/chars to the DB!!!!
Did some testing with sqlmap to try and validate the viability of the "search" parameter being SQL injectable, but I didn't identify any success in my testing.

Here's some output from that testing:

...
[09:07:45] [INFO] testing if GET parameter 'search' is dynamic
[09:07:45] [INFO] confirming that GET parameter 'search' is dynamic
[09:07:46] [INFO] GET parameter 'search' is dynamic
[09:07:47] [WARNING] heuristic (basic) test shows that GET parameter 'search' might not be injectable
[09:07:48] [INFO] testing for SQL injection on GET parameter 'search'
[09:07:48] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[09:08:04] [INFO] testing 'MySQL >= 5.0 boolean-based blind - Parameter replace'
[09:08:06] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause'
[09:08:11] [INFO] testing 'MySQL >= 5.0 error-based - Parameter replace'
[09:08:12] [INFO] testing 'MySQL inline queries'
[09:08:13] [INFO] testing 'MySQL > 5.0.11 stacked queries (SELECT - comment)'
[09:08:18] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind (SELECT)'
[09:08:23] [INFO] testing 'Generic UNION query (NULL) - 1 to 10 columns'
[09:09:23] [INFO] testing 'MySQL UNION query (NULL) - 1 to 10 columns'
[09:10:22] [WARNING] GET parameter 'search' is not injectable
...

I would recommend the site operator review the DB query logs and see if the input values to the search parameter are being properly handled on the DB side just to be sure. My suspicion is that we're seeing an app-layer error that triggers for any injection of "--", but it's worth a double check to be on the safe side.
fox2mike: would you be able to have someone look into this on the DB side?
Flags: needinfo?(smani)
Worked with cliang to understand what's happening on the backend DB, and although this input is generating a SQL error, it's not something that we believe would result in an attacker being able to craft arbitrary SQL injection.

This appears to be an issue in wikimedia where the input is being passed into a full text boolean search; the presence of a "-" in the input, which translates to AGAINST('--foobar ' IN BOOLEAN MODE), is being interpreted as a NOT and breaks the validity of the SQL query.

We did attempt to try and escape out of the AGAINST clause to see if an attacker could use the input box to craft arbitrary SQLi, but it appears that the input is parameterized and will simply escape any SQL characters such that the scope remains within the AGAINST clause.

We will be reporting this bug to wikimedia to see if they'd like to make any changes to allow the search of items including "-" without breaking the query.
Assignee: nobody → jclaudius
Status: UNCONFIRMED → ASSIGNED
Ever confirmed: true
Group: websites-security
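A defensive illustration of the mechanism described in the comment above, added here and not code from MediaWiki or from this bug: the search term is bound as a query parameter (so it cannot leave the AGAINST() value, matching the finding above), and a separate normalization step removes the repeated boolean-mode operator that made "--foobar" unparseable. The table and column names and the normalization policy are assumptions made for this example.

```python
from typing import Optional, Tuple

# Characters MySQL treats as operators in a boolean-mode full-text search
# (assumption based on the MySQL full-text documentation). "-" is the NOT
# operator that turned "--foobar" into an unparseable AGAINST() clause.
BOOLEAN_OPERATORS = set('+-><()~*"@')


def sanitize_boolean_term(raw: str) -> str:
    """Reduce a user-supplied search string to a well-formed boolean-mode expression.

    Policy (an assumption for this example, not MediaWiki's own rules):
      * each whitespace-separated token keeps at most one leading '+' or '-';
        further leading operators (the second '-' in '--foo') are dropped;
      * operator characters anywhere else in the token become word separators;
      * tokens with no searchable characters left (e.g. just '--') are discarded.
    """
    words = []
    for token in raw.split():
        prefix = ""
        i = 0
        while i < len(token) and token[i] in BOOLEAN_OPERATORS:
            if token[i] in "+-" and not prefix:
                prefix = token[i]
            i += 1
        body = "".join(" " if ch in BOOLEAN_OPERATORS else ch for ch in token[i:])
        parts = body.split()
        if not parts:
            continue
        words.append(prefix + parts[0])
        words.extend(parts[1:])
    return " ".join(words)


def build_search_query(raw: str) -> Optional[Tuple[str, Tuple[str, ...]]]:
    """Return (sql, params) for a parameterized full-text search, or None when
    nothing searchable remains. Binding the term as a parameter is what keeps
    hostile input inside the AGAINST() value; sanitizing only fixes the
    boolean-mode syntax error. Table and column names are illustrative."""
    term = sanitize_boolean_term(raw)
    if not term:
        return None
    sql = ("SELECT si_page FROM searchindex "
           "WHERE MATCH(si_text) AGAINST(%s IN BOOLEAN MODE)")
    return sql, (term,)
```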
Emailed security@wikimedia.org with a reference to this bug, which is now public, in the event they would like to comment or make an adjustment in the wikimedia behavior that we're discussing.

L.I.A.R. - Thanks for the submission!
Status: ASSIGNED → RESOLVED
Closed: 8 years ago
Flags: needinfo?(smani)
Resolution: --- → FIXED
FWIW, the wikimedia commons site, which is running MediaWiki 1.27.0-wmf.9 is not affected by this... 

https://commons.wikimedia.org/w/index.php?search=--foo&title=Special%3ASearch&go=Go&uselang=en

wiki.mozilla.org is running MediaWiki 1.23.10 at this time. It's possible this was fixed already in a future release, but not sure if that fix would be available in the 1.23 branch. May be worth investigating.
Heard back from security@wikimedia.org and they also confirmed that this issue appears fixed in the current version and that it doesn't appear exploitable.

Recommended Resolution: Upgrade MediaWiki, which is already captured in #1215624