Page MenuHomePhabricator
Create Task
Maniphest T142314

Null byte in old versions of Replace Text may cause arbitrary execution
Closed, DeclinedPublic
Actions

Description

OK, bear with me, because I haven't actually tested this.

If a null byte is passed as part of the target text, older versions of PHP/PRCE interpret that as the end of the string, which means that the user can pass a eval flag to execute the replacement text. The best explanation of it I've seen is here: https://bitquark.co.uk/blog/2013/07/23/the_unexpected_dangers_of_preg_replace

That null bug was fixed in PHP 5.4.7, which means that Mediawiki version ≥1.24 is immune as it requires 5.5.9. Any previous branches, like REL1_23, however, may have an arbitrary execution.

I don't have an old copy of PHP and Mediawiki around to test, but you are still distributing a REL1_23 branch, so I thought I should mention it.

Related Objects

Event Timeline

labster created this task.Aug 7 2016, 1:10 AM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptAug 7 2016, 1:10 AM
labster added a project: MediaWiki-extensions-ReplaceText.Aug 7 2016, 1:10 AM
Legoktm subscribed.Aug 7 2016, 3:57 AM

That null bug was fixed in PHP 5.4.7, which means that Mediawiki version ≥1.24 is immune as it requires 5.5.9

MediaWiki only started requiring 5.5.9+ in 1.27. 1.26, and 1.25 work with 5.3.3+.

labster added a comment.Aug 7 2016, 7:17 AM

Oh.

If you are unable to upgrade to PHP 5.5.9, then you can use MediaWiki 1.23.13, which requires PHP version 5.3.2 or later

https://www.mediawiki.org/wiki/Manual:Installation_requirements is a little misleading. LTS release I guess.

dpatrick subscribed.Aug 16 2016, 8:27 PM

@Yaron_Koren, @Nikerabbit, what are your thoughts on this issue?

Bawolff added subscribers: Yaron_Koren, Nikerabbit.Aug 16 2016, 8:31 PM
Bawolff subscribed.EditedAug 23 2016, 8:24 PM

I'm concerned about SearchHighlighter::highlightText in core

Bawolff claimed this task.Aug 23 2016, 8:54 PM
Bawolff added a comment.Aug 23 2016, 8:57 PM

It should be also noted, that even if you have a high enough version of php not to be vulnerable, anything that allows an arbitrary regex pattern is an easy DOS attack.

Yaron_Koren added a comment.Aug 30 2016, 9:23 PM

Bawolff - are you saying you're concerned about a vulnerability in core MediaWiki? If so, you should open a separate ticket about that - this one is specific to the Replace Text extension.

Bawolff triaged this task as High priority.Sep 20 2016, 8:49 PM
labster added a comment.Sep 21 2016, 6:15 AM

In terms of the DOS attack @Bawolff mentioned, maybe ini_set on some PCRE options would be useful?

http://stackoverflow.com/questions/21842773/php-is-this-a-safe-way-to-allow-user-supplied-regular-expressions

Bawolff added a comment.Sep 27 2016, 3:55 PM

Replace text actually isn't vulnerable to this bug, since it gets its regex via $this->getRequest()->getText(), which normalizes unicode, thus removing any null bytes from the input.

Maybe we should also have an explicit check for null bytes, I'm not sure.

Bawolff mentioned this in T191546: Do a security review of ReplaceText prior to it being bundled with tarball.Apr 10 2018, 9:26 AM
Bawolff added a subscriber: CCicalese_WMF.
Bawolff closed this task as Declined.May 10 2019, 10:02 PM

This is old enough now to no longer be relevant.

Bawolff changed the visibility from "Custom Policy" to "Public (No Login Required)".May 10 2019, 10:03 PM
chasemp added a project: Security.Feb 10 2020, 10:55 PM
chasemp removed a project: acl*security.Feb 20 2020, 8:15 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL