
SQL injection point in BlogPage::getEditorsList() *and* BlogPage::getVotersList()
Closed, Resolved · Public

Description

2006 called, they want their non-escaping "escaping" back.

Proposed and tested patch:

Index: BlogPageClass.php
===================================================================
diff --git a/trunk/BlogPageClass.php b/trunk/BlogPageClass.php
--- a/trunk/BlogPageClass.php	(revision 83)
+++ b/trunk/BlogPageClass.php	(working copy)
@@ -506,7 +506,7 @@
 
 			// Get authors and exclude them
 			foreach ( $this->authors as $author ) {
-				$where[] = 'rev_user_text <> \'' . $author['user_name'] . '\'';
+				$where[] = 'rev_user_text <> ' . $dbr->addQuotes( $author['user_name'] );
 			}
 
 			$res = $dbr->select(
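Review bot: the switch to `$dbr->addQuotes()` is the right fix for this loop, because a `<>` comparison cannot be expressed through the array form of `$conds` that `$dbr->select()` accepts, so the condition has to be built as a string and the value has to be quoted by the database layer. Since `$author['user_name']` is user-controlled, add a one-line comment above the `foreach` saying that the name must go through `addQuotes()`, so a later refactor does not reintroduce the `'\'' . $author['user_name'] . '\''` concatenation.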
@@ -599,7 +599,7 @@
 			// Exclude the authors of the blog post from the list of recent
 			// voters
 			foreach ( $this->authors as $author ) {
-				$where[] = 'username <> \'' . $author['user_name'] . '\'';
+				$where[] = 'username <> ' . $dbr->addQuotes( $author['user_name'] );
 			}
 
 			$res = $dbr->select(
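Review bot: this hunk is the same fix as the first one with only the column name changed (`username` here, `rev_user_text` in getEditorsList()). Both loops walk `$this->authors` and quote the same `user_name` values, so consider computing the quoted author-name list once and reusing it in both methods; as written, a future change to one loop can silently desync from the other.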

cc @lcawte (ShoutWiki), @SamanthaNguyen (Brickimedia)

Event Timeline

Bawolff added a project: Vuln-Inject.
Bawolff subscribed.

Proposed and tested patch:

+1 to this. Said patch would fix the issue.

As an aside, also in this extension

  • if ( !preg_match( '/' . $blogUserCat . '/', $tag ) ) { - Minor issue, but should use preg_quote (Could lead to DOS). Ditto for line 159 of BlogPageClass.php
  • Line 998 of BlogPageClass.php - "#comment-{$comment['comment_id']}\" title=\"{$page_title->getText()}\">{$comment_text}</a></span>"; - $page_title could contain a quote character. This could lead to an XSS.
  • CreateBlogPost.js line 12. Consider using something other than innerHTML. (e.g. jquery's .text() ), since html isn't needed and makes the function unnecessarily dangerous.
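The three PHP sinks discussed on this task (the SQL concatenation the patch fixes, the unquoted `preg_match()` pattern and the unescaped `title` attribute) all share one root cause: a value is dropped into a new context without that context's escaping. The following is an added example, not code from the BlogPage extension, written in plain PHP so it runs without MediaWiki. `addQuotesStandIn()` is a simplified stand-in for `Database::addQuotes()` (assumption: MySQL-style quoting); the function names, the sample user name, category and title are constructed for illustration.

```php
<?php
// Added example, not code from the BlogPage extension. It contrasts the
// three unsafe concatenations named on this task with context-specific
// escaping, using plain PHP so it runs outside MediaWiki.

// Constructed sample inputs.
$userName    = "O'Brien";        // a user name containing a single quote
$blogUserCat = 'Blog.Posts';     // a category name with a regex metacharacter
$pageTitle   = 'Say "hi" <now>'; // a title with double quotes and angle brackets

// --- SQL: the pattern fixed by the patch --------------------------------
// Simplified stand-in for Database::addQuotes() (assumption: MySQL-style
// quoting; the real method is backend-specific and handles more types).
function addQuotesStandIn(?string $value): string {
    if ($value === null) {
        return 'NULL';
    }
    // Escape backslashes first so the backslashes added for quotes are not doubled.
    return "'" . str_replace(["\\", "'"], ["\\\\", "\\'"], $value) . "'";
}

// Before: the quote inside the name terminates the SQL literal early, so
// whatever follows the quote becomes SQL rather than data.
function whereUnsafe(string $name): string {
    return 'rev_user_text <> \'' . $name . '\'';
}

// After: the whole value stays inside one escaped literal.
function whereSafe(string $name): string {
    return 'rev_user_text <> ' . addQuotesStandIn($name);
}

// --- Regex: the preg_match() aside -------------------------------------
// Before: the category name is compiled as a pattern, so '.' matches any
// character (a false positive) and a crafted name can also be an
// expensive pattern for the regex engine.
function tagMatchesUnsafe(string $cat, string $tag): bool {
    return (bool) preg_match('/' . $cat . '/', $tag);
}

// After: preg_quote() escapes metacharacters and the '/' delimiter, so the
// comparison is a literal substring match.
function tagMatchesSafe(string $cat, string $tag): bool {
    return (bool) preg_match('/' . preg_quote($cat, '/') . '/', $tag);
}

// --- HTML: the title attribute aside -----------------------------------
// $commentHtml is assumed to be already-safe HTML, as in the original line;
// the title text is raw and must be attribute-escaped with ENT_QUOTES so
// both quote kinds are encoded. Inside MediaWiki, Html::element() and
// Html::rawElement() do this escaping for you.
function commentLinkSafe(int $commentId, string $titleText, string $commentHtml): string {
    return '<span><a href="#comment-' . $commentId . '" title="'
        . htmlspecialchars($titleText, ENT_QUOTES) . '">' . $commentHtml . '</a></span>';
}

// Show each unsafe form beside its escaped counterpart.
echo whereUnsafe($userName), "\n";
echo whereSafe($userName), "\n";
var_dump(tagMatchesUnsafe($blogUserCat, 'BlogXPosts')); // '.' matches the 'X'
var_dump(tagMatchesSafe($blogUserCat, 'BlogXPosts'));   // literal compare, no match
var_dump(tagMatchesSafe($blogUserCat, 'Blog.Posts'));   // literal compare, match
echo commentLinkSafe(7, $pageTitle, 'hello'), "\n";
```

Run it with `php example.php`. The SQL pair shows the literal broken by the quote in the name versus the value kept inside one literal; the regex pair shows the false positive that `preg_quote()` removes; the HTML line shows the title's quotes and angle brackets encoded so they cannot end the attribute. The innerHTML point in CreateBlogPost.js is the same principle on the client side: if the value is text, assign it as text (jQuery's `.text()` or `textContent`) rather than letting the browser parse it as markup.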
ashley claimed this task.

Now that the patch has been merged, this is resolved.

matmarex changed the visibility from "Custom Policy" to "Public (No Login Required)". Dec 20 2016, 4:00 PM