Syntax error when searching for ' on a postgres backed in MediaWiki
Open, Medium, Public

Description

Hi,
I have found a possible information disclosure bug in the site (mediawiki-1.32.3)

Bug: [Information Disclosure leads to disclosure of the database query and database name]

Steps to reproduce:

1. Open the MediaWiki using the site https://wiki.mahara.org
2. Go to the search bar, enter a single quote (') in the search box, and search.
3. You will get a database query error that discloses information about the DB.
4. I won't move further to get the database tables; I stopped there...

Vulnerable URL with payload: https://wiki.mahara.org/index.php?search='

DB Error Information:

[XX8dCLpOheXeQVoKqPS3LgAAAAU] /index.php?search=%27+--%2B Wikimedia\Rdbms\DBQueryError from line 1506 of /usr/share/mediawiki-1.32.3/includes/libs/rdbms/database/Database.php: A database query error has occurred. Did you forget to run your application's database schema updater after upgrading?
Query: SELECT to_tsquery(''' & ! -+')
Function: Wikimedia\Rdbms\Database::query
Error: 42601 ERROR: syntax error in tsquery: "' & ! -+"

Screenshot from 2019-09-19 19-56-30.png (887×1 px, 160 KB)

Event Timeline

This is expected behaviour if the wiki has debug settings set to display this information

See https://www.mediawiki.org/wiki/Manual:How_to_debug#SQL_errors for more information

Reedy renamed this task from "mediawiki software(mediawiki-1.32.3 for built-in search capabilities) shows the database error information to the end user (or attacker)" to "Searching for ' on a postgres backed wiki results in a database query error". Sep 19 2019, 2:49 PM

Hi, you mean the website using wiki media should disable the error log?

MediaWiki, but yes. If they want to hide it, there's configuration to do so. And if it's showing it, it means the system administrators have chosen to do so.

sbassett triaged this task as Medium priority. Sep 19 2019, 3:33 PM
sbassett subscribed.
Aklapper renamed this task from "Searching for ' on a postgres backed wiki results in a database query error" to "Syntax error when searching for ' on a postgres backed in MediaWiki". Sep 20 2019, 10:21 AM
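
A check an administrator can run over the body of their own wiki's error response to see which details it exposes, using the error text quoted in the description as input. This is an added example, not part of the original task or of MediaWiki; the pattern names, function names and the terse sample (an assumed shape for a page with details hidden) are constructed for illustration.

```python
import re

# Constructed sample: the verbose error text quoted in the task description.
VERBOSE = r"""[XX8dCLpOheXeQVoKqPS3LgAAAAU] /index.php?search=%27+--%2B Wikimedia\Rdbms\DBQueryError from line 1506 of /usr/share/mediawiki-1.32.3/includes/libs/rdbms/database/Database.php: A database query error has occurred. Did you forget to run your application's database schema updater after upgrading?
Query: SELECT to_tsquery(''' & ! -+')
Function: Wikimedia\Rdbms\Database::query
Error: 42601 ERROR: syntax error in tsquery: "' & ! -+"
"""

# Constructed sample (assumed shape) of an error page with details hidden.
TERSE = '[XX8dCLpOheXeQVoKqPS3LgAAAAU] 2019-09-19 14:26:30: Fatal exception of type "Wikimedia\\Rdbms\\DBQueryError"\n'

# Each pattern captures one detail an error page should not hand to visitors.
LEAK_PATTERNS = {
    "sql_query": re.compile(r"^Query:\s*(.+)$", re.M),
    "db_function": re.compile(r"^Function:\s*(.+)$", re.M),
    "sqlstate": re.compile(r"^Error:\s*([0-9A-Z]{5})\b", re.M),
    "server_path": re.compile(r"from line \d+ of (/\S+?\.php)"),
    "software_version": re.compile(r"mediawiki-(\d+(?:\.\d+)+)"),
}


def find_leaks(body: str) -> dict:
    """Return {detail_name: leaked_value} for every detail present in body."""
    leaks = {}
    for name, pattern in LEAK_PATTERNS.items():
        match = pattern.search(body)
        if match:
            leaks[name] = match.group(1).strip()
    return leaks


def is_verbose_db_error(body: str) -> bool:
    """True when the page shows the query or SQLSTATE, not just an error id."""
    leaks = find_leaks(body)
    return "sql_query" in leaks or "sqlstate" in leaks


if __name__ == "__main__":
    for label, body in (("verbose", VERBOSE), ("terse", TERSE)):
        print(label, is_verbose_db_error(body), find_leaks(body))
```

The manual section linked in the first reply covers the settings that control whether this detail is shown.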