
EntityDataSerializationService - Possible SQL Injection
Closed, ResolvedPublicSecurity

Description

This seems like a possible SQL injection attempt.
The log message says: Unsupported flavor: dump ORDER BY 1-- -

Details

Author Affiliation
WMF Technology Dept

Event Timeline

@Mstyles - could we get some more information about this, specifically some steps to reproduce either on a production or development/test wiki? See also: https://www.mediawiki.org/wiki/Reporting_security_bugs#What_to_Include_In_A_Security_Issue_Report. Thanks.

Yeah, sorry, the initial report is low-info. I asked @Mstyles to file quickly during log triage so I could follow up.

Noticed these in logspam-watch:

1       1728    1728    MW..................    .26 e/W/r/i/L/EntityDataSerializationService:333  Unsupported flavor: dump.".(),('..
1       1728    1728    MW..................    .26 e/W/r/i/L/EntityDataSerializationService:333  Unsupported flavor: dump"(,)',..(,
1       1728    1728    MW..................    .26 e/W/r/i/L/EntityDataSerializationService:333  Unsupported flavor: dump AND EXTRACTVALUE(5133,CONCAT(0x5c,0x716b717a71,(SELECT (ELT(5133=5133,1))),0x7176767671))
1       1728    1728    MW..................    .26 e/W/r/i/L/EntityDataSerializationService:333  Unsupported flavor: dump) AND EXTRACTVALUE(5133,CONCAT(0x5c,0x716b717a71,(SELECT (ELT(5133=5133,1))),0x7176767671)) AND (1988=1988
1       1728    1728    MW..................    .26 e/W/r/i/L/EntityDataSerializationService:333  Unsupported flavor: dump') AND EXTRACTVALUE(5133,CONCAT(0x5c,0x716b717a71,(SELECT (ELT(5133=5133,1))),0x7176767671)) AND ('HyZL'='HyZL
1       1728    1728    MW..................    .26 e/W/r/i/L/EntityDataSerializationService:333  Unsupported flavor: dump' AND EXTRACTVALUE(5133,CONCAT(0x5c,0x716b717a71,(SELECT (ELT(5133=5133,1))),0x7176767671)) AND 'Nsos'='Nsos
1       1728    1728    MW..................    .26 e/W/r/i/L/EntityDataSerializationService:333  Unsupported flavor: dump AND EXTRACTVALUE(5133,CONCAT(0x5c,0x716b717a71,(SELECT (ELT(5133=5133,1))),0x7176767671))-- nObf
1       1728    1728    MW..................    .26 e/W/r/i/L/EntityDataSerializationService:333  Unsupported flavor: dump AND EXTRACTVALUE(5185,CONCAT(0x5c,0x716a6a6a71,(SELECT (ELT(5185=5185,1))),0x7162787171))
1       1728    1728    MW..................    .26 e/W/r/i/L/EntityDataSerializationService:333  Unsupported flavor: dump) AND EXTRACTVALUE(5185,CONCAT(0x5c,0x716a6a6a71,(SELECT (ELT(5185=5185,1))),0x7162787171)) AND (3878=3878
1       1728    1728    MW..................    .26 e/W/r/i/L/EntityDataSerializationService:333  Unsupported flavor: dump') AND EXTRACTVALUE(5185,CONCAT(0x5c,0x716a6a6a71,(SELECT (ELT(5185=5185,1))),0x7162787171)) AND ('aaez'='aaez
1       1728    1728    MW..................    .26 e/W/r/i/L/EntityDataSerializationService:333  Unsupported flavor: dump' AND EXTRACTVALUE(5185,CONCAT(0x5c,0x716a6a6a71,(SELECT (ELT(5185=5185,1))),0x7162787171)) AND 'esXq'='esXq
1       1728    1728    MW..................    .26 e/W/r/i/L/EntityDataSerializationService:333  Unsupported flavor: dump AND EXTRACTVALUE(5185,CONCAT(0x5c,0x716a6a6a71,(SELECT (ELT(5185=5185,1))),0x7162787171))-- jaxA
1       1728    1728    MW..................    .26 e/W/r/i/L/EntityDataSerializationService:333  Unsupported flavor: dump'dLxmfS<'">FMvMwY
1       1728    1728    MW..................    .26 e/W/r/i/L/EntityDataSerializationService:333  Unsupported flavor: dump'lYUPga<'">HTwLtL

Will dig a request ID and stack trace out of logstash momentarily.

Ok, so 24 along these lines in logstash:

URL: http://www.wikidata.org/wiki/Special:EntityData/Q48041.ttl?flavor=dump%20ORDER%20BY%201--%20-

Trace:

Unsupported flavor: dump ORDER BY 1-- -
#0 /srv/mediawiki/php-1.36.0-wmf.26/extensions/Wikibase/repo/includes/LinkedData/EntityDataSerializationService.php(359): Wikibase\Repo\LinkedData\EntityDataSerializationService->getFlavor(string)
#1 /srv/mediawiki/php-1.36.0-wmf.26/extensions/Wikibase/repo/includes/LinkedData/EntityDataSerializationService.php(158): Wikibase\Repo\LinkedData\EntityDataSerializationService->createRdfBuilder(string, string)
#2 /srv/mediawiki/php-1.36.0-wmf.26/extensions/Wikibase/repo/includes/LinkedData/EntityDataRequestHandler.php(517): Wikibase\Repo\LinkedData\EntityDataSerializationService->getSerializedData(string, Wikibase\Lib\Store\EntityRevision, NULL, array, string)
#3 /srv/mediawiki/php-1.36.0-wmf.26/extensions/Wikibase/repo/includes/LinkedData/EntityDataRequestHandler.php(266): Wikibase\Repo\LinkedData\EntityDataRequestHandler->showData(WebRequest, OutputPage, string, Wikibase\DataModel\Entity\ItemId, integer)
#4 /srv/mediawiki/php-1.36.0-wmf.26/extensions/Wikibase/repo/includes/Specials/SpecialEntityData.php(117): Wikibase\Repo\LinkedData\EntityDataRequestHandler->handleRequest(string, WebRequest, OutputPage)
#5 /srv/mediawiki/php-1.36.0-wmf.26/includes/specialpage/SpecialPage.php(645): Wikibase\Repo\Specials\SpecialEntityData->execute(string)
#6 /srv/mediawiki/php-1.36.0-wmf.26/includes/specialpage/SpecialPageFactory.php(1405): SpecialPage->run(string)
#7 /srv/mediawiki/php-1.36.0-wmf.26/includes/MediaWiki.php(310): MediaWiki\SpecialPage\SpecialPageFactory->executePath(Title, RequestContext)
#8 /srv/mediawiki/php-1.36.0-wmf.26/includes/MediaWiki.php(944): MediaWiki->performRequest()
#9 /srv/mediawiki/php-1.36.0-wmf.26/includes/MediaWiki.php(548): MediaWiki->main()
#10 /srv/mediawiki/php-1.36.0-wmf.26/index.php(53): MediaWiki->run()
#11 /srv/mediawiki/php-1.36.0-wmf.26/index.php(46): wfIndexMain()
#12 /srv/mediawiki/w/index.php(3): require(string)
#13 {main}

Request ID: YAhoTwpAMNUAAHyBCTgAAAAQ

Looks like the code is doing what it's supposed to and throwing an exception, so I don't think there's an actual Vuln-Inject happening here. These are likely random, scripted attacks either from a hostile entity or a "security researcher" attempting to pop something. Perhaps there's a question of whether that exception could be handled more gracefully, given the easily-fuzzed GET param, but that would be a choice for WMDE folks with regard to how serious a logspam problem this currently is or could become.

Ack, yeah. Looked worse on first glance than it is. We'd always prefer that bad input to some GET param not clutter logs, but it also seems like a one-off attack at the moment, not a high volume coming in.

sbassett claimed this task.
sbassett triaged this task as Low priority.
sbassett moved this task from Incoming to Our Part Is Done on the Security-Team board.

I'm going to resolve this for now, as there does not appear to be an actual sqli issue here, since the exception is being caught and thrown as expected. If WMDE or anyone else would like to address potential exception-handling or logging issues, then I suppose this task could be re-opened or a new task filed.
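The two points raised above, that the flavor value never reaches a query because it is compared against a fixed allowlist, and that the remaining problem is log noise from an unhandled exception, can be shown with a small triage script. This is an added example, not Wikibase's own code: the allowlist values other than "dump", the probe-detection regexes, and the function names are assumptions for illustration, and the sample log lines are constructed from the entries quoted in this task.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Flavor names the endpoint accepts. "dump" appears in the task; "simple" and
# "full" are assumed placeholder values for this example, not a claim about
# Wikibase's real allowlist.
ALLOWED_FLAVORS = frozenset({"dump", "simple", "full"})

# Signatures typical of automated SQL-injection probing (assumed heuristics,
# used only to label log noise during triage; the allowlist is the control).
SQLI_PROBE = re.compile(
    r"(?i)(\b(order\s+by|union\s+select|extractvalue|updatexml)\b"
    r"|--\s|\b\d+=\d+\b|'\s*(and|or)\s+')"
)
# Quote/angle-bracket fuzzing: canaries that test whether input is echoed back.
QUOTE_FUZZ = re.compile(r"""['"<>]""")

# Shape of the logspam-watch lines quoted in the task.
LOG_LINE = re.compile(
    r"EntityDataSerializationService:\d+\s+Unsupported flavor: (?P<flavor>.*)$"
)

# Constructed sample: four lines modelled on the task's log output plus one
# unrelated entry that the triage loop must skip.
SAMPLE_LOG = [
    "1 1728 1728 MW.................. .26 e/W/r/i/L/EntityDataSerializationService:333  "
    "Unsupported flavor: dump.\".(),('..",
    "1 1728 1728 MW.................. .26 e/W/r/i/L/EntityDataSerializationService:333  "
    "Unsupported flavor: dump AND EXTRACTVALUE(5133,CONCAT(0x5c,0x716b717a71,"
    "(SELECT (ELT(5133=5133,1))),0x7176767671))",
    "1 1728 1728 MW.................. .26 e/W/r/i/L/EntityDataSerializationService:333  "
    "Unsupported flavor: dump AND EXTRACTVALUE(5133,CONCAT(0x5c,0x716b717a71,"
    "(SELECT (ELT(5133=5133,1))),0x7176767671))-- nObf",
    "1 1728 1728 MW.................. .26 e/W/r/i/L/EntityDataSerializationService:333  "
    "Unsupported flavor: dump'dLxmfS<'\">FMvMwY",
    "1 5 5 MW.................. .26 e/W/SomeOtherService:12  Some unrelated message",
]


def flavor_from_url(url):
    """Return the percent-decoded flavor GET parameter, or None if absent."""
    values = parse_qs(urlsplit(url).query).get("flavor")
    return values[0] if values else None


def validate_flavor(raw):
    """Allowlist check that a request handler can map to an HTTP 400.

    Returns (True, flavor) for an accepted value (None means the default
    flavor) and (False, reason) otherwise. The untrusted string is only ever
    compared against ALLOWED_FLAVORS, so it cannot reach a query; rejecting it
    here instead of raising avoids the exception-driven log spam in the task.
    """
    if raw is None:
        return True, None
    if raw in ALLOWED_FLAVORS:
        return True, raw
    return False, "unsupported flavor"


def classify_flavor(value):
    """Label one flavor string for triage: valid, sqli-probe, quote-fuzz or other."""
    if value in ALLOWED_FLAVORS:
        return "valid"
    if SQLI_PROBE.search(value):
        return "sqli-probe"
    if QUOTE_FUZZ.search(value):
        return "quote-fuzz"
    return "other"


def triage_log(lines):
    """Count 'Unsupported flavor' entries by label; other log lines are skipped."""
    counts = {}
    for line in lines:
        match = LOG_LINE.search(line)
        if match is None:
            continue
        label = classify_flavor(match.group("flavor"))
        counts[label] = counts.get(label, 0) + 1
    return counts


if __name__ == "__main__":
    # The request URL from the task, run through the same allowlist check.
    url = ("http://www.wikidata.org/wiki/Special:EntityData/Q48041.ttl"
           "?flavor=dump%20ORDER%20BY%201--%20-")
    print(flavor_from_url(url), "->", validate_flavor(flavor_from_url(url)))
    print(triage_log(SAMPLE_LOG))
```

Running it labels the task's entries as two SQL-injection probes and two quote-fuzzing canaries, which matches the assessment that this is scanner noise rather than a working injection; a handler that turned the `(False, reason)` result into a 400 response would keep those requests out of the exception log entirely.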

sbassett changed the visibility from "Custom Policy" to "Public (No Login Required)". Jan 25 2021, 4:35 PM
sbassett changed the edit policy from "Custom Policy" to "All Users".