Page MenuHomePhabricator

Database connection errors display IP address
Closed, ResolvedPublic

Description

Author: sam.w.gabriel

Description:
A database server disconnection, either as the result of a network failure or a failure of the database server itself, results in a message that contains the internal IP address of the database server. This is a security vulnerability.

The code that generates these messages, in includes/db/Database.php is:

<pre>
$sorry = 'Sorry! This site is experiencing technical difficulties.';
$again = 'Try waiting a few minutes and reloading.';
$info = '(Can\'t contact the database server: $1)';

if ( $wgLang instanceof Language ) {
$sorry = htmlspecialchars( $wgLang->getMessage( 'dberr-problems' ) );
$again = htmlspecialchars( $wgLang->getMessage( 'dberr-again' ) );
$info = htmlspecialchars( $wgLang->getMessage( 'dberr-info' ) );
}
</pre>

The dberr-info message is the same as the hard-coded default value for the $info variable. Both contain a variable $1, and the $1 variable is later replaced by the error message from the server. The easiest way to correct the vulnerability is to change the text of the dberr-info message so that it doesn't contain the $1 variable. We want to change

(Cannot contact the database server: $1)

to

(Cannot contact the database server)

There are two ways that this is normally done, one via the wiki user interface and the other via code. To make the change via the wiki, one uses the "System messages" special page in the "Wiki data and tools" category. To make the change via code, one adds a message filter function to the MessagesPreLoad hook.

Both of these methods were tried, and neither was successful. A further review of the code indicated that the ''$wgLang->getMessage'' call bypasses both of the methods described above for changing error messages. If the ''wfMsg'' global function had been used in place of the ''$wgLang->getMessage'' call, the messages could have been changed.

Further testing, however, revealed that the source of the error messages was not the ''$wgLang->getMessage'' call, but the hard-coded strings set above this call.

To correct this issue changes must be made to the following two core files:

  1. includes/db/Database.php
  2. languages/messages/MessagesEn.php

The two sed scripts below, executed on the web server, were found to correct the vulnerability in the MediaWiki 1.16.0 core code in its standard location:

<pre>
sed -r -i.bak "/^'dberr-info'/s/: [$]1//" \

languages/messages/MessagesEn.php

sed -r -i.bak "/[$]info = '[(]Can/s/: [$]1//" \

includes/db/Database.php

</pre>

This problem will be reported to MediaWiki so that the core doesn't need to be patched with each release. The user should be able to change the text of these messages without having to patch core MediaWiki.


Version: 1.16.x
Severity: normal

Details

Reference
bz26811

Event Timeline

bzimport raised the priority of this task from to Normal.Nov 21 2014, 11:15 PM
bzimport set Reference to bz26811.

Behavior should probably be conditional based on $wgShowSQLErrors.

sumanah wrote:

Sam W. Gabriel, would you mind getting developer access https://www.mediawiki.org/wiki/Developer_access and committing your patches, or at least telling us here in BZ whether those are still the diffs between the files in the MediaWiki trunk and the fixed files on your server?

How to submit a patch to our Git repo: https://www.mediawiki.org/wiki/Git/Tutorial

Thank you.

(In reply to comment #0)

a message that contains the internal IP address of the database server. This is a security vulnerability.

That doesn't sound right to me. I'm leaning towards a RESOLVED INVALID here. IPs are not supposed to be private information.

I disagree with the "security vulnerability" part as well; however, this report nevertheless describes an actual bug in the software, in that the database server's IP address may be shown even if both $wgShowHostnames and $wgShowSQLErrors are false.

Note that in some environments, private IP addresses are considered to be sensitive information (cf. PCI-DSS 2.0 Requirement 1.3.8 "Do not disclose private IP addresses and routing information to unauthorized parties.").

Change 52029 merged by jenkins-bot:
Hide server IP addresses from DB error pages

https://gerrit.wikimedia.org/r/52029

(In reply to comment #6)

Change 52029 merged by jenkins-bot:
Hide server IP addresses from DB error pages
https://gerrit.wikimedia.org/r/52029

Patch got merged - can this bug report be closed as RESOLVED FIXED or is more work required?

(In reply to comment #7)

(In reply to comment #6)

Change 52029 merged by jenkins-bot:
Hide server IP addresses from DB error pages
https://gerrit.wikimedia.org/r/52029

Patch got merged - can this bug report be closed as RESOLVED FIXED or is more
work required?

I still have to fix DBUnexpectedError. *Then* I think we can close as RESOLVED FIXED.

Change 89512 had a related patch set uploaded by PleaseStand:
Hide message for DBUnexpectedError exceptions

https://gerrit.wikimedia.org/r/89512

Change 89512 merged by jenkins-bot:
Hide message for DBUnexpectedError exceptions

https://gerrit.wikimedia.org/r/89512

Fixed for DB connection and query errors in 1.22 (when both $wgShowHostnames and $wgShowSQLErrors are false), and fixed for DBUnexpectedErrors in master/1.23 (when $wgShowExceptionDetails is false).