Page MenuHomePhabricator
Create Task
Maniphest T289351

SpecialWhatLinksHere: Trying to get property 'page_id' of non-object
Closed, ResolvedPublicSecurity
Actions

Description

Error
normalized_message
[{reqId}] {exception_url}   PHP Notice: Trying to get property 'page_id' of non-object
exception.trace
from /srv/mediawiki/php-1.37.0-wmf.19/includes/specials/SpecialWhatLinksHere.php(367)
#0 /srv/mediawiki/php-1.37.0-wmf.19/includes/specials/SpecialWhatLinksHere.php(367): MWExceptionHandler::handleError(integer, string, string, integer, array)
#1 /srv/mediawiki/php-1.37.0-wmf.19/includes/specials/SpecialWhatLinksHere.php(146): SpecialWhatLinksHere->showIndirectLinks(integer, Title, integer, integer, string)
#2 /srv/mediawiki/php-1.37.0-wmf.19/includes/specialpage/SpecialPage.php(646): SpecialWhatLinksHere->execute(string)
#3 /srv/mediawiki/php-1.37.0-wmf.19/includes/specialpage/SpecialPageFactory.php(1365): SpecialPage->run(string)
#4 /srv/mediawiki/php-1.37.0-wmf.19/includes/MediaWiki.php(314): MediaWiki\SpecialPage\SpecialPageFactory->executePath(string, RequestContext)
#5 /srv/mediawiki/php-1.37.0-wmf.19/includes/MediaWiki.php(925): MediaWiki->performRequest()
#6 /srv/mediawiki/php-1.37.0-wmf.19/includes/MediaWiki.php(559): MediaWiki->main()
#7 /srv/mediawiki/php-1.37.0-wmf.19/index.php(53): MediaWiki->run()
#8 /srv/mediawiki/php-1.37.0-wmf.19/index.php(46): wfIndexMain()
#9 /srv/mediawiki/w/index.php(3): require(string)
#10 {main}
Notes

197 of these in 1.37.0-wmf.19. URLs of the form:

/w/index.php?hideredirs=1&hidetrans=1&invert=1&limit='"()%26%25<acx><ScRiPt%20>sPWM(9504)</ScRiPt>&namespace=1&title=Special:WhatLinksHere/User_talk:[user]

See logstash for specifics. Filed as a security task out of an abundance of caution, since this is obviously malicious traffic.

Details

Author Affiliation
WMF Technology
Related Changes in Gerrit:
SubjectRepoBranchLines +/-
Fix Special:WhatLinksHere behavior on limit= vs. limit=0mediawiki/coremaster+14 -10
Fix notice for Special:WhatLinksHere?limit=0mediawiki/coreREL1_36+4 -1
Fix notice for Special:WhatLinksHere?limit=0mediawiki/coremaster+4 -1
Customize query in gerrit

Related Objects

Event Timeline

brennen created this task.Aug 20 2021, 1:28 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptAug 20 2021, 1:28 PM
brennen added projects: Platform Engineering, MediaWiki-Special-pages.Aug 20 2021, 1:31 PM
brennen moved this task from To triage to Special:WhatLinksHere on the MediaWiki-Special-pages board.
sbassett edited projects, added SecTeam-Processed; removed Security, Security-Team.EditedAug 20 2021, 2:23 PM
sbassett subscribed.

Not sure about the page_id non-object notice, but this does not appear to be a legitimate security issue. The XSS within the example in the task description doesn't render, and shouldn't, given the relevant code is validating limit to be an int within a certain range. The rest of the default/form options also appear to be well-validated. From the errors I'm seeing in logstash, it looks like someone ran a bunch of basic XSS, SQLi, etc. payloads against the limit request parameter which did not succeed in triggering any of the intended vulnerabilities but did induce the page_id non-object notice.

I guess it is of marginal interest that these all seem to be against the same enwiki user's talk page, but that could mean anything, and the only elevated privilege they have is patroller on enwiki. One other item of note - some of the payloads seem to reference the bxss.me domain, which would imply commercial scanners from Acunetix, which are not inexpensive.

dancy subscribed.Aug 24 2021, 6:36 PM
dancy added a comment.Aug 24 2021, 7:44 PM

These are still happening from time to time, generating log noise.

sbassett added a comment.EditedAug 24 2021, 8:17 PM

Not that this needs to be a security patch (it can go through gerrit) but this should fix the immediate issue of better handling the non-object error. Tested fine locally against master (89259d5a61):

02-T289351.patch1 KBDownload

daniel added a project: Patch-For-Review.Aug 24 2021, 9:56 PM
daniel subscribed.Aug 24 2021, 10:10 PM
In T289351#7306214, @sbassett wrote:

Not that this needs to be a security patch (it can go through gerrit) but this should fix the immediate issue of better handling the non-object error. Tested fine locally against master (89259d5a61):

The patch seems to hide the underlying issue, rather than fix it. Basically, $rows is a list of database rows -- except that apparently, one of the entries in $rows is actually not. It looks like $rows is put together by iterating over ResultSets, it should not be possible for them to return things that are note database rows.

I agree that this doesn't seem to be exploitable, but it's not clear to me what is actually happening. In particular, it's not clear whether this request manages to do something odd in a database query.

You said you tested it locally - were you able to reproduce the error locally as well? Can you describe the steps you took?

tstarling changed the visibility from "Custom Policy" to "Public (No Login Required)".Aug 26 2021, 8:51 PM
tstarling changed the edit policy from "Custom Policy" to "All Users".
tstarling subscribed.

I set the policy to public, since this is not a security issue.

RhinosF1 subscribed.Aug 26 2021, 8:54 PM
dancy mentioned this in T281161: 1.37.0-wmf.20 deployment blockers.Aug 26 2021, 10:07 PM
Zabe subscribed.Aug 26 2021, 10:11 PM
sbassett added a comment.EditedAug 27 2021, 5:26 PM
In T289351#7306626, @daniel wrote:

The patch seems to hide the underlying issue, rather than fix it. Basically, $rows is a list of database rows -- except that apparently, one of the entries in $rows is actually not. It looks like $rows is put together by iterating over ResultSets, it should not be possible for them to return things that are note database rows.

I don't think they are, at least not intentionally. Looking at this a bit more, the page_id non-object error seems to be related to the quirk of php casting strings to an integer value of 0. So, in the example within the task description, when limit is set to a string (e.g. an XSS payload), the conditionals comparing $numRows to $limit in the relevant block within includes/specials/SpecialWhatLinksHere.php allow code to execute that shouldn't. Yes, my patch papers over this and doesn't necessarily fix the underlying issue. I'm not entirely sure what the best solution would be though - certainly we don't just want to throw fatals here for non-integer values of limit since that wouldn't address the logspam issue.

You said you tested it locally - were you able to reproduce the error locally as well? Can you describe the steps you took?

Yes, I tested locally within mediawiki-docker by both hard-coding some data injections and by browsing to links like the one within the task description, with different fuzzed values of limit.

Umherirrender added a project: Wikimedia-production-error.Aug 28 2021, 7:47 PM
Umherirrender subscribed.Aug 28 2021, 8:00 PM

It is also possible to trigger an error with limit 0 - https://en.wikipedia.org/wiki/Special:WhatLinksHere/Main_Page?limit=0
All the strings are treated as 0 and therefor the same.

Maybe a upper limit of 1 is better for a limit parameter

tstarling added a comment.Aug 30 2021, 5:02 AM

I considered just passing 1 for the minimum limit when it calls validateIntBounds(), here and in the other special pages that call that function. But the other special pages apparently work when limit=0 is passed, and this one can also work with a trivial patch. Showing no results for limit=0 seems to best follow the user's intentions, and there might be valid reasons for doing that, for example to view the headers and footers on a special page.

gerritbot added a comment.Aug 30 2021, 5:02 AM

Change 715346 had a related patch set uploaded (by Tim Starling; author: Tim Starling):

[mediawiki/core@master] Fix notice for Special:WhatLinksHere?limit=0

https://gerrit.wikimedia.org/r/715346

tstarling triaged this task as High priority.Aug 30 2021, 5:08 AM
gerritbot added a comment.Aug 30 2021, 4:01 PM

Change 715548 had a related patch set uploaded (by Thiemo Kreuz (WMDE); author: Thiemo Kreuz (WMDE)):

[mediawiki/core@master] Make Special:WhatLinksHere ignore limit=

https://gerrit.wikimedia.org/r/715548

gerritbot added a comment.Aug 31 2021, 12:13 AM

Change 715346 merged by jenkins-bot:

[mediawiki/core@master] Fix notice for Special:WhatLinksHere?limit=0

https://gerrit.wikimedia.org/r/715346

ReleaseTaggerBot added a project: MW-1.37-notes (1.37.0-wmf.21; 2021-08-30).Aug 31 2021, 1:00 AM
Umherirrender closed this task as Resolved.Aug 31 2021, 7:39 PM
Umherirrender assigned this task to tstarling.
Umherirrender removed a project: Patch-For-Review.
BEANS-X2 subscribed.Sep 1 2021, 10:22 AM
Krinkle moved this task from Untriaged to Aug 2021 on the Wikimedia-production-error board.Sep 5 2021, 12:22 AM
gerritbot added a comment.Mar 28 2022, 1:16 PM

Change 774471 had a related patch set uploaded (by Reedy; author: Tim Starling):

[mediawiki/core@REL1_36] Fix notice for Special:WhatLinksHere?limit=0

https://gerrit.wikimedia.org/r/774471

gerritbot added a project: Patch-For-Review.Mar 28 2022, 1:16 PM
gerritbot added a comment.Mar 28 2022, 1:31 PM

Change 774471 abandoned by Reedy:

[mediawiki/core@REL1_36] Fix notice for Special:WhatLinksHere?limit=0

Reason:

https://gerrit.wikimedia.org/r/774471

gerritbot added a comment.May 22 2023, 2:00 AM

Change 715548 merged by jenkins-bot:

[mediawiki/core@master] Fix Special:WhatLinksHere behavior on limit= vs. limit=0

https://gerrit.wikimedia.org/r/715548

ReleaseTaggerBot added a project: MW-1.41-notes (1.41.0-wmf.10; 2023-05-23).May 22 2023, 3:00 AM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits