Page MenuHomePhabricator

PostgreSQL: "syntax error in tsquery" when search term contains apostrophes
Open, NormalPublic

Description

Author: roberthend15

Description:
I found a SQL injection in the search form.
If you enter a single quote into the form the postgreSQL server respond with the following error:

Warning: pg_query(): Query failed: ERROR: syntax error in tsquery: "'" in <FULLPATH>\DatabasePostgres.php on line 584 Sorry, that was not a valid search string. Please go back and try again

Wich means the server is vulrnable to an SQL injection.

Reproduce:

  1. go to the main wiki page
  2. Enter the single quote into the search form

Shortcut to the bug:

https://wiki.<WEBSITE-NAME>.org/en/Special:Search?search=%27&go=Go

Note that the %27 is the single quote character !

Originaly found at:
https://wiki.mageia.org/en/Special:Search?search=%27&go=Go
(Already told them about this)

Robert Hendriks


Version: 1.20.x
Severity: normal
Platform: PC

Details

Reference
bz35043

Event Timeline

bzimport raised the priority of this task from to Normal.
bzimport set Reference to bz35043.
bzimport added a subscriber: Unknown Object (MLST).
bzimport created this task.Mar 7 2012, 10:50 PM

Could you test this against 1.18?

saper added a comment.Mar 8 2012, 8:15 PM

Reproduced in trunk (r113364)

saper added a comment.Mar 8 2012, 9:53 PM
  • Bug 31006 has been marked as a duplicate of this bug. ***
saper added a comment.Mar 8 2012, 11:17 PM

I don't think it's an SQL injection problem.

There is a problem with proper quoting of lexemes passed over to to_tsquery() function.

What we do in this case is:

trunk=> select to_tsquery('''');
ERROR: syntax error in tsquery: "'"

Somebody ran into a similar problem here:

http://archives.postgresql.org/pgsql-sql/2008-08/msg00027.php

It's an arbitrary parameter to_tsquery(), not arbitrary SQL, and my reading of the relevant manual section:

http://www.postgresql.org/docs/8.4/interactive/datatype-textsearch.html

suggests that this is not exploitable. The operations which can be performed are very limited. So I'm changing the component, severity and summary.

karun.84 wrote:

I have submitted a patch to check for ' to gerrit, to stop the database error appearing.
https://gerrit.wikimedia.org/r/#/c/23064/

(In reply to comment #6)

I have submitted a patch to check for ' to gerrit

Patch needs improvement according to review - Karun, would you have time?

Patch needs improvement according to review - Karun, would you have time?

Change 23064 had a related patch set uploaded by Tim Landscheidt:
Escape apostrophes in search terms for PostgreSQL

https://gerrit.wikimedia.org/r/23064

Jdforrester-WMF added a subscriber: Jdforrester-WMF.

Migrating from the old tracking task to a tag for PostgreSQL-related tasks.

Restricted Application added projects: Discovery, Discovery-Search. · View Herald TranscriptNov 2 2016, 8:16 PM
Deskana set Security to None.
Deskana added a subscriber: Deskana.

Removing Discovery and Discovery-Search; our primary responsibility is to users of the Wikimedia sites, and we do not use Postgres there.

Change 23064 had a related patch set uploaded (by Tim Landscheidt):
[mediawiki/core] Escape apostrophes in search terms for PostgreSQL

https://gerrit.wikimedia.org/r/23064

scfc removed a project: Security.Mar 1 2017, 9:55 PM
scfc added a subscriber: tstarling.

(As @tstarling already assessed in T37043#399694, this is not exploitable.)