Page MenuHomePhabricator
Create Task
Maniphest T370632

CVE-2024-47849: Cargo: Backticks can allow the usage of not-allowed SQL functions
Closed, ResolvedPublicSecurity
Actions

Description

Steps to replicate the issue (include links if applicable):

  • Go to Special:CargoQuery
  • Enter a table into "Table(s)", IF(_pageNamespace = NULL, 'A', `RAND`())=out into "Field(s)", and 1 into "Limit"
  • Submit the query

What happens?
I get a random number:

havoc.png (710×1 px, 98 KB)

What should have happened instead?
I should've gotten "Error: The SQL function "RAND()" is not allowed."

Software version (on Special:Version page; skip for WMF-hosted wikis like Wikipedia):

  • MediaWiki: 1.42.1 (61e9a5b); 21:29, 12 July 2024
  • PHP: 8.2.20 (fpm-fcgi)
  • MariaDB: 10.11.6-MariaDB-1:10.11.6+maria~deb12-log
  • Cargo: 3.6 (e926bd0); 07:23, 15 July 2024

Other information (browser name/version, screenshots, etc.):
I know that this (at least) affects Miraheze, so I'll add affects-Miraheze and will subscribe a Miraheze tech team member.

This was tested on a Miraheze-hosted wiki, but the wiki in question does not allow RAND():

not chaos.png (186×758 px, 21 KB)

Miraheze issue tracker task: https://issue-tracker.miraheze.org/T12371

Details

Risk Rating
Low
Author Affiliation
Wikimedia Communities
Related Changes in Gerrit:
SubjectRepoBranchLines +/-
Look for function calls inside backticksmediawiki/extensions/Cargomaster+1 -1
Customize query in gerrit

Related Objects

Event Timeline

BlankEclair created this task.Jul 22 2024, 12:56 PM
Restricted Application added a project: affects-Miraheze. · View Herald TranscriptJul 22 2024, 12:56 PM
Restricted Application added a subscriber: Aklapper. · View Herald Transcript
BlankEclair added a project: MediaWiki-extensions-Cargo.Jul 22 2024, 12:58 PM
BlankEclair added subscribers: RhinosF1, Yaron_Koren.
BlankEclair updated the task description. (Show Details)Jul 22 2024, 1:03 PM
Yaron_Koren closed this task as Resolved.Jul 22 2024, 4:03 PM
Yaron_Koren claimed this task.

Fixed in 5e94b1625258. Thanks for pointing this out! I had no idea you could put function names inside backticks.

sbassett mentioned this in T368628: Write and send supplementary release announcement for extensions and skins with security patches (1.39.9/1.41.3/1.42.2).Jul 22 2024, 4:48 PM
sbassett subscribed.

Thanks, @Yaron_Koren. Miraheze folks - are you ok with us making this task public now? This will also be re-announced within the next supplemental security release.

sbassett edited projects, added SecTeam-Processed, Vuln-Inject; removed Security-Team.Jul 22 2024, 4:51 PM
RhinosF1 added a subscriber: Universal_Omega.Sep 18 2024, 8:16 AM
In T370632#10003626, @sbassett wrote:

Thanks, @Yaron_Koren. Miraheze folks - are you ok with us making this task public now? This will also be re-announced within the next supplemental security release.

Sorry for not replying, Yes, I'm happy with this task being made public.

Please feel free to ping me if I ever miss a comment on a Miraheze related security task.

sbassett triaged this task as Low priority.Sep 18 2024, 3:07 PM
sbassett changed Author Affiliation from N/A to Wikimedia Communities.
sbassett changed the visibility from "Custom Policy" to "Public (No Login Required)".
sbassett changed the edit policy from "Custom Policy" to "All Users".
sbassett changed Risk Rating from N/A to Low.
Restricted Application added a subscriber: Reception123. · View Herald TranscriptSep 18 2024, 3:07 PM
Mstyles renamed this task from Cargo: Backticks can allow the usage of not-allowed SQL functions to CVE-2024-47849: Cargo: Backticks can allow the usage of not-allowed SQL functions.Oct 5 2024, 12:30 AM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits