Page MenuHomePhabricator

Possible DoS vulnerability in MediaWiki
Closed, ResolvedPublic

Description

patch from Kevin

I'm the "Wikipedia user PleaseStand" who reported the clickjacking
vulnerability in 2010, and I think I have another security issue to report.

On the English Wikipedia's technical village pump, user Kelisi reported
that a certain article's history page would show a "Fatal exception of
type MWException" only when he was logged in.[1]

I debugged the issue and found that the cause was an inefficient regex
in includes/Linker.php in core MediaWiki. Specifically, the regex hit
the PCRE backtrack limit while processing an edit summary,[2] so
preg_replace_callback() returned null. The fatal exception occurred when
the null value was to be inserted as a message parameter.

I'm reporting this issue through private e-mail, as I know such
exponential behavior can allow for denial of service attacks, and I'm
sure the vandals would enjoy making it hard for people to revert their
edits :)

They just have to put something like this in their edit summaries:

[[aaaa]|aaaa]|aaaa]| ... (repeated at least 13 times more)

and that would break recent changes, watchlists, and history pages all
at once. The API, by the way, just returns null for the "parsedcomment".

I have attached a patch that should fix the regex. Feel free to make any
improvements. I've tested it against the recent histories (newest 1000
revisions) of three English Wikipedia articles.

Keep in mind it's possible that someone might inadvertently add
information to the village pump thread that makes it easier to find the
vulnerability (e.g. a broken diff link).

Also, if I would like to report a vulnerability in a user-created
Wikipedia gadget, where should I send the report to? Here? I think I may
have found an unrelated vulnerability in Twinkle, although it might be
tricky to exploit.

Thanks,

Kevin Israel
(Wikipedia user PleaseStand)

[1]
https://en.wikipedia.org/wiki/Wikipedia:Village_pump_%28technical%29#Problem_with_.22Africville.22_article

[2]
https://en.wikipedia.org/w/index.php?title=Africville&oldid=360541408 -
try clicking on one of the diff links


Version: 1.20.x
Severity: normal

Attached:

Details

Reference
bz41400

Event Timeline

bzimport raised the priority of this task from to Needs Triage.Nov 22 2014, 12:45 AM
bzimport set Reference to bz41400.
bzimport added a subscriber: Unknown Object (MLST).

Kevin,

I was able to reproduce the issue, and the patch seems to fix the problem. Thank you!

We have just finalized our next security release, but we'll see if we can include this patch too.

The patch looks fine, although it would have been nice to see some comments embedded in the regex, maybe with /x.

I would also like to see a patch to remove the throw from Message::extractParam(). This is not the first user-visible exception we've seen from it, and throwing an exception instead of replacing the parameter with a placeholder increases the severity from a minor annoyance to a DoS vulnerability. If the error message really needs to be highly visible to developers, trigger_error(..., E_USER_WARNING) could be used.

Created attachment 11274
patch to comment new regex

Attached:

Created attachment 11275
patch to remove the throw

Tim, do you have a specific reason for using trigger_error() directly rather than using wfWarn()? Also, do you have a particular placeholder message in mind that would work in all contexts, or is it fine to just leave $1 alone?

attachment 0001-Remove-the-throw-from-Message-extractParam.patch ignored as obsolete

(In reply to comment #4)

Created attachment 11275 [details]
patch to remove the throw

Tim, do you have a specific reason for using trigger_error() directly rather
than using wfWarn()? Also, do you have a particular placeholder message in mind
that would work in all contexts, or is it fine to just leave $1 alone?

wfWarn() only calls trigger_error() if $wgDevelopmentWarnings is true, which it usually isn't. For example, it is false on Wikimedia. I even have it switched off on my test instances, because otherwise I would be constantly spammed with deprecation notices from code I'm not developing.

I was thinking of a more explicit placeholder than $1, like [INVALID].

attachment 0001-Remove-the-throw-from-Message-extractParam.patch ignored as obsolete

Created attachment 11334
patch to remove the throw (2)

Attached:

I've run this set of patches locally, and it looks like it fixes the problem.

Tim, does this look good enough to you to deploy?

(In reply to comment #8)

I've run this set of patches locally, and it looks like it fixes the problem.

Tim, does this look good enough to you to deploy?

Yes, it looks good.

Created attachment 11396
Combined patch for 1.21

Adds all three of Kevin's patches in one file.

Attached:

  • This bug has been marked as a duplicate of bug 38566 ***