Archive: Improving the NiceCategoryList MediaWiki extension
Problem: Vulnerable to SQL injection attacks, because it passes user input directly into SQL commands. This may lead to user accounts being hijacked, wiki content being compromised, private data being leaked, malware being injected, and the entire wiki content being erased, among other things.
Solution: make proper use of MediaWiki's database class instead of concatenating raw SQL.
The fixed version will become version ncl4.
The current version to be improved
On GitHub:
The solution
Example
The following code snippet would allow an attacker to execute their own SQL commands (and is a syntax error in Oracle).
$limit = $wgRequest->getVal( 'limit' ); // raw request value, not validated
$res = $db->query( "SELECT * from kitties LIMIT $limit" ); // interpolated straight into the SQL
The preferred way to run the above query would be:
$limit = $wgRequest->getVal( 'limit' );
$limit = intval( $limit ); // OPTIONAL validation
$res = $db->select( 'kitties',
	'*',
	false,
	__METHOD__,
	array( 'LIMIT' => $limit ) // REQUIRED automatic escaping
);
The existing code in ncl2
private function getCategoryLinks( $dbr, $title ) {
	// query database: conditions are passed as an array, so the
	// category name is escaped by the Database class
	$res = $dbr->select(
		array( 'page', 'categorylinks' ),
		array( 'page_title', 'page_namespace', 'cl_sortkey' ),
		array( 'cl_from = page_id', 'cl_to' => $title->getDBkey() ),
		'',
		array( 'ORDER BY' => 'cl_sortkey' )
	);
	if ( $res === false ) {
		return array();
	}
	// convert results list into an array
	$list = array();
	while ( $x = $dbr->fetchObject( $res ) ) {
		$list[] = $x;
	}
	// free the results
	$dbr->freeResult( $res );
	return $list;
}
MediaWiki resources
- Talk page of Manual:Database_access. With an array it would be safe!
SQL Injection
How safe are these functions against SQL injection? Does the extension coder have to take care of this themselves?
If you feed an array to select, it's safe. If you construct a string, even a string to be passed to ::select, then it's up to you to take care of safety.
- The solution proposed by an unknown contributor on the NiceCategoryList2/3.0 talk page
$sql = "SELECT p.page_id AS pid, p.page_title AS title, t.old_text as text FROM page p
INNER JOIN revision r ON p.page_latest = r.rev_id
INNER JOIN text t ON r.rev_text_id = t.old_id
INNER JOIN categorylinks c ON c.cl_from = p.page_id
INNER JOIN searchindex s ON s.si_page = p.page_id
WHERE c.cl_to='".$title."' ORDER BY p.page_title ASC";
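The proposed query above still concatenates $title into the SQL string, which is exactly what the Manual:Database_access answer warns about. As an added example (not code from the original page or from the NiceCategoryList extension), here is the same join written with the array form of $dbr->select(), so that the category name is quoted by the Database class. It assumes the pre-1.31 schema the proposed query uses (revision.rev_text_id and the text table), drops the unused searchindex join, and takes $dbr and $title exactly as getCategoryLinks() does; the method names are hypothetical.

```php
// Added example, not part of the original page or the NiceCategoryList
// extension. Rebuilds the talk-page join query with the MediaWiki Database
// class so that the category name is escaped automatically.
// Assumptions: pre-1.31 schema (revision.rev_text_id, text table); $dbr is a
// read-replica Database handle and $title a Title object; names are hypothetical.
private function getCategoryPagesWithText( $dbr, $title ) {
	$res = $dbr->select(
		// tables, aliased as in the hand-written query
		array(
			'p' => 'page',
			'r' => 'revision',
			't' => 'text',
			'c' => 'categorylinks',
		),
		// fields, with the aliases the query used
		array( 'pid' => 'p.page_id', 'title' => 'p.page_title', 'text' => 't.old_text' ),
		// conditions: in array form the value is quoted by the Database
		// class, so a crafted category name cannot close the string literal
		// and append SQL of its own
		array( 'c.cl_to' => $title->getDBkey() ),
		__METHOD__,
		array( 'ORDER BY' => 'p.page_title ASC' ),
		// join conditions replace the INNER JOIN ... ON clauses
		array(
			'r' => array( 'INNER JOIN', 'p.page_latest = r.rev_id' ),
			't' => array( 'INNER JOIN', 'r.rev_text_id = t.old_id' ),
			'c' => array( 'INNER JOIN', 'c.cl_from = p.page_id' ),
		)
	);
	// ResultWrapper is iterable; collect the rows as getCategoryLinks() does
	$list = array();
	foreach ( $res as $row ) {
		$list[] = $row;
	}
	return $list;
}

// If a raw SQL string really is unavoidable (the talk-page answer says
// safety is then the coder's own job), the value must go through the
// connection's quoting function instead of plain concatenation.
private function categoryCondition( $dbr, $title ) {
	return 'c.cl_to = ' . $dbr->addQuotes( $title->getDBkey() );
}
```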
SQL injection stress test
- https://www.owasp.org/index.php/Appendix_A:_Testing_Tools#Testing_for_SQL_Injection
- https://www.owasp.org/index.php/Category:OWASP_SQLiX_Project
From the MediaWiki SQL_injection documentation
To exploit the vulnerability and fetch the email addresses of registered wiki users, the attacker would use a GET string of:
?limit=%201%20union%20select%20user_email%20from%20user;
In practice, what do we do with this?