Archive:Amélioration de l'extension NiceCategoryList de mediawiki

Ce wiki a été archivé en 2018.

Le nouveau wiki se trouve à: ressources.labomedia.org

Les fonctionnalités sont désactivées: vous pouvez faire une recherche sur Google site:https://wiki.labomedia.org et découvrir La Labomedia.

De Centre de Ressources Numériques - Labomedia
Aller à : navigation, rechercher

Extension NiceCategoryList2

Problem: Vulnerable to SQL injection attacks, because it passes user input directly into SQL commands. This may lead to user accounts being hijacked, wiki content being compromised, private data being leaked, malware being injected, and the entire wiki content being erased, among other things. Solution: make proper use of MediaWiki's database class instead of concatenating raw sql

La version corrigée deviendra la version ncl4

La version actuelle à améliorer

Sur github:

La solution

Example

The following code snippet would allow an attacker to execute their own SQL commands (and is a syntax error in Oracle). 

$limit = $wgRequest->getVal( 'limit' );
$res = $db->query( "SELECT * from kitties LIMIT $limit" );

The preferred way to run the above query would be: 

$limit = $wgRequest->getVal( 'limit' );
$limit = intval( $limit ); // OPTIONAL validation
$res = $db->select( 'kitties',
                    '*',
                    false,
                    __METHOD__,
                    array( 'LIMIT' => $limit ) // REQUIRED automatic escaping
);

Le code existant dans ncl2

    private function getCategoryLinks($dbr, $title) {
        // query database
        $res = $dbr->select(
            array('page', 'categorylinks'),
            array('page_title', 'page_namespace', 'cl_sortkey'),
            array('cl_from = page_id', 'cl_to' => $title->getDBKey()),
            '',
            array('ORDER BY' => 'cl_sortkey')
        );
        if ($res === false)
                return array();

        // convert results list into an array
        $list = array();
        while ($x = $dbr->fetchObject($res))
                $list[] = $x;

        // free the results
        $dbr->freeResult($res);

        return $list;
    }

Ressources Mediawiki

SQL Injection

How safe are these functions against SQL Injection? Does the extension-coder have to take care of this themselves? 

   If you feed an array to select, it's safe. If you construct a string, even a string to be passed to ::select, then it's up to you to take care of safety.

$sql = "SELECT p.page_id AS pid, p.page_title AS title, t.old_text as text FROM page p
INNER JOIN revision r ON p.page_latest = r.rev_id
INNER JOIN text t ON r.rev_text_id = t.old_id
INNER JOIN categorylinks c ON c.cl_from = p.page_id
INNER JOIN searchindex s ON s.si_page = p.page_id
WHERE c.cl_to='".$title."' ORDER BY p.page_title ASC";

SQL injection stresstest

De la doc Mediawiki SQL_injection

To exploit the vulnerability and fetch the email addresses of registered wiki users, the attacker would use a GET string of: 

?limit=%201%20union%20select%20user_email%20from%20user;

En pratique, on fait quoi de ça ?

Le code corrigé

Récupérée de « https://wiki.labomedia.org/index.php?title=Archive:Amélioration_de_l%27extension_NiceCategoryList_de_mediawiki&oldid=31917 »