Last modified: 2014-03-05 06:52:39 UTC
A database server disconnection, either as the result of a network failure or a failure of the database server itself, results in a message that contains the internal IP address of the database server. This is a security vulnerability.

The code that generates these messages, in includes/db/Database.php is:

<pre>
$sorry = 'Sorry! This site is experiencing technical difficulties.';
$again = 'Try waiting a few minutes and reloading.';
$info = '(Can\'t contact the database server: $1)';

if ( $wgLang instanceof Language ) {
	$sorry = htmlspecialchars( $wgLang->getMessage( 'dberr-problems' ) );
	$again = htmlspecialchars( $wgLang->getMessage( 'dberr-again' ) );
	$info = htmlspecialchars( $wgLang->getMessage( 'dberr-info' ) );
}
</pre>

The dberr-info message is the same as the hard-coded default value for the $info variable. Both contain a variable $1, and the $1 variable is later replaced by the error message from the server.

The easiest way to correct the vulnerability is to change the text of the dberr-info message so that it doesn't contain the $1 variable. We want to change

(Cannot contact the database server: $1)

to

(Cannot contact the database server)

There are two ways that this is normally done, one via the wiki user interface and the other via code. To make the change via the wiki, one uses the "System messages" special page in the "Wiki data and tools" category. To make the change via code, one adds a message filter function to the MessagesPreLoad hook.

Both of these methods were tried, and neither was successful. A further review of the code indicated that the ''$wgLang->getMessage'' call bypasses both of the methods described above for changing error messages. If the ''wfMsg'' global function had been used in place of the ''$wgLang->getMessage'' call, the messages could have been changed. Further testing, however, revealed that the source of the error messages was not the ''$wgLang->getMessage'' call, but the hard-coded strings set above this call.

To correct this issue changes must be made to the following two core files:

# includes/db/Database.php
# languages/messages/MessagesEn.php

The two sed scripts below, executed on the web server, were found to correct the vulnerability in the MediaWiki 1.16.0 core code in its standard location:

<pre>
sed -r -i.bak "/^'dberr-info'/s/: [$]1//" \
    languages/messages/MessagesEn.php
sed -r -i.bak "/[$]info = '[(]Can/s/: [$]1//" \
    includes/db/Database.php
</pre>

This problem will be reported to MediaWiki so that the core doesn't need to be patched with each release. The user should be able to change the text of these messages without having to patch core MediaWiki.
Behavior should probably be conditional based on $wgShowSQLErrors.
Sam W. Gabriel, would you mind getting developer access https://www.mediawiki.org/wiki/Developer_access and committing your patches, or at least telling us here in BZ whether those are still the diffs between the files in the MediaWiki trunk and the fixed files on your server? How to submit a patch to our Git repo: https://www.mediawiki.org/wiki/Git/Tutorial Thank you.
Gerrit change #52029
(In reply to comment #0)
> a message that contains the internal IP address of the database server. This is a security vulnerability.

That doesn't sound right to me. I'm leaning towards a RESOLVED INVALID here. IPs are not supposed to be private information.
I disagree with the "security vulnerability" part as well; however, this report nevertheless describes an actual bug in the software, in that the database server's IP address may be shown even if both $wgShowHostnames and $wgShowSQLErrors are false. Note that in some environments, private IP addresses are considered to be sensitive information (cf. PCI-DSS 2.0 Requirement 1.3.8 "Do not disclose private IP addresses and routing information to unauthorized parties.").
Change 52029 merged by jenkins-bot: Hide server IP addresses from DB error pages https://gerrit.wikimedia.org/r/52029
(In reply to comment #6)
> Change 52029 merged by jenkins-bot:
> Hide server IP addresses from DB error pages
>
> https://gerrit.wikimedia.org/r/52029

Patch got merged - can this bug report be closed as RESOLVED FIXED or is more work required?
(In reply to comment #7)
> (In reply to comment #6)
> > Change 52029 merged by jenkins-bot:
> > Hide server IP addresses from DB error pages
> >
> > https://gerrit.wikimedia.org/r/52029
>
> Patch got merged - can this bug report be closed as RESOLVED FIXED or is more
> work required?

I still have to fix DBUnexpectedError. *Then* I think we can close as RESOLVED FIXED.
Change 89512 had a related patch set uploaded by PleaseStand: Hide message for DBUnexpectedError exceptions https://gerrit.wikimedia.org/r/89512
https://gerrit.wikimedia.org/r/#/c/89512/ still needs rework.
Change 89512 merged by jenkins-bot: Hide message for DBUnexpectedError exceptions https://gerrit.wikimedia.org/r/89512
Fixed for DB connection and query errors in 1.22 (when both $wgShowHostnames and $wgShowSQLErrors are false), and fixed for DBUnexpectedErrors in master/1.23 (when $wgShowExceptionDetails is false).
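
As an added example (not part of the bug report and not MediaWiki code), the Python regression check below scans a rendered error page for non-public IPv4 addresses, using the default strings quoted in the report. The names `render_error_page` and `find_internal_ips` and the sample server error are assumptions made for illustration.

```python
import ipaddress
import re

# Dotted-quad candidates; real validation is left to the ipaddress module.
IPV4_TOKEN = re.compile(r"(?<![\d.])(?:\d{1,3}\.){3}\d{1,3}(?![\d.])")

# Default strings quoted in the report; INFO_PATCHED is what the sed edit leaves.
SORRY = "Sorry! This site is experiencing technical difficulties."
AGAIN = "Try waiting a few minutes and reloading."
INFO_ORIGINAL = "(Can't contact the database server: $1)"
INFO_PATCHED = INFO_ORIGINAL.replace(": $1", "")

# Constructed sample of a server error naming an internal host (not real output).
SAMPLE_SERVER_ERROR = "Unknown error (10.20.30.40)"


def render_error_page(info_template, server_error):
    """Hypothetical stand-in for the page builder: substitute $1, join the lines."""
    info = info_template.replace("$1", server_error)
    return "\n".join([SORRY, AGAIN, info])


def find_internal_ips(page_text):
    """Return sorted, de-duplicated non-public IPv4 addresses found in page_text."""
    found = set()
    for token in IPV4_TOKEN.findall(page_text):
        try:
            addr = ipaddress.ip_address(token)
        except ValueError:
            continue  # out-of-range octets, e.g. 999.1.1.1
        if addr.is_private or addr.is_loopback or addr.is_link_local:
            found.add(addr)
    return [str(a) for a in sorted(found)]


if __name__ == "__main__":
    for label, template in (("original", INFO_ORIGINAL), ("patched", INFO_PATCHED)):
        page = render_error_page(template, SAMPLE_SERVER_ERROR)
        print(label, "->", find_internal_ips(page) or "no internal addresses")
```

The same `find_internal_ips` check can be pointed at the body of a real error response captured while the database is deliberately unreachable in a test environment.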