Last modified: 2012-11-29 22:54:29 UTC

Wikimedia Bugzilla is closed!

Wikimedia migrated from Bugzilla to Phabricator. Bug reports are handled in Wikimedia Phabricator.
This static website is read-only and for historical purposes. It is not possible to log in and except for displaying bug reports and their history, links might be broken. See T43400, the corresponding Phabricator task for complete and up-to-date bug report information.
Bug 41400 - Possible DoS vulnerability in MediaWiki
Possible DoS vulnerability in MediaWiki
Status: RESOLVED DUPLICATE of bug 38566
Product: MediaWiki
Classification: Unclassified
General/Unknown (Other open bugs)
1.20.x
All All
: Unprioritized normal (vote)
: 1.20.x release
Assigned To: Nobody - You can work on this!
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2012-10-25 19:08 UTC by Chris Steipp
Modified: 2012-11-29 22:54 UTC (History)
8 users (show)

See Also:
Web browser: ---
Mobile Platform: ---
Assignee Huggle Beta Tester: ---


Attachments
patch from Kevin (1.45 KB, patch)
2012-10-25 19:08 UTC, Chris Steipp
Details
patch to comment new regex (1.27 KB, patch)
2012-10-31 22:41 UTC, Kevin Israel (PleaseStand)
Details
patch to remove the throw (1.49 KB, patch)
2012-10-31 22:48 UTC, Kevin Israel (PleaseStand)
Details
patch to remove the throw (2) (1.39 KB, patch)
2012-11-08 16:38 UTC, Kevin Israel (PleaseStand)
Details
Combined patch for 1.21 (4.23 KB, patch)
2012-11-20 18:05 UTC, Chris Steipp
Details

Description Chris Steipp 2012-10-25 19:08:54 UTC
Created attachment 11241 [details]
patch from Kevin

I'm the "Wikipedia user PleaseStand" who reported the clickjacking
vulnerability in 2010, and I think I have another security issue to report.

On the English Wikipedia's technical village pump, user Kelisi reported
that a certain article's history page would show a "Fatal exception of
type MWException" only when he was logged in.[1]

I debugged the issue and found that the cause was an inefficient regex
in includes/Linker.php in core MediaWiki. Specifically, the regex hit
the PCRE backtrack limit while processing an edit summary,[2] so
preg_replace_callback() returned null. The fatal exception occurred when
the null value was to be inserted as a message parameter.

I'm reporting this issue through private e-mail, as I know such
exponential behavior can allow for denial of service attacks, and I'm
sure the vandals would enjoy making it hard for people to revert their
edits :)

They just have to put something like this in their edit summaries:

        [[aaaa]|aaaa]|aaaa]| ... (repeated at least 13 times more)

and that would break recent changes, watchlists, and history pages all
at once. The API, by the way, just returns null for the "parsedcomment".

I have attached a patch that should fix the regex. Feel free to make any
improvements. I've tested it against the recent histories (newest 1000
revisions) of three English Wikipedia articles.

Keep in mind it's possible that someone might inadvertently add
information to the village pump thread that makes it easier to find the
vulnerability (e.g. a broken diff link).

Also, if I would like to report a vulnerability in a user-created
Wikipedia gadget, where should I send the report to? Here? I think I may
have found an unrelated vulnerability in Twinkle, although it might be
tricky to exploit.

Thanks,

        Kevin Israel
        (Wikipedia user PleaseStand)

[1]
https://en.wikipedia.org/wiki/Wikipedia:Village_pump_%28technical%29#Problem_with_.22Africville.22_article

[2]
https://en.wikipedia.org/w/index.php?title=Africville&oldid=360541408 -
try clicking on one of the diff links
Comment 1 Chris Steipp 2012-10-25 22:21:10 UTC
Kevin,

I was able to reproduce the issue, and the patch seems to fix the problem. Thank you!

We have just finalized our next security release, but we'll see if we can include this patch too.
Comment 2 Tim Starling 2012-10-29 05:33:01 UTC
The patch looks fine, although it would have been nice to see some comments embedded in the regex, maybe with /x.

I would also like to see a patch to remove the throw from Message::extractParam(). This is not the first user-visible exception we've seen from it, and throwing an exception instead of replacing the parameter with a placeholder increases the severity from a minor annoyance to a DoS vulnerability. If the error message really needs to be highly visible to developers, trigger_error(..., E_USER_WARNING) could be used.
Comment 3 Kevin Israel (PleaseStand) 2012-10-31 22:41:11 UTC
Created attachment 11274 [details]
patch to comment new regex
Comment 4 Kevin Israel (PleaseStand) 2012-10-31 22:48:30 UTC
Created attachment 11275 [details]
patch to remove the throw

Tim, do you have a specific reason for using trigger_error() directly rather than using wfWarn()? Also, do you have a particular placeholder message in mind that would work in all contexts, or is it fine to just leave $1 alone?
Comment 5 Krinkle 2012-11-05 07:16:16 UTC
See also bug 38566.
Comment 6 Tim Starling 2012-11-05 08:55:41 UTC
(In reply to comment #4)
> Created attachment 11275 [details]
> patch to remove the throw
> 
> Tim, do you have a specific reason for using trigger_error() directly rather
> than using wfWarn()? Also, do you have a particular placeholder message in mind
> that would work in all contexts, or is it fine to just leave $1 alone?

wfWarn() only calls trigger_error() if $wgDevelopmentWarnings is true, which it usually isn't. For example, it is false on Wikimedia. I even have it switched off on my test instances, because otherwise I would be constantly spammed with deprecation notices from code I'm not developing.

I was thinking of a more explicit placeholder than $1, like [INVALID].
Comment 7 Kevin Israel (PleaseStand) 2012-11-08 16:38:21 UTC
Created attachment 11334 [details]
patch to remove the throw (2)
Comment 8 Chris Steipp 2012-11-20 00:17:28 UTC
I've run this set of patches locally, and it looks like it fixes the problem.

Tim, does this look good enough to you to deploy?
Comment 9 Tim Starling 2012-11-20 00:20:50 UTC
(In reply to comment #8)
> I've run this set of patches locally, and it looks like it fixes the problem.
> 
> Tim, does this look good enough to you to deploy?

Yes, it looks good.
Comment 10 Chris Steipp 2012-11-20 18:05:39 UTC
Created attachment 11396 [details]
Combined patch for 1.21

Adds all three of Kevin's patches in one file.
Comment 11 Alex Monk 2012-11-29 22:54:29 UTC

*** This bug has been marked as a duplicate of bug 38566 ***

Note You need to log in before you can comment on or make changes to this bug.


Navigation
Links