https://bugzilla.wikimedia.org/show_bug.cgi?id=33203
[email protected] changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           Priority|Unprioritized               |Highest
                 CC|                            |[email protected].
                   |                            |org
          Component|Semantic MediaWiki          |SemanticForms
         AssignedTo|[email protected].          |[email protected]
                   |org                         |
            Summary|SMWSQLStore2 (infinite?)    |[SF] SECURITY! Infinite
                   |loop consumes maximum       |recursive RunQuery call to
                   |memory (512MB), and then    |SMWSQLStore2 takes down
                   |fails.                      |MediaWiki until PHP times
                   |                            |out or consumes maximum
                   |                            |memory.

--- Comment #4 from [email protected] 2011-12-26 21:35:32 UTC ---

I moved this from SMW to Semantic Forms. There were no responses in IRC, here in the bug report, nor in any of the mailing lists, but I finally got some help from Ryan Lane in debugging this, and he helped me narrow down the problem a little more until I could figure out what was happening.

Although the problem is manifesting itself in SMW's code, it's actually something SF is incorrectly calling on SMW to do on pages that have a query form, either embedded, or on the actual Special:RunQuery page.

This did not fail immediately. At first it functioned successfully many times before it finally failed, and then it continued to fail. I did not know what had changed to cause the problem, and debugging was made difficult with a non-functional wiki.

It turns out that someone had accidentally pasted the code for a page that uses an embedded RunQuery, into the RunQuery form. So, the RunQuery Semantic Form was calling itself to run SMW queries repeatedly in an infinite recursion. Since this problem took down the site, I was not able to find the error without digging through a lengthy debugging process, and getting a little advice from Ryan Lane on how to proceed further into new avenues once I had exhausted everything I already knew how to do.
Although it was a simple error that caused the bug to manifest itself, it turns out to be a significant security problem, where a malicious editor could use this bug to potentially shut down a MediaWiki site that uses Semantic Forms. Generous php.ini settings for max_execution_time and memory_limit will allow long run times and lots of memory usage, respectively, that will exacerbate the unresponsiveness of the server until PHP reaches an error condition, and stops execution. Once execution is stopped, it can be restarted again by the malicious attacker simply reloading the page.

RunQuery Semantic Forms needs to detect a recursive call to itself, and return a suitable error message instead of entering into infinite recursion. The recursion can be caused either accidentally (in my case), or maliciously, which either way will then effectively shut down the server, and make it difficult to find the problem and fix it before the attacker reloads the page again. Even if you knew exactly where the problem was, it's possible this attack could make it impossible to undo the changes that caused it until the attacking page reloads stop - unless you want to edit the database manually to undo the changes.
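
The recursion check the comment asks for can be sketched as a re-entrancy guard. This is an added example, not code from the bug report or from Semantic Forms. The `{{runquery:Name}}` marker, the `QueryFormRenderer` class, the `MAX_EMBED_DEPTH` limit and the sample forms are all constructed for illustration.

```php
<?php
// Constructed model: "{{runquery:X}}" is a made-up marker meaning "embed query
// form X here". It is NOT Semantic Forms syntax; the class is hypothetical.
const MAX_EMBED_DEPTH = 5; // assumed hard cap, independent of loop detection

final class QueryFormRenderer
{
    /** @var array<string,true> forms currently being rendered (the call chain) */
    private array $active = [];

    /** @param array<string,string> $forms form name => form definition text */
    public function __construct(private array $forms) {}

    public function render(string $name): string
    {
        // A form already on the chain is a loop: return an error, do not recurse.
        // (Names come from page text; escape them before emitting as HTML.)
        if (isset($this->active[$name])) {
            $chain = implode(' -> ', array_keys($this->active)) . ' -> ' . $name;
            return "[error: query form loop detected: {$chain}]";
        }
        if (count($this->active) >= MAX_EMBED_DEPTH) {
            return '[error: query forms nested deeper than ' . MAX_EMBED_DEPTH . ']';
        }
        if (!isset($this->forms[$name])) {
            return "[error: unknown query form {$name}]";
        }
        $this->active[$name] = true;
        try {
            return preg_replace_callback(
                '/\{\{runquery:([^}|]+)\}\}/',
                fn(array $m): string => $this->render(trim($m[1])),
                $this->forms[$name]
            );
        } finally {
            unset($this->active[$name]); // pop, so repeated siblings still work
        }
    }
}

$forms = [ // constructed sample input
    'Tasks'   => 'Open tasks: {{runquery:Tasks}}',             // self-embed, as in the report
    'A'       => 'A includes {{runquery:B}}',
    'B'       => 'B includes {{runquery:A}}',                  // indirect loop
    'Summary' => 'Twice: {{runquery:Leaf}} {{runquery:Leaf}}', // repeated, not recursive
    'Leaf'    => 'leaf results',
];
$renderer = new QueryFormRenderer($forms);
foreach (['Tasks', 'A', 'Summary'] as $name) {
    echo $name, ': ', $renderer->render($name), PHP_EOL;
}
```

Tracking the active chain rather than a global "seen" set lets a page embed the same form twice without tripping the guard, and the error names the chain so the offending edit can be located without a working wiki.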
