https://bugzilla.wikimedia.org/show_bug.cgi?id=26811

           Summary: Database connection errors display IP address
           Product: MediaWiki
           Version: 1.16.1
          Platform: All
        OS/Version: All
            Status: NEW
          Severity: normal
          Priority: Normal
         Component: Database
        AssignedTo: wikibugs-l@lists.wikimedia.org
        ReportedBy: sam.w.gabr...@saic.com


A database server disconnection, either as the result of a network failure or a
failure of the database server itself, results in a message that contains the
internal IP address of the database server. This is a security vulnerability.

The code that generates these messages, in includes/db/Database.php, is:

<pre>
$sorry = 'Sorry! This site is experiencing technical difficulties.';
$again = 'Try waiting a few minutes and reloading.';
$info  = '(Can\'t contact the database server: $1)';

if ( $wgLang instanceof Language ) {
    $sorry = htmlspecialchars( $wgLang->getMessage( 'dberr-problems' ) );
    $again = htmlspecialchars( $wgLang->getMessage( 'dberr-again' ) );
    $info  = htmlspecialchars( $wgLang->getMessage( 'dberr-info' ) );
}
</pre>

The dberr-info message is the same as the hard-coded default value for the
$info variable. Both contain a variable $1, and the $1 variable is later
replaced by the error message from the server. The easiest way to correct the
vulnerability is to change the text of the dberr-info message so that it
doesn't contain the $1 variable. We want to change

    (Cannot contact the database server: $1)

to

    (Cannot contact the database server)

There are two ways that this is normally done, one via the wiki user interface
and the other via code.  To make the change via the wiki, one uses the "System
messages" special page in the "Wiki data and tools" category. To make the
change via code, one adds a message filter function to the MessagesPreLoad
hook.

Both of these methods were tried, and neither was successful. A further review
of the code indicated that the ''$wgLang->getMessage'' call bypasses both of
the methods described above for changing error messages. If the ''wfMsg''
global function had been used in place of the ''$wgLang->getMessage'' call, the
messages could have been changed.

Further testing, however, revealed that the source of the error messages was
not the ''$wgLang->getMessage'' call, but the hard-coded strings set above this
call.

To correct this issue, changes must be made to the following two core files:
# includes/db/Database.php
# languages/messages/MessagesEn.php

The two sed scripts below, executed on the web server, were found to correct
the vulnerability in the MediaWiki 1.16.0 core code in its standard location:

<pre>
sed -r -i.bak "/^'dberr-info'/s/: [$]1//" \
    languages/messages/MessagesEn.php

sed -r -i.bak "/[$]info  = '[(]Can/s/: [$]1//" \
    includes/db/Database.php
</pre>

This problem will be reported to MediaWiki so that the core doesn't need to be
patched with each release. The user should be able to change the text of these
messages without having to patch core MediaWiki.

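A regression check for the fix described in the report above, as an added example that is not part of the original report or of MediaWiki. The function names (dberr_check, make_fixture, apply_page_fix) are hypothetical, the fixture lines are constructed stand-ins for the two core files, and GNU sed is assumed, as in the report's own commands.

```shell
#!/bin/sh
# dberr_check ROOT
# Prints (with line numbers) every database-error string under ROOT that
# still carries the "$1" placeholder. Returns 0 when both files are clean,
# 1 when a placeholder remains, 2 when an expected file is missing.
dberr_check() {
    root=$1
    msgs="$root/languages/messages/MessagesEn.php"
    db="$root/includes/db/Database.php"
    for f in "$msgs" "$db"; do
        [ -f "$f" ] || { echo "missing: $f" >&2; return 2; }
    done
    status=0
    # Localised text: the 'dberr-info' entry in MessagesEn.php.
    if grep -n "^'dberr-info'.*[$]1" "$msgs"; then status=1; fi
    # Hard-coded fallback: the $info assignment in Database.php.
    if grep -n "[$]info *= *'[(]Can.*[$]1" "$db"; then status=1; fi
    return $status
}

# make_fixture DIR
# Writes constructed one-line stand-ins for the two files (not the real
# MediaWiki sources) so the check can be exercised offline.
make_fixture() {
    mkdir -p "$1/languages/messages" "$1/includes/db"
    cat > "$1/languages/messages/MessagesEn.php" <<'EOF'
'dberr-info' => '(Cannot contact the database server: $1)',
EOF
    cat > "$1/includes/db/Database.php" <<'EOF'
$info  = '(Can\'t contact the database server: $1)';
EOF
}

# apply_page_fix ROOT
# Runs the two sed commands from the report, relative to ROOT.
apply_page_fix() {
    ( cd "$1" &&
      sed -r -i.bak "/^'dberr-info'/s/: [$]1//" \
          languages/messages/MessagesEn.php &&
      sed -r -i.bak "/[$]info  = '[(]Can/s/: [$]1//" \
          includes/db/Database.php )
}

# Used as a script: ./dberr_check.sh /path/to/mediawiki
[ "$#" -eq 0 ] || dberr_check "$1"
```

Because the report notes that core has to be re-patched with each release, the non-zero exit status makes this usable as a post-upgrade gate.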