1,136
edits
(→Did you notice...: so?) |
|||
Line 13: | Line 13: | ||
:Look at the code in [http://www.mediawiki.org/wiki/Extension:Whos_online Extension:Whosonline]. It says "DELETE from $tblname WHERE username = '$username' OR timestamp < '$old' ". With a username like [[User:Robert' OR username like '%' -- aaa|Robert' OR username like '%' -- aaa]], this code becomes "DELETE from $tblname WHERE username = 'Robert' OR username like '%' -- aaa' OR timestamp < '$old' ". The problem is that the ' in the username is not handled correctly, and when passed to sql it is interpreted as the end of the username, and the rest of the username is interpreted as sql. The -- is a comment marker, it tells sql to disregard everything after that. In this case, it deletes every entry from the "online" table, so whosonline will show noone online. One way to cause harm would be: "DELETE from $tblname WHERE username = 'Robert'; drop table pages -- aaa' OR timestamp < '$old' ", which would delete all content on this wiki, but fortunately you cannot execute two sql queries with this command (the ; signals the end of the first query, and drop table pages is the second query). It would be possible to execute a subquery, and insert the result of the subquery into the username, to get some private information from the database. However mysql does not use the standard sql string concatenation operator ||, so that can't be done. The other option would be to get a numerical value, e.g. the token, because you can add together numbers. For example, I could manipulate whosonline so that instead of the real username, it displays '1' + (subquery returning number) - '1', so I could get your token, change my cookies manually, and I would be logged in as User:Lumenos. The only thing preventing me from doing that is that underscores (_) are used for field names in the user table (user_token, user_name), and those are converted to spaces in usernames when creating accounts, so the sql query doesn't work. | :Look at the code in [http://www.mediawiki.org/wiki/Extension:Whos_online Extension:Whosonline]. It says "DELETE from $tblname WHERE username = '$username' OR timestamp < '$old' ". With a username like [[User:Robert' OR username like '%' -- aaa|Robert' OR username like '%' -- aaa]], this code becomes "DELETE from $tblname WHERE username = 'Robert' OR username like '%' -- aaa' OR timestamp < '$old' ". The problem is that the ' in the username is not handled correctly, and when passed to sql it is interpreted as the end of the username, and the rest of the username is interpreted as sql. The -- is a comment marker, it tells sql to disregard everything after that. In this case, it deletes every entry from the "online" table, so whosonline will show noone online. One way to cause harm would be: "DELETE from $tblname WHERE username = 'Robert'; drop table pages -- aaa' OR timestamp < '$old' ", which would delete all content on this wiki, but fortunately you cannot execute two sql queries with this command (the ; signals the end of the first query, and drop table pages is the second query). It would be possible to execute a subquery, and insert the result of the subquery into the username, to get some private information from the database. However mysql does not use the standard sql string concatenation operator ||, so that can't be done. The other option would be to get a numerical value, e.g. the token, because you can add together numbers. For example, I could manipulate whosonline so that instead of the real username, it displays '1' + (subquery returning number) - '1', so I could get your token, change my cookies manually, and I would be logged in as User:Lumenos. The only thing preventing me from doing that is that underscores (_) are used for field names in the user table (user_token, user_name), and those are converted to spaces in usernames when creating accounts, so the sql query doesn't work. | ||
:I don't know of a way to crash RationalWiki. All our custom extensions use the database functions provided by mediawiki (unlike whosonline, which accesses the database directly), and those are safeguarded against stuff like this. Of course there can be unknown vulnerabilities in either our custom code or mediawiki. [[User:Nx|Nx]] 06:18, 4 September 2009 (EDT) | :I don't know of a way to crash RationalWiki. All our custom extensions use the database functions provided by mediawiki (unlike whosonline, which accesses the database directly), and those are safeguarded against stuff like this. Of course there can be unknown vulnerabilities in either our custom code or mediawiki. [[User:Nx|Nx]] 06:18, 4 September 2009 (EDT) | ||
::Uuuh.... thanks. Let me see if I have an interpreter. [[User:Lumenos|Lumenos]] 06:35, 4 September 2009 (EDT) | |||
==Mr. Ernst== | ==Mr. Ernst== |
edits