Last modified: 2014-10-28 18:01:15 UTC
I found a SQL injection in the search form. If you enter a single quote into the form the PostgreSQL server responds with the following error:

Warning: pg_query(): Query failed: ERROR: syntax error in tsquery: "'" in <FULLPATH>\DatabasePostgres.php on line 584
Sorry, that was not a valid search string. Please go back and try again

Which means the server is vulnerable to an SQL injection.

Reproduce:
1. Go to the main wiki page
2. Enter the single quote into the search form

Shortcut to the bug: https://wiki.<WEBSITE-NAME>.org/en/Special:Search?search=%27&go=Go
Note that the %27 is the single quote character!

Originally found at: https://wiki.mageia.org/en/Special:Search?search=%27&go=Go (Already told them about this)

Robert Hendriks
Could you test this against 1.18?
Reproduced in trunk (r113364)
*** Bug 31006 has been marked as a duplicate of this bug. ***
I don't think it's an SQL injection problem. There is a problem with proper quoting of lexemes passed to the to_tsquery() function. What we do in this case is:

trunk=> select to_tsquery('''');
ERROR: syntax error in tsquery: "'"

Somebody ran into a similar problem here: http://archives.postgresql.org/pgsql-sql/2008-08/msg00027.php
It's an arbitrary parameter to to_tsquery(), not arbitrary SQL, and my reading of the relevant manual section: http://www.postgresql.org/docs/8.4/interactive/datatype-textsearch.html suggests that this is not exploitable. The operations which can be performed are very limited. So I'm changing the component, severity and summary.
I have submitted a patch to check for ' to gerrit, to stop the database error appearing. https://gerrit.wikimedia.org/r/#/c/23064/
(In reply to comment #6)
> I have submitted a patch to check for ' to gerrit

Patch needs improvement according to review - Karun, would you have time?
Change 23064 had a related patch set uploaded by Tim Landscheidt: Escape apostrophes in search terms for PostgreSQL https://gerrit.wikimedia.org/r/23064
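The quoting problem described in comments above (an apostrophe reaching to_tsquery() unquoted) and the fix direction of the Gerrit change (escape apostrophes in search terms) can be illustrated with the following added example. It is not the MediaWiki patch and not code from this thread; it is written in Python rather than the PHP of DatabasePostgres.php, and the table and column names in the SQL string are hypothetical. It follows the PostgreSQL text-search lexeme syntax: a lexeme is wrapped in single quotes, and embedded quotes and backslashes are doubled.

```python
import re

# Only word characters and apostrophes form search terms, so tsquery
# operators the user types (& | ! ( ) :) are dropped instead of being
# handed to the tsquery parser.
_WORD_RE = re.compile(r"[\w']+", re.UNICODE)


def quote_lexeme(lexeme: str) -> str:
    # Wrap one lexeme in tsquery single quotes.  Inside a quoted lexeme
    # a backslash is written doubled and an apostrophe as two apostrophes,
    # so an input apostrophe can no longer end the lexeme early and raise
    # 'syntax error in tsquery'.
    escaped = lexeme.replace("\\", "\\\\").replace("'", "''")
    return "'" + escaped + "'"


def build_tsquery(search: str):
    # Turn raw form input into a tsquery expression, or None.
    # Leading/trailing apostrophes are not search terms (the reported
    # input was a bare "'"), so they are stripped; an apostrophe inside
    # a word (o'neil) is kept and escaped by quote_lexeme().
    lexemes = [w.strip("'") for w in _WORD_RE.findall(search)]
    lexemes = [w for w in lexemes if w]
    if not lexemes:
        # Nothing searchable survived: let the caller show its
        # "not a valid search string" page instead of querying.
        return None
    return " & ".join(quote_lexeme(w) for w in lexemes)


def search_statement(search: str):
    # Return (sql, params) for a parameterised search, or None.
    # The tsquery text travels as a bound parameter (psycopg2-style
    # placeholder), never spliced into the SQL string, which keeps
    # SQL quoting and tsquery lexeme quoting as two separate concerns.
    tsq = build_tsquery(search)
    if tsq is None:
        return None
    sql = ("SELECT page_id FROM pagecontent "   # hypothetical table/columns
           "WHERE textvector @@ to_tsquery(%s)")
    return sql, (tsq,)
```

A lone quote yields None (no database round trip), while `foo'bar baz` becomes `'foo''bar' & 'baz'`, which to_tsquery() parses without error.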