Author: sam.w.gabriel
Description:
A database server disconnection, either as the result of a network failure or a failure of the database server itself, results in a message that contains the internal IP address of the database server. This is a security vulnerability.
The code that generates these messages, in includes/db/Database.php is:
<pre>
$sorry = 'Sorry! This site is experiencing technical difficulties.';
$again = 'Try waiting a few minutes and reloading.';
$info  = '(Can\'t contact the database server: $1)';
if ( $wgLang instanceof Language ) {
	$sorry = htmlspecialchars( $wgLang->getMessage( 'dberr-problems' ) );
	$again = htmlspecialchars( $wgLang->getMessage( 'dberr-again' ) );
	$info  = htmlspecialchars( $wgLang->getMessage( 'dberr-info' ) );
}
</pre>
The dberr-info message is the same as the hard-coded default value for the $info variable. Both contain the placeholder $1, which is later replaced by the error message returned by the database server. The easiest way to correct the vulnerability is to change the text of the dberr-info message so that it no longer contains the $1 placeholder. We want to change
(Cannot contact the database server: $1)
to
(Cannot contact the database server)
There are two ways that this is normally done, one via the wiki user interface and the other via code. To make the change via the wiki, one uses the "System messages" special page in the "Wiki data and tools" category. To make the change via code, one adds a message filter function to the MessagesPreLoad hook.
Both of these methods were tried, and neither was successful. A further review of the code indicated that the ''$wgLang->getMessage'' call bypasses both of the methods described above for changing error messages. If the ''wfMsg'' global function had been used in place of the ''$wgLang->getMessage'' call, the messages could have been changed.
Further testing, however, revealed that the source of the error messages was not the ''$wgLang->getMessage'' call, but the hard-coded strings set above this call.
To correct this issue, changes must be made to the following two core files:
- includes/db/Database.php
- languages/messages/MessagesEn.php
The two sed scripts below, executed on the web server, were found to correct the vulnerability in the MediaWiki 1.16.0 core code in its standard location:
<pre>
# Drop ": $1" from the 'dberr-info' message definition
sed -r -i.bak "/^'dberr-info'/s/: [$]1//" \
    languages/messages/MessagesEn.php
# Drop ": $1" from the hard-coded $info default
sed -r -i.bak "/[$]info = '[(]Can/s/: [$]1//" \
    includes/db/Database.php
</pre>
This problem will be reported to MediaWiki so that the core doesn't need to be patched with each release. The user should be able to change the text of these messages without having to patch core MediaWiki.
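The following is an added illustration, not MediaWiki's own code: it shows how substituting the raw driver error into the $1 placeholder exposes the database host to the client, and the pattern a fix should follow, where the detail is written to the server log and only the fixed text is rendered. The function names, the `$log` callable and the sample driver error are hypothetical.

```php
<?php
// Added example (not MediaWiki code). Constructed driver error of the kind a
// failed MySQL connection returns; the host in it is what must not reach the browser.
$driverError = "Can't connect to MySQL server on '10.0.3.17' (111)";

// Leaky pattern: mirrors the report's Database.php flow, where the template's
// $1 placeholder is replaced by the driver error before rendering to the client.
function renderDbErrorLeaky(string $driverError): string {
    $info = '(Can\'t contact the database server: $1)';
    return str_replace('$1', htmlspecialchars($driverError), $info);
}

// Hardened pattern: the driver error goes to the server-side log (hypothetical
// $log callable, e.g. 'error_log'); the client receives only the generic text.
function renderDbErrorSafe(string $driverError, callable $log): string {
    $log('Database connection failed: ' . $driverError);
    return '(Can\'t contact the database server)';
}

// Check a reviewer can apply to any rendered error page: does the output still
// contain any part of the driver error (host, port, errno)?
function leaksDriverError(string $rendered, string $driverError): bool {
    foreach (preg_split('/[\s\'()]+/', $driverError, -1, PREG_SPLIT_NO_EMPTY) as $token) {
        // Only tokens that look like host/port/errno data are worth checking.
        if (preg_match('/\d/', $token) && strpos($rendered, $token) !== false) {
            return true;
        }
    }
    return false;
}

$leaky = renderDbErrorLeaky($driverError);
$safe  = renderDbErrorSafe($driverError, 'error_log');
var_dump(leaksDriverError($leaky, $driverError));  // the leaky variant exposes the host
var_dump(leaksDriverError($safe, $driverError));   // the hardened variant does not
```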
Version: 1.16.x
Severity: normal