SQL injection
Overview
SQL injection is a type of attack that uses vulnerabilities in an application's input validation or data typing for SQL queries.
When successful, the attack allows the attacker to inject data into an existing SQL query. The attacker may then be able to fetch private data, cause a denial of service or cause other unintended responses. In the worst case, the injected code would allow the attacker to gain full control of the system by exploiting multiple vulnerabilities in the database server, system utilities and operating system.
For an overview of SQL injection attacks, review Wikipedia's SQL Injection page.
Example
The following code snippet would allow an attacker to execute their own SQL commands (and is a syntax error in Oracle).
$limit = $wgRequest->getVal( 'limit' );
$res = $db->query( "SELECT * from kitties LIMIT $limit" );
Before MW 1.35, the preferred way to run the above query would be:
$limit = $wgRequest->getVal( 'limit' );
$limit = intval( $limit ); // OPTIONAL validation
$res = $db->select( 'kitties',
'*',
false,
__METHOD__,
array( 'LIMIT' => $limit ) // REQUIRED automatic escaping
);
See Manual:Database access for more recent approaches to building SQL queries using the SelectQueryBuilder class.
To exploit the vulnerability and fetch the email addresses of registered wiki users, the attacker would use a GET string of:
?limit=%201%20union%20select%20user_email%20from%20user;
SQL Injection and MediaWiki
MediaWiki has a custom SQL generation interface which has proven to be effective for eliminating SQL injection vulnerabilities. The SQL generation interface also provides DBMS abstraction and features such as table prefixes.
To keep MediaWiki safe from SQL injection:
- avoid using direct SQL queries at all costs
- review Manual:Database access and use the functions provided in Database.php
- read the The Open Web Application Security Project's page on SQL injection (http://www.owasp.org/index.php/SQL_Injection)
- The SQL Injection Wiki: http://www.sqlinjectionwiki.com/