This can be exploited to cause a denial of service by creating a large number of files with the same name, which will cause MediaWiki to perform a very long query. For example, in the following code, a request is sent to the MediaWiki server with actor as a condition and actor=user:

In certain cases, an attacker can create many files with the same name, such as “user.”

If you are on shared hosting, you might be able to do this by creating a new user, or even a new account. If you are on a VPS or your own server, you might be able to do this by creating many new files.

There are a few ways to mitigate this issue. The most reliable one is to turn off Special:NewFiles on your MediaWiki installation. Another option is to use HTTPS. This will prevent SQL injection attacks, as well as reduce the risk of your server being DDoSed.
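To check whether Special:NewFiles is being hit in bursts on a wiki where it is still enabled, the following added example (not part of the original page or of MediaWiki) scans a web server access log for repeated requests to that page from one client. The combined log format, the sample lines, the `/wiki/` and `index.php?title=` URL layouts, and the threshold of 3 requests per 10 seconds are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from urllib.parse import unquote

# Constructed sample lines in the "combined" access log format (assumed format).
SAMPLE_LOG = """\
203.0.113.9 - - [19/Sep/2022:21:15:00 +0000] "GET /wiki/Main_Page HTTP/1.1" 200 9001 "-" "-"
198.51.100.7 - - [19/Sep/2022:21:15:01 +0000] "GET /wiki/Special:NewFiles?user=Example HTTP/1.1" 200 5120 "-" "-"
198.51.100.7 - - [19/Sep/2022:21:15:02 +0000] "GET /index.php?title=Special%3ANewFiles&user=Example HTTP/1.1" 200 5120 "-" "-"
198.51.100.7 - - [19/Sep/2022:21:15:02 +0000] "GET /wiki/Special:NewFiles?user=Example HTTP/1.1" 200 5120 "-" "-"
203.0.113.9 - - [19/Sep/2022:21:15:03 +0000] "GET /wiki/Special:NewFiles HTTP/1.1" 200 5120 "-" "-"
198.51.100.7 - - [19/Sep/2022:21:15:04 +0000] "GET /wiki/Special:NewImages HTTP/1.1" 200 5120 "-" "-"
198.51.100.7 - - [19/Sep/2022:21:15:05 +0000] "GET /wiki/Special:NewFiles?user=Example HTTP/1.1" 504 0 "-" "-"
198.51.100.7 - - [19/Sep/2022:21:16:30 +0000] "GET /wiki/Special:NewFiles HTTP/1.1" 200 5120 "-" "-"
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(?:GET|POST) (\S+) [^"]*" (\d{3})')
# Special:NewFiles or its other name Special:NewImages, in path or title= form.
PAGE_RE = re.compile(r'special:new(?:files|images)\b', re.IGNORECASE)

def newfiles_hits(log_text):
    """Yield (client_ip, timestamp) for every request that targets Special:NewFiles."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # malformed or non-request line
        ip, ts, target, _status = m.groups()
        if PAGE_RE.search(unquote(target)):  # decode %3A before matching
            yield ip, datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")

def flag_bursts(log_text, limit=3, window=timedelta(seconds=10)):
    """Return {client_ip: peak_count} for clients exceeding `limit` hits per `window`.

    Assumes the log is in chronological order, as access logs normally are.
    """
    recent = defaultdict(deque)  # per-client timestamps inside the sliding window
    flagged = {}
    for ip, ts in newfiles_hits(log_text):
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:  # drop hits that fell out of the window
            q.popleft()
        if len(q) > limit:
            flagged[ip] = max(flagged.get(ip, 0), len(q))
    return flagged

if __name__ == "__main__":
    for ip, peak in flag_bursts(SAMPLE_LOG).items():
        print(f"{ip}: {peak} Special:NewFiles requests within 10s")
```

Tune `limit` and `window` to the wiki's normal traffic before alerting on the result.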

SQL Injection and the Sysop

It is also possible to exploit MediaWiki through an SQL injection vector. This can be done if you have access to the firewall and if your account has sysop privileges. If you have the rights, you can disable Special:NewFiles on your MediaWiki installation.

SQL Injection (Stored)

SQL Injection is a vulnerability that allows malicious attackers to inject arbitrary SQL statements into web applications. It can be used to compromise the security of systems by changing the data contained in a database.

Timeline

Published on: 09/19/2022 21:15:00 UTC
Last modified on: 09/22/2022 17:15:00 UTC
