ManageWiki SQL Injection Vulnerability in MediaWiki

Vulnerability

A SQL injection vulnerability has been identified in the ManageWiki extension for MediaWiki, affecting versions prior to commit f504ed8. The issue arises when renaming a namespace in the Special:ManageWiki/namespaces section, particularly when using a page prefix that includes an injection payload. This vulnerability allows attackers to manipulate SQL queries, potentially compromising the integrity and confidentiality of the MediaWiki database.

Impact

Exploitation of this vulnerability allows for SQL injection, where an attacker can inject malicious SQL payloads that could be executed by the database. This could lead to unauthorized data access, data manipulation, or even executing administrative operations on the database, depending on the injected SQL and the application's database permissions.

Reproduction

To reproduce this vulnerability, navigate to Special:ManageWiki/namespaces in a version of MediaWiki with the ManageWiki extension installed, and use a page prefix that includes an SQL injection payload while renaming a namespace. The injection will be executed by the database, exploiting the vulnerability.

Remediation

As a temporary mitigation, users can add the line $wgManageWiki['namespaces'] = false; to their LocalSettings.php file. This disables the vulnerable namespace renaming feature in ManageWiki. After applying this mitigation, it is recommended to update to a version that includes the patched commit f504ed8.
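To show the class of defect this advisory describes and the fix a maintainer would apply, the following is an added PHP example; it is not ManageWiki's code and does not reproduce the actual vulnerable statement. The function names, the title-rewriting logic, and the assumption that a namespace rename touches the page table are constructed for illustration; the IDatabase methods (query, update, addQuotes, buildLike, anyString) are MediaWiki's real database API.

```php
<?php
// Added illustration, not ManageWiki's code. It contrasts a rename step that
// splices a user-supplied page prefix into raw SQL with one that routes every
// user value through MediaWiki's database layer. Function names and the
// "rewrite page titles carrying the old prefix" logic are assumptions.

use Wikimedia\Rdbms\IDatabase;

/**
 * Vulnerable pattern: $oldPrefix and $newPrefix come straight from the form
 * and are interpolated into the statement text. A prefix containing a single
 * quote ends the string literal early and lets the rest of the input be
 * parsed as SQL, which is the shape of the issue in the advisory above.
 */
function renameNamespacePrefixUnsafe( IDatabase $dbw, string $oldPrefix, string $newPrefix, int $ns ): void {
    $dbw->query(
        "UPDATE page SET page_namespace = $ns, " .
        "page_title = REPLACE(page_title, '$oldPrefix', '$newPrefix') " .
        "WHERE page_title LIKE '$oldPrefix%'",
        __METHOD__
    );
}

/**
 * Hardened pattern: the statement shape is fixed by the code; user values are
 * quoted by the database layer (addQuotes) or escaped for LIKE (buildLike),
 * so no input can change what the query does.
 */
function renameNamespacePrefixSafe( IDatabase $dbw, string $oldPrefix, string $newPrefix, int $ns ): void {
    // Defence in depth: reject prefixes that could never be a valid title
    // fragment before they reach the database at all. The pattern is an
    // assumption for this example, not MediaWiki's title grammar.
    foreach ( [ $oldPrefix, $newPrefix ] as $prefix ) {
        if ( !preg_match( '/^[A-Za-z0-9_ \-]{1,64}$/', $prefix ) ) {
            throw new InvalidArgumentException( 'Rejected namespace prefix: ' . $prefix );
        }
    }

    $dbw->update(
        'page',
        [
            // Keyed entry: the value is bound/quoted by the database layer.
            'page_namespace' => $ns,
            // Numeric-keyed entry is raw SQL, so the literals must be quoted
            // explicitly with addQuotes().
            'page_title = REPLACE(page_title, '
                . $dbw->addQuotes( $oldPrefix ) . ', '
                . $dbw->addQuotes( $newPrefix ) . ')',
        ],
        [
            // buildLike() escapes % and _ inside the prefix and quotes the
            // whole pattern; anyString() supplies the trailing wildcard.
            'page_title' . $dbw->buildLike( $oldPrefix, $dbw->anyString() ),
        ],
        __METHOD__
    );
}
```

The practical check when auditing an extension for this bug class is to grep for query() calls whose SQL string is built with interpolation or concatenation of request parameters, and to move those values into the array-based update()/select() arguments or through addQuotes()/buildLike() as above.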

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm