MediaWiki Bucket Extension Infinite Recursion Vulnerability Allowing Denial-of-Service

A vulnerability in the MediaWiki Bucket extension, prior to version 1.0.0, allows for infinite recursion when a user queries a repeated field using the '!=' comparator. This issue can cause PHP's call stack limit to be exceeded and increase memory consumption, potentially leading to a denial-of-service condition. The vulnerability arises when the Bucket code processes the query, causing recursive calls that exhaust server resources.

Impact

Exploitation of this vulnerability leads to infinite recursion, causing PHP's call stack limit to be exceeded and increasing memory usage, which can disrupt normal service and accessibility of affected pages.

Reproduction

To reproduce this vulnerability, add a repeated text field to a bucket. Then, query the field from a Lua module using the '!=' operator to compare against a value. The query will trigger the infinite recursion by calling the 'MemberOfExpression::toSql' method, which recursively invokes itself through the 'NotExpression' class, until the server's call stack or memory limits are reached, causing a denial-of-service condition.

Remediation

Users can update to Bucket extension version 1.0.0 or later, where this vulnerability has been patched.