Wikimedia MediaWiki Cargo Extension SQL Injection Vulnerability

Vulnerability

A SQL injection vulnerability has been identified in the Wikimedia Foundation's MediaWiki Cargo extension, in the extension's branches for MediaWiki 1.39, 1.43, and 1.44. Two URL parameters are inserted into SQL queries without adequate sanitization, so a request carrying SQL syntax in one of those parameters changes the structure of the query the extension runs and can execute attacker-supplied SQL against the wiki database.

Impact

Exploitation allows an attacker who can submit requests to the vulnerable page to interfere with the queries the extension issues to the wiki database. Depending on the query and on the privileges of the database account the wiki uses, this can expose data from tables the export was never meant to reach, modify data, or perform administrative operations on the database.

Reproduction

To reproduce this vulnerability, create a template that declares and stores Cargo data (the #cargo_declare and #cargo_store parser functions), create the Cargo table for that template, and save a page that calls the template so that the table holds at least one row. Then request the 'Special:CargoExport' page with a crafted SQL payload in the 'start' parameter. The injected SQL is executed by the database, which demonstrates the flaw.
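The bug class and its fix, as an added example that is not code from the Cargo extension or from the original page: a constructed SQLite database stands in for the wiki database, and the query shape (a string filter on a column named event_date), the PAYLOAD, the expected-value pattern START_RE and the web-server log lines are all assumptions made for the demonstration; the extension's real code path and payload are not reproduced here. The vulnerable function splices the 'start' value into the SQL text, the hardened one validates its shape and binds it, and a third function scans access-log lines for Special:CargoExport requests whose 'start' value does not look like a date, which is the check a responder wants when deciding whether the flaw was probed.

```python
"""Model of the Cargo Special:CargoExport 'start' parameter injection class.

Added example, not the Cargo extension's own PHP. Table names, the query
shape, the payload and the log lines are constructed for the demonstration.
"""
import re
import sqlite3
from urllib.parse import parse_qs, urlsplit

# Assumed shape of a legitimate 'start' value: an ISO date such as 2025-01-01.
START_RE = re.compile(r"^\d{4}-\d{2}-\d{2}$")

# Constructed payload: closes the quoted literal and appends a UNION that reads
# a different table through the same export query.
PAYLOAD = "' UNION SELECT user_name, user_password FROM user -- "

# Constructed combined-format access-log lines (one benign export, one probe,
# one unrelated request). Parameter names besides 'start' are illustrative.
SAMPLE_LOG = [
    '203.0.113.7 - - [17/Oct/2025:22:51:03 +0000] "GET /wiki/Special:CargoExport'
    '?tables=Events&fields=name,event_date&format=json&start=2025-01-01 HTTP/1.1" 200 512',
    '198.51.100.23 - - [17/Oct/2025:22:51:09 +0000] "GET /index.php?title=Special:CargoExport'
    '&tables=Events&format=json&start=%27%20UNION%20SELECT%20user_name%2Cuser_password'
    '%20FROM%20user%20--%20 HTTP/1.1" 200 733',
    '203.0.113.7 - - [17/Oct/2025:22:52:41 +0000] "GET /wiki/Main_Page HTTP/1.1" 200 9120',
]


def make_db():
    """Constructed wiki-like database: one Cargo data table plus a sensitive table."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE cargo__Events (name TEXT, event_date TEXT);
        INSERT INTO cargo__Events VALUES
            ('Kickoff', '2025-01-10'), ('Review', '2025-03-05'), ('Launch', '2025-06-20');
        CREATE TABLE user (user_name TEXT, user_password TEXT);
        INSERT INTO user VALUES ('Admin', ':pbkdf2:constructed-hash');
        """
    )
    return conn


def export_vulnerable(conn, start):
    """Bug class: the request parameter is interpolated into the SQL text."""
    sql = (
        "SELECT name, event_date FROM cargo__Events "
        f"WHERE event_date >= '{start}' ORDER BY event_date"
    )
    return conn.execute(sql).fetchall()


def export_hardened(conn, start):
    """Fix: reject values of the wrong shape, then bind; never splice into SQL."""
    if not START_RE.match(start):
        raise ValueError(f"invalid start parameter: {start!r}")
    sql = (
        "SELECT name, event_date FROM cargo__Events "
        "WHERE event_date >= ? ORDER BY event_date"
    )
    return conn.execute(sql, (start,)).fetchall()


def suspicious_cargoexport_requests(log_lines):
    """Return (client, start_value) for CargoExport requests with a non-date 'start'.

    Handles both URL styles MediaWiki emits: /wiki/Special:CargoExport?... and
    /index.php?title=Special:CargoExport&... ; values are percent-decoded first.
    """
    request_re = re.compile(r'^(\S+) \S+ \S+ \[[^\]]*\] "(?:GET|POST) (\S+) HTTP')
    hits = []
    for line in log_lines:
        m = request_re.match(line)
        if not m:
            continue
        client, target = m.groups()
        parts = urlsplit(target)
        params = parse_qs(parts.query)
        title = params.get("title", [""])[0]
        if not (parts.path.endswith("Special:CargoExport") or title == "Special:CargoExport"):
            continue
        for value in params.get("start", []):
            if not START_RE.match(value):
                hits.append((client, value))
    return hits


if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", export_vulnerable(db, PAYLOAD))
    print("hardened:", export_hardened(db, "2025-03-01"))
    print("log hits:", suspicious_cargoexport_requests(SAMPLE_LOG))
```

Run stand-alone, the vulnerable export returns the Admin row alongside the events, the hardened export refuses the payload with ValueError and returns only the filtered events for a well-formed date, and the log scan reports the probing client with the decoded payload. The regex in START_RE is the assumption to adjust to whatever value format the real parameter accepts; the point is that shape validation plus binding closes the whole class, not one payload.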

Remediation

Update the Cargo extension to a patched release. The version currently installed is listed, with every other extension, on the wiki's Special:Version page; instructions for updating extensions can be found in the MediaWiki documentation.

Added: Oct 17, 2025, 11:16 PM
Updated: Oct 17, 2025, 11:16 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 2.5
exploitability: 6.6
remediation: 0.0
relevance: 0.8
threat: 6.4
urgency: 5.7
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.