Wikimedia Foundation MediaWiki WatchAnalytics Extension SQL Injection Vulnerability

Vulnerability

A SQL injection vulnerability has been identified in the WatchAnalytics extension for MediaWiki, affecting the extension's 1.43 and 1.44 versions. Form input supplied by the user is incorporated into SQL queries without proper escaping or parameterization, so a crafted value changes the structure of the query that the extension executes. Exploitation requires the clearreviews permission, which is granted to the sysop group by default; the practical exposure is therefore to wikis whose administrators are untrusted or whose sysop accounts have been compromised.

Impact

An attacker holding the required permission can alter the SQL queries issued by the extension and run arbitrary SQL through the wiki's database connection. Depending on the privileges of that database account, this can lead to unauthorized reading or modification of data.

Reproduction

The vulnerability can be reproduced by navigating to the Special:ClearPendingReviews page, entering dates in the 'Start Time' and 'End Time' fields, and supplying a crafted SQL injection payload in the 'Page title like:' or 'Select page category:' field. Clicking the 'Preview' button causes the injected SQL to be executed, demonstrating the vulnerability.
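The following is an added illustration of the bug class described in the Vulnerability and Reproduction sections above, not code from the WatchAnalytics extension or the advisory. It models a "title like" filter against an in-memory SQLite table: the vulnerable builder concatenates the field into the query text, the hardened builder binds it as a parameter and escapes LIKE wildcards. The table name, column names, sample rows and payload are all constructed for the demonstration.

```python
"""Constructed demonstration of a LIKE-filter SQL injection and its fix.

Not the WatchAnalytics extension's code: the pending_reviews table, its
columns and both query builders are assumptions made for this example.
"""
import sqlite3

# Constructed sample data: page title -> number of pending reviews.
SAMPLE_ROWS = [
    ("Main Page", 3),
    ("Project:Policy", 5),
    ("Draft:Secret", 1),
]


def make_db():
    """Create an in-memory database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE pending_reviews (page_title TEXT, reviews INTEGER)")
    conn.executemany("INSERT INTO pending_reviews VALUES (?, ?)", SAMPLE_ROWS)
    return conn


def vulnerable_query(conn, title_like):
    """The bug class from the advisory: the user-supplied filter is pasted
    straight into the SQL text, so a quote in it terminates the string
    literal and the rest of the input becomes SQL."""
    sql = ("SELECT page_title FROM pending_reviews "
           "WHERE page_title LIKE '%" + title_like + "%'")
    return [row[0] for row in conn.execute(sql)]


def safe_query(conn, title_like):
    """Hardened form: the pattern travels as a bound parameter, so its
    content can never change the query structure, and LIKE metacharacters
    in the user's text are escaped so '%' and '_' match literally."""
    escaped = (title_like.replace("\\", "\\\\")
                         .replace("%", "\\%")
                         .replace("_", "\\_"))
    sql = ("SELECT page_title FROM pending_reviews "
           "WHERE page_title LIKE ? ESCAPE '\\'")
    return [row[0] for row in conn.execute(sql, ("%" + escaped + "%",))]


def demo():
    """Run both builders with a benign filter, an injection payload and a
    bare wildcard, returning the rows each one produced."""
    conn = make_db()
    # Constructed payload: closes the LIKE literal, then ORs in a tautology
    # whose trailing quote is closed by the query's own "%'" suffix.
    payload = "xyz%' OR '1%'='1"
    return {
        "benign_vuln": vulnerable_query(conn, "Project"),
        "payload_vuln": vulnerable_query(conn, payload),
        "wildcard_vuln": vulnerable_query(conn, "_"),
        "benign_safe": safe_query(conn, "Project"),
        "payload_safe": safe_query(conn, payload),
        "wildcard_safe": safe_query(conn, "_"),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name:14s} -> {rows}")
```

The payload returns every row from the vulnerable builder and nothing from the hardened one, because no title literally contains the payload text. The bare "_" case shows the second, quieter defect: without escaping, a single-character wildcard matches every title even when quoting is correct. In MediaWiki itself the idiomatic equivalent is to build the pattern through the database layer (IDatabase::buildLike() with anyString() for the wildcards) so that the value is quoted and escaped by the abstraction rather than interpolated into the query text.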

Remediation

Update to the patched versions of the WatchAnalytics extension published in the MediaWiki Gerrit repository. Until the patch is applied, restricting which user groups hold the clearreviews right reduces exposure, since the injection is only reachable through that permission.

Added: Oct 20, 2025, 9:16 PM
Updated: Oct 20, 2025, 9:16 PM

Vulnerability Rating

Custom Algorithm

  spread          0.0
  impact          2.5
  exploitability  6.1
  remediation     0.0
  relevance       0.8
  threat          6.4
  urgency         5.7
  incentive       1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.