https://bugzilla.wikimedia.org/show_bug.cgi?id=18226
Summary: insecure code in Extension:RecordAdmin
Product: MediaWiki extensions
Version: any
Platform: All
OS/Version: All
Status: NEW
Severity: enhancement
Priority: Normal
Component: RecordAdmin
AssignedTo: [email protected]
ReportedBy: [email protected]
CC: [email protected]
About line 40 in RecordAdmin_body.php there is a variable
$type which is passed to the program via URL, and seems to
be inserted into a regular expresseion unescaped and unfiltered.
if ( $type && $wgRecordAdminUseNamespaces ) {
if ( $wpTitle && !ereg( "^$type:.+$", $wpTitle ) ) $wpTitle =
"$type:$wpTitle";
}
During tests, I could inject roughly everything via URL, and at
least break the regular expression. This is imho too insecure(tm)
--
Configure bugmail: https://bugzilla.wikimedia.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.
_______________________________________________
Wikibugs-l mailing list
[email protected]
https://lists.wikimedia.org/mailman/listinfo/wikibugs-l
