https://bugzilla.wikimedia.org/show_bug.cgi?id=66568
Bug ID: 66568
Summary: Exploit Skinning System by setting a skin's name to the currently active skin
Product: MediaWiki
Version: 1.23.0
Hardware: All
OS: All
Status: UNCONFIRMED
Severity: major
Priority: Unprioritized
Component: Skin and page rendering
Assignee: [email protected]
Reporter: [email protected]
CC: [email protected], [email protected]
Web browser: ---
Mobile Platform: ---
When I use the default skin vector and create a new skin with the name
'mvector' with the base skin file named 'MVector.php' and set its $skinname
property to 'vector', I can replace the default skin vector without having to go
to LocalSettings.php and change the default skin.
This was my test skin (MVector.php):
<?php
if ( !defined( 'MEDIAWIKI' ) )
    die( -1 );

//$wgExtensionMessagesFiles['MVector'] = dirname(__FILE__).'/mvector/i18n.php';

/**
 * Inherit main code from SkinTemplate, set the CSS and template filter.
 * @ingroup Skins
 */
class SkinMVector extends SkinVector {

    // $skinname is set to 'vector' (not 'mvector'): this is the collision described above.
    var $skinname = 'vector', $stylename = 'vector',
        $template = 'VectorTemplate', $useHeadElement = true;

    public function initPage( OutputPage $out ) {
        parent::initPage( $out );
        global $wgStylePath;
        global $wgScriptPath;

        $out->addHTML("<script src='".$wgStylePath."/mvector/MVector.js"."' type='text/javascript'></script>");

        // Add meta information to optimise for mobile sites
        $out->addMeta("viewport", "width=device-width; initial-scale=1.0; maximum-scale=1.0; user-scalable=no;");
        $out->addMeta("wgscript", "".$wgScriptPath."");
    }

    function setupSkinUserCss( OutputPage $out ) {
        parent::setupSkinUserCss( $out );
        //$out->addModuleStyles( 'skins.mvector' );
        $out->addStyle( 'mvector/styles/vector-min.css', 'screen' );
        //$out->addStyle( 'mvector/print.css', 'print' );
        $out->addStyle( 'mvector/ie8fixes.css', 'screen','lte IE 8' );
    }
}

/**
 * BaseTemplate class for MVector skin
 * @ingroup Skins
 */
class MVectorTemplate extends VectorTemplate {

    /**
     * Outputs the entire contents of the page
     */
    public function execute() {
        parent::execute();
    }
}
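An audit for the condition reported above, added here as an example and not part of the original report or of MediaWiki: it scans skin source files for Skin* classes whose declared $skinname differs from their own key, and for keys claimed by more than one class. The naming convention (SkinMVector in MVector.php corresponds to key 'mvector') is taken from the report and is an assumption; the function names and sample sources are constructed.

```python
import re
from collections import defaultdict

CLASS_RE = re.compile(r"\bclass\s+(\w+)\s+extends\s+\w+")
SKINNAME_RE = re.compile(r"\$skinname\s*=\s*(['\"])(.+?)\1")

def declared_skins(files):
    """Return [(file, class, expected_key, declared)] for Skin* classes that
    set $skinname themselves. `files` maps file name -> PHP source text."""
    out = []
    for fname, src in files.items():
        decls = list(CLASS_RE.finditer(src))
        for i, m in enumerate(decls):
            cls = m.group(1)
            if not cls.startswith("Skin") or cls == "Skin":
                continue
            # Only look between this class header and the next one.
            end = decls[i + 1].start() if i + 1 < len(decls) else len(src)
            prop = SKINNAME_RE.search(src, m.end(), end)
            if prop:
                # Assumed convention: class SkinMVector <-> key 'mvector'.
                out.append((fname, cls, cls[4:].lower(), prop.group(2)))
    return out

def audit(files):
    """Flag classes whose $skinname is not their own key, and any key
    claimed by more than one class."""
    findings, claims = [], defaultdict(list)
    for fname, cls, expected, declared in declared_skins(files):
        claims[declared].append(cls)
        if declared != expected:
            findings.append(("mismatch", fname, cls, expected, declared))
    for key, classes in sorted(claims.items()):
        if len(classes) > 1:
            findings.append(("collision", key, sorted(classes)))
    return findings

# Constructed sample input modelled on the report (not real skin files).
SAMPLE = {
    "Vector.php": "class SkinVector extends SkinTemplate {\n"
                  " var $skinname = 'vector', $stylename = 'vector';\n}\n"
                  "class VectorTemplate extends BaseTemplate {}\n",
    "MVector.php": "class SkinMVector extends SkinVector {\n"
                   " var $skinname = 'vector', $stylename = 'vector';\n}\n"
                   "class MVectorTemplate extends VectorTemplate {}\n",
}

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```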