Last modified: 2009-03-28 09:35:39 UTC
About line 40 in RecordAdmin_body.php there is a variable $type which is passed to the program via URL, and seems to be inserted into a regular expresseion unescaped and unfiltered. if ( $type && $wgRecordAdminUseNamespaces ) { if ( $wpTitle && !ereg( "^$type:.+$", $wpTitle ) ) $wpTitle = "$type:$wpTitle"; } During tests, I could inject roughly everything via URL, and at least break the regular expression. This is imho too insecure(tm)