Last modified: 2009-03-28 09:35:39 UTC

Wikimedia Bugzilla is closed!

Wikimedia migrated from Bugzilla to Phabricator. Bug reports are handled in Wikimedia Phabricator.
This static website is read-only and for historical purposes. It is not possible to log in and except for displaying bug reports and their history, links might be broken. See T20226, the corresponding Phabricator task for complete and up-to-date bug report information.
First Last Prev Next    This bug is not in your last search results.
Bug 18226 - insecure code in Extension:RecordAdmin
insecure code in Extension:RecordAdmin
Status: NEW
Product: MediaWiki extensions
Classification: Unclassified
RecordAdmin (Other open bugs)
unspecified
All All
: Normal enhancement with 1 vote (vote)
: ---
Assigned To: Aran
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2009-03-28 09:35 UTC by Purodha Blissenbach
Modified: 2009-03-28 09:35 UTC (History)
1 user (show)

See Also:
Web browser: ---
Mobile Platform: ---
Assignee Huggle Beta Tester: ---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Description Purodha Blissenbach 2009-03-28 09:35:39 UTC 
About line 40 in RecordAdmin_body.php there is a variable
$type which is passed to the program via URL, and seems to
be inserted into a regular expresseion unescaped and unfiltered.

  if ( $type && $wgRecordAdminUseNamespaces ) {
     if ( $wpTitle && !ereg( "^$type:.+$", $wpTitle ) ) $wpTitle = "$type:$wpTitle";
  }

During tests, I could inject roughly everything via URL, and at
least break the regular expression. This is imho too insecure(tm)
Note You need to log in before you can comment on or make changes to this bug.
First Last Prev Next    This bug is not in your last search results.

Navigation
Links