Page MenuHomePhabricator
Create Task
Maniphest T20226

insecure code in Extension:RecordAdmin
Closed, DeclinedPublic
Actions

Description

About line 40 in RecordAdmin_body.php there is a variable
$type which is passed to the program via URL, and seems to
be inserted into a regular expresseion unescaped and unfiltered.

if ( $type && $wgRecordAdminUseNamespaces ) {
   if ( $wpTitle && !ereg( "^$type:.+$", $wpTitle ) ) $wpTitle = "$type:$wpTitle";
}

During tests, I could inject roughly everything via URL, and at
least break the regular expression. This is imho too insecure(tm)

Version: unspecified
Severity: enhancement

Details

Reference
bz18226

Event Timeline

bzimport raised the priority of this task from to Medium.Nov 21 2014, 10:35 PM
bzimport added a project: MediaWiki-extensions-RecordAdmin.
bzimport set Reference to bz18226.
Purodha created this task.Mar 28 2009, 9:35 AM
Krenair added projects: acl*security, Security-Extensions.Jun 27 2015, 8:39 PM
Krenair added a subscriber: Krenair.
Krenair added a comment.EditedJun 27 2015, 8:43 PM

I suggest closing the remaining tasks against this extension as it's obsolete per its description page. Given that this is a security issue from March 2009 though, perhaps we should modify its extension page to say it's insecure?

Bawolff raised the priority of this task from Medium to High.Jan 26 2016, 10:50 PM
Bawolff moved this task from Backlog / Other to External (Non-WMF) Issues on the acl*security board.
Restricted Application added subscribers: Luke081515, Aklapper. · View Herald TranscriptJan 26 2016, 10:50 PM
Bawolff lowered the priority of this task from High to Medium.Jan 26 2016, 10:50 PM
Bawolff added a subscriber: Bawolff.
Bawolff closed this task as Declined.Jan 26 2016, 10:53 PM

Extension is described as "obsolete". I don't think anyone is going to fix this.

chasemp added a project: Security.Feb 10 2020, 10:59 PM
chasemp removed a project: acl*security.Feb 20 2020, 8:18 PM
Content licensed under Creative Commons Attribution-ShareAlike 3.0 (CC-BY-SA) unless otherwise noted; code licensed under GNU General Public License (GPL) or other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL