
insecure code in Extension:RecordAdmin
Closed, Declined · Public

Description

About line 40 in RecordAdmin_body.php there is a variable
$type which is passed to the program via URL, and seems to
be inserted into a regular expression unescaped and unfiltered.

if ( $type && $wgRecordAdminUseNamespaces ) {
   if ( $wpTitle && !ereg( "^$type:.+$", $wpTitle ) ) $wpTitle = "$type:$wpTitle";
}

During tests, I could inject roughly everything via URL, and at
least break the regular expression. This is imho too insecure(tm)


Version: unspecified
Severity: enhancement

Details

Reference
bz18226
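
The pattern described in this report next to an escaped form, as an added example that is not part of the original task or the extension's code. It assumes `preg_match()` as a stand-in for `ereg()` (removed in PHP 7); the function names and sample inputs are constructed for illustration.

```php
<?php
// Added example, not code from Extension:RecordAdmin.
// preg_match() stands in for ereg(); function names are hypothetical.

// Mirrors the reported line: $type is interpolated into the pattern as-is.
function prefixTitleUnescaped(string $type, string $title): string {
    // '@' silences the compile warning so the failure is reported in the result.
    $m = @preg_match("/^$type:.+$/", $title);
    if ($m === false) {
        return '[pattern failed to compile]';
    }
    return $m ? $title : "$type:$title";
}

// Escaped form: preg_quote() turns every metacharacter in $type (and the
// '/' delimiter) into a literal before the pattern is built.
function prefixTitleEscaped(string $type, string $title): string {
    $quoted = preg_quote($type, '/');
    return preg_match("/^$quoted:.+$/", $title) ? $title : "$type:$title";
}

// Constructed sample inputs: [type, title].
$cases = [
    ['Person', 'Person:Alice'], // already prefixed
    ['Person', 'Alice'],        // prefix gets added
    ['a.c',    'abc:Page'],     // '.' acts as a wildcard when unescaped
    ['(',      'Alice'],        // unbalanced group breaks the unescaped pattern
];

foreach ($cases as [$type, $title]) {
    printf(
        "type=%-7s title=%-13s unescaped=%-28s escaped=%s\n",
        $type,
        $title,
        prefixTitleUnescaped($type, $title),
        prefixTitleEscaped($type, $title)
    );
}
```

Checking `$type` against the list of record types the wiki actually defines before it reaches the pattern is stricter still than escaping.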

Event Timeline

bzimport raised the priority of this task from to Normal.
bzimport set Reference to bz18226.
Krenair added a comment. Edited Jun 27 2015, 8:43 PM

I suggest closing the remaining tasks against this extension as it's obsolete per its description page. Given that this is a security issue from March 2009 though, perhaps we should modify its extension page to say it's insecure?

Bawolff raised the priority of this task from Normal to High.
Restricted Application added subscribers: Luke081515, Aklapper. Jan 26 2016, 10:50 PM
Bawolff lowered the priority of this task from High to Normal. Jan 26 2016, 10:50 PM
Bawolff added a subscriber: Bawolff.
Bawolff closed this task as Declined. Jan 26 2016, 10:53 PM

Extension is described as "obsolete". I don't think anyone is going to fix this.