Page MenuHomePhabricator

insecure code in Extension:RecordAdmin
Closed, DeclinedPublic


About line 40 in RecordAdmin_body.php there is a variable
$type which is passed to the program via URL, and seems to
be inserted into a regular expresseion unescaped and unfiltered.

if ( $type && $wgRecordAdminUseNamespaces ) {
   if ( $wpTitle && !ereg( "^$type:.+$", $wpTitle ) ) $wpTitle = "$type:$wpTitle";

During tests, I could inject roughly everything via URL, and at
least break the regular expression. This is imho too insecure(tm)

Version: unspecified
Severity: enhancement



Event Timeline

bzimport raised the priority of this task from to Medium.Nov 21 2014, 10:35 PM
bzimport set Reference to bz18226.

I suggest closing the remaining tasks against this extension as it's obsolete per its description page. Given that this is a security issue from March 2009 though, perhaps we should modify its extension page to say it's insecure?

Bawolff raised the priority of this task from Medium to High.Jan 26 2016, 10:50 PM
Bawolff moved this task from Backlog / Other to External (Non-WMF) Issues on the acl*security board.
Bawolff lowered the priority of this task from High to Medium.Jan 26 2016, 10:50 PM
Bawolff added a subscriber: Bawolff.

Extension is described as "obsolete". I don't think anyone is going to fix this.