Page MenuHomePhabricator

insecure code in Extension:RecordAdmin
Closed, DeclinedPublic


About line 40 in RecordAdmin_body.php there is a variable
$type which is passed to the program via URL, and seems to
be inserted into a regular expresseion unescaped and unfiltered.

if ( $type && $wgRecordAdminUseNamespaces ) {
   if ( $wpTitle && !ereg( "^$type:.+$", $wpTitle ) ) $wpTitle = "$type:$wpTitle";

During tests, I could inject roughly everything via URL, and at
least break the regular expression. This is imho too insecure(tm)

Version: unspecified
Severity: enhancement



Event Timeline

bzimport raised the priority of this task from to Normal.Nov 21 2014, 10:35 PM
bzimport set Reference to bz18226.
Krenair added a comment.EditedJun 27 2015, 8:43 PM

I suggest closing the remaining tasks against this extension as it's obsolete per its description page. Given that this is a security issue from March 2009 though, perhaps we should modify its extension page to say it's insecure?

Bawolff raised the priority of this task from Normal to High.Jan 26 2016, 10:50 PM
Restricted Application added subscribers: Luke081515, Aklapper. · View Herald TranscriptJan 26 2016, 10:50 PM
Bawolff lowered the priority of this task from High to Normal.Jan 26 2016, 10:50 PM
Bawolff added a subscriber: Bawolff.
Bawolff closed this task as Declined.Jan 26 2016, 10:53 PM

Extension is described as "obsolete". I don't think anyone is going to fix this.