Unauthorised access to transwiki import
Closed, ResolvedPublic


MediaWiki developer Happy-Melon discovered that the transwiki import feature ($wgImportSources) neglected to perform access control checks on form submission. Access control checks were only done before form display. Thus, a specially constructed POST request could be used to perform transwiki import without proper authorisation.

Transwiki import is not enabled by default. When it is enabled, it allows wiki pages to be copied from the wikis listed in $wgImportSources in LocalSettings.php.

Version: 1.16.x
Severity: normal

bzimport added a subscriber: Unknown Object (MLST).
bzimport set Reference to bz28449.
tstarling created this task.Via LegacyApr 7 2011, 3:27 AM
bzimport added a comment.Via ConduitApr 7 2011, 10:13 AM

happy.melon.wiki wrote:

This was fixed in r85005 and r85099; it has been ported to the 1.17, 1.17wmf1 and 1.16 branches.

csteipp added a project: Security.Via WebMar 26 2015, 8:39 PM

Add Comment