Author: nickpj
Description:
[[Special:Blockme]], (which appears to allow a user who knows the proxy key the
ability to block themselves) takes a special parameter, "ip", which is
calculated as:
md5 ( your IP address + $wgProxyKey ), which for me on non-accessible private
test wiki equals:
md5 ("192.168.0.2" .
"6826d709cefab1ea688cc1295c376fa816ab551b79cf7b29714f6fcd238b507f") =
"1f35ce44ad66b44523ba3025f3d52a6d"
However using this parameter in a URL (in this example:
http://192.168.0.64/wiki/index.php?title=Special:Blockme&ip=1f35ce44ad66b44523ba3025f3d52a6d
), causes the following error:
Database error
A database query syntax error has occurred. This may indicate a bug in the
software. The last attempted database query was:
(SQL query hidden)
from within function "Block::insert". MySQL returned error "1054: Unknown column
'ipb_anon_only' in 'field list' (localhost)".
... and the database error log contains this:
Wed Jul 12 17:29:25 EST 2006 bling Block::insert localhost 1054 Unknown
column 'ipb_anon_only' in 'field list' (localhost) INSERT IGNORE INTO
ipblocks
(ipb_id,ipb_address,ipb_user,ipb_by,ipb_reason,ipb_timestamp,ipb_auto,ipb_anon_only,ipb_create_account,ipb_expiry,ipb_range_start,ipb_range_end)
VALUES (NULL,'192.168.0.2','0','10000','Your IP address has been blocked because
it is an open proxy. Please contact your Internet service provider or tech
support and inform them of this serious security
problem.','20060712072925','0','0','0','infinity','','')
Maybe either update the query, or delete the file if it's not being used? (At
first glance it only appears to be called by includes/ProxyTools.php , but I'm
not quite clear how ProxyTools is called - and if it isn't, and there are no
plans to add it back in, perhaps deletion may be the better option).
Version: 1.8.x
Severity: minor