Last modified: 2013-10-02 17:20:12 UTC
Usage of this extension has been known to pose SEVERE SECURITY RISKS on sites that only use the default settings. Security measures for special page extensions should be used to prevent unauthorized usage which may lead to site and or server hijacking. The extension has vulnerabilities in various areas, including the usage of globals, PHP and MySQL database classes. Note: Typical passwords will not prevent a breach against your site(s) if this extension is used. It is strongly suggested that users of the extension refrain until an official version resolving the vulnerability is released; if usage is continued without resolution, then editing variables and re-declaring functions is suggested. Do not leave extension exposed on special page, if so, any user on the site will be able to change bulk content. Do not use if local settings have been leaked online; you may need to re-install the entire MediaWiki application if so.
Hi - as noted, you already posted this at https://www.mediawiki.org/wiki/Extension_talk:Replace_Text - see my comments there.
If maintainers agree that there is risk, this should be exposed at the top of https://www.mediawiki.org/wiki/Extension:Replace_Text
Actually, I'm marking this as "invalid" - even after a long talk page discussion, I'm still not sure what the person who reported this issue is actually talking about; and at this point it's not clear to me that there's any sort of security risk.
Good luck. Let us know if there are any major changes to your scripts...
No patch to review, hence resetting status.