Last modified: 2013-10-02 17:20:12 UTC

Wikimedia Bugzilla is closed!

Wikimedia migrated from Bugzilla to Phabricator. Bug reports are handled in Wikimedia Phabricator.
This static website is read-only and for historical purposes. It is not possible to log in and except for displaying bug reports and their history, links might be broken. See T56837, the corresponding Phabricator task for complete and up-to-date bug report information.
Bug 54837 - Extension Poses Security Risks
Status: RESOLVED INVALID
Product: MediaWiki extensions
Classification: Unclassified
Component: ReplaceText
Version: unspecified
Hardware: All All
Importance: Unprioritized major
Assigned To: Nobody - You can work on this!
URL: https://www.mediawiki.org/wiki/Extens...

Reported: 2013-10-01 18:42 UTC by Habatchii
Modified: 2013-10-02 17:20 UTC

Description Habatchii 2013-10-01 18:42:20 UTC
Usage of this extension has been known to pose SEVERE SECURITY RISKS on sites that only use the default settings. Security measures for special page extensions should be used to prevent unauthorized usage which may lead to site and/or server hijacking. The extension has vulnerabilities in various areas, including the usage of globals, PHP and MySQL database classes.

Note: Typical passwords will not prevent a breach against your site(s) if this extension is used.

It is strongly suggested that users of the extension refrain until an official version resolving the vulnerability is released; if usage is continued without resolution, then editing variables and re-declaring functions is suggested. Do not leave the extension exposed on a special page; if so, any user on the site will be able to change bulk content. Do not use if local settings have been leaked online; you may need to re-install the entire MediaWiki application if so.

Comment 1 Yaron Koren 2013-10-01 18:59:49 UTC
Hi - as noted, you already posted this at https://www.mediawiki.org/wiki/Extension_talk:Replace_Text - see my comments there.

Comment 2 Andre Klapper 2013-10-02 08:20:10 UTC
If maintainers agree that there is risk, this should be exposed at the top of https://www.mediawiki.org/wiki/Extension:Replace_Text

Comment 3 Yaron Koren 2013-10-02 12:45:54 UTC
Actually, I'm marking this as "invalid" - even after a long talk page discussion, I'm still not sure what the person who reported this issue is actually talking about; and at this point it's not clear to me that there's any sort of security risk.

Comment 4 Habatchii 2013-10-02 14:48:49 UTC
Good luck. Let us know if there are any major changes to your scripts...

Comment 5 Andre Klapper 2013-10-02 17:20:12 UTC
No patch to review, hence resetting status.
