Hi,
We received a e-mail form a client stating he found a content-spoofing vulnerability. Specific; text injection.
Example URL: https://nl.wikipedia.org/w/load.php?modules=As%20we%20are%20experiencing%20too%20many%20requests%20Login%20from%20attacker.com <https://nl.wikipedia.org/w/load.php?modules=As%20we%20are%20experiencing%20too%20many%20requests%20Login%20from%20attacker.com>
Obviously, load.php is normally used to load mediawiki’s frontend modules; but whenever a package/module can’t be found - it will show a message, containing the searched module. I don’t think this is needed necessarily; if this is has been added to help developers, the solution might be to just load a message into wfDebugLog() instead showing the user the package name.
Is this something worth creating a MR or PR for? I’m willing to fix it.
Thanks in advance,
Youri
We received a e-mail form a client stating he found a content-spoofing vulnerability. Specific; text injection.
Example URL: https://nl.wikipedia.org/w/load.php?modules=As%20we%20are%20experiencing%20too%20many%20requests%20Login%20from%20attacker.com <https://nl.wikipedia.org/w/load.php?modules=As%20we%20are%20experiencing%20too%20many%20requests%20Login%20from%20attacker.com>
Obviously, load.php is normally used to load mediawiki’s frontend modules; but whenever a package/module can’t be found - it will show a message, containing the searched module. I don’t think this is needed necessarily; if this is has been added to help developers, the solution might be to just load a message into wfDebugLog() instead showing the user the package name.
Is this something worth creating a MR or PR for? I’m willing to fix it.
Thanks in advance,
Youri