Hi,

We received an e-mail from a client stating he found a content-spoofing 
vulnerability; specifically, text injection. 

Example URL: 
https://nl.wikipedia.org/w/load.php?modules=As%20we%20are%20experiencing%20too%20many%20requests%20Login%20from%20attacker.com

Obviously, load.php is normally used to load MediaWiki's frontend modules; but 
whenever a package/module can't be found, it will show a message containing 
the searched module. I don't think this is necessarily needed; if this has 
been added to help developers, the solution might be to just load a message 
into wfDebugLog() instead of showing the user the package name. 

Is this something worth creating an MR or PR for? I'm willing to fix it. 

Thanks in advance,

Youri
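The pattern described in the post, as an added illustration that is not MediaWiki's load.php code: a reflected error message that echoes an unknown module name beside a hardened version that validates the name, returns a generic message, and logs the rejected input server-side (the registry, the name grammar and the `$log` callback are assumptions; in MediaWiki the log call would be wfDebugLog() as the post suggests).

```php
<?php
// Added illustration, not MediaWiki's code: a minimal handler that resolves a
// "modules" query parameter against a registry of known modules.
declare(strict_types=1);

// Constructed registry standing in for the real module list (assumption).
const KNOWN_MODULES = ['jquery', 'mediawiki.base', 'skins.vector.js'];

// Vulnerable pattern: the unknown module name, which is attacker-controlled
// text, is echoed verbatim into the error response. That is the text
// injection / content spoofing the client reported.
function respondVulnerable(string $modules): string {
    $missing = array_diff(explode(',', $modules), KNOWN_MODULES);
    if ($missing) {
        return 'Module not found: ' . implode(',', $missing);
    }
    return '/* modules loaded */';
}

// Hardened pattern: a name is accepted only if it matches a strict module-name
// grammar AND is registered; anything else yields a generic message for the
// user, while the rejected input goes to a server-side log for developers.
function respondHardened(string $modules, callable $log): string {
    $names = explode(',', $modules);
    $bad = array_filter(
        $names,
        fn(string $n): bool => !preg_match('/^[A-Za-z0-9.\-]+$/', $n)
            || !in_array($n, KNOWN_MODULES, true)
    );
    if ($bad) {
        // Hypothetical logger callback; the rejected names never reach the response body.
        $log('load', 'Rejected module request: ' . json_encode(array_values($bad)));
        return '/* One or more requested modules could not be loaded. */';
    }
    return '/* modules loaded */';
}

// The attacker-chosen string from the reported URL, decoded, as sample input.
$input = 'As we are experiencing too many requests Login from attacker.com';
echo respondVulnerable($input), "\n";   // reflects the injected text to the user
echo respondHardened($input, fn(string $ch, string $m) => error_log("[$ch] $m")), "\n";
```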

_______________________________________________
MediaWiki-l mailing list -- mediawiki-l@lists.wikimedia.org
To unsubscribe send an email to mediawiki-l-le...@lists.wikimedia.org
https://lists.wikimedia.org/postorius/lists/mediawiki-l.lists.wikimedia.org/
