
Potential html injection when the database server isn't available
Closed, Resolved (Public)

Description

Bug for tracking the potential HTML injection when the database server isn't available, fixed in r77422.

Wikis which set $wgServer in their LocalSettings or are in a virtual host would never be vulnerable.

For sites which show the wiki in the default host, it will depend on how forgiving their webserver and PHP stack are for that garbled input, although some kind of foolable proxy —moreover wrongly caching errors (or the default output buffering is disabled and something incorrectly sent a previous text)— would also need to be present in order to make that useful for a potential attacker.


Version: 1.17.x
Severity: normal

Details

Reference
bz26164

Event Timeline

bzimport raised the priority of this task from to Medium. Nov 21 2014, 11:24 PM
bzimport set Reference to bz26164.
bzimport added a subscriber: Unknown Object (MLST).