Hi,
We received a e-mail form a client stating he found a content-spoofing vulnerability. Specific; text injection.
Example URL: https://nl.wikipedia.org/w/load.php?modules=As%20we%20are%20experiencing%20t... https://nl.wikipedia.org/w/load.php?modules=As%20we%20are%20experiencing%20too%20many%20requests%20Login%20from%20attacker.com
Obviously, load.php is normally used to load mediawiki’s frontend modules; but whenever a package/module can’t be found - it will show a message, containing the searched module. I don’t think this is needed necessarily; if this is has been added to help developers, the solution might be to just load a message into wfDebugLog() instead showing the user the package name.
Is this something worth creating a MR or PR for? I’m willing to fix it.
Thanks in advance,
Youri
Thanks for the note. We do not consider this to be a security vulnerability. People using automated scanners occasionally report this as a problem, but it's harmless. See for example discussion here: https://phabricator.wikimedia.org/T228544
mediawiki-l@lists.wikimedia.org