Hi,
We received a e-mail form a client stating he found a content-spoofing vulnerability.
Specific; text injection.
Example URL:
https://nl.wikipedia.org/w/load.php?modules=As%20we%20are%20experiencing%20…
<https://nl.wikipedia.org/w/load.php?modules=As%20we%20are%20experiencing%20too%20many%20requests%20Login%20from%20attacker.com>
Obviously, load.php is normally used to load mediawiki’s frontend modules; but whenever a
package/module can’t be found - it will show a message, containing the searched module. I
don’t think this is needed necessarily; if this is has been added to help developers, the
solution might be to just load a message into wfDebugLog() instead showing the user the
package name.
Is this something worth creating a MR or PR for? I’m willing to fix it.
Thanks in advance,
Youri