Dan Jacobson wrote:
D> $wgDBserver="mysql.$wgServerName";
P> I suppose you know what will be happening if someone finds a way to
P> overwrite your $wgServerName variable...
How could that happen? $wgServerName is born in the safe confines of DefaultSettings.php.
I don't know, I wrote without even checking where it was set. It's a matter of making secure code. There are hundreds of exploits taking advantage of things the owner thought "couldn't be done". Appending the result to a server in the default case is very bad. There's no need to do it in this way, so why do it? Tomorrow PHP could find a problem in the way $_REQUEST variables are used, compromising your system.
Let's focus on how $wgServer "is born in the safe confines":
    # DefaultSettings.php
    if( isset( $_SERVER['SERVER_NAME'] ) ) {
        $wgServerName = $_SERVER['SERVER_NAME'];
    } elseif( isset( $_SERVER['HOSTNAME'] ) ) {
        $wgServerName = $_SERVER['HOSTNAME'];
    } elseif( isset( $_SERVER['HTTP_HOST'] ) ) {
        $wgServerName = $_SERVER['HTTP_HOST'];
    } elseif( isset( $_SERVER['SERVER_ADDR'] ) ) {
        $wgServerName = $_SERVER['SERVER_ADDR'];
    } else {
        $wgServerName = 'localhost';
    }
It is built from one of several pieces of information the server passes to it. What happens if you're using a server which doesn't give SERVER_NAME nor HOSTNAME to your script (the server doesn't support it, or it is not being passed to the script if using FastCGI/ISAPI/CGI...)?
Then the value is taken from 'HTTP_HOST'. Notice the HTTP_ before? It's a parameter passed by the user on the HTTP request. What happens if I send to the server X a request saying I'm querying server Y? If it uses Virtual Hosts, it will probably tell me there's no such domain on that server, but if the server is listening by IP, it could reach the wiki. And now on the wiki I can arbitrarily set your dbserver and steal your login data. There are a number of mitigating factors so your wiki is probably not vulnerable, but you don't want to be if you change servers, do you?
On the line of "how could that happen?", you can read a report about an old MediaWiki bug where IPs were faked, the safe X-Forwarded-For provided by the squids was overwritten: http://en.wikipedia.org/wiki/User:Brion_VIBBER/Cool_Cat_incident_report
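As an added illustration (not code from the thread or from MediaWiki), the fallback chain quoted above can be kept while refusing to trust the client-supplied Host header unless it matches an operator-defined allowlist; resolveServerName() and $allowedHosts are hypothetical names, and the $_SERVER arrays below are constructed samples.

```php
<?php
// Added example, not MediaWiki's own code. Mirrors the DefaultSettings.php
// fallback order, but treats HTTP_HOST as untrusted input: it is only used
// when it exactly matches a host the operator configured.
function resolveServerName(array $server, array $allowedHosts): string {
    // SERVER_NAME and HOSTNAME come from the web server's own configuration.
    foreach (['SERVER_NAME', 'HOSTNAME'] as $key) {
        if (isset($server[$key]) && $server[$key] !== '') {
            return $server[$key];
        }
    }
    // HTTP_HOST is copied from the request's Host: header, so the client
    // chooses it. Normalise (lowercase, drop an optional :port) and check the
    // allowlist before accepting it.
    if (isset($server['HTTP_HOST'])) {
        $host = preg_replace('/:\d+$/', '', strtolower($server['HTTP_HOST']));
        if (in_array($host, $allowedHosts, true)) {
            return $host;
        }
    }
    if (isset($server['SERVER_ADDR']) && $server['SERVER_ADDR'] !== '') {
        return $server['SERVER_ADDR'];
    }
    return 'localhost';
}

// Constructed samples: a CGI/FastCGI-style environment that passes neither
// SERVER_NAME nor HOSTNAME, so the old code would fall through to HTTP_HOST.
$allowedHosts = ['wiki.example.org'];
$forged = ['HTTP_HOST' => 'attacker-chosen.example', 'SERVER_ADDR' => '192.0.2.10'];
$legit  = ['HTTP_HOST' => 'Wiki.Example.org:80',     'SERVER_ADDR' => '192.0.2.10'];

var_dump(resolveServerName($forged, $allowedHosts)); // string(10) "192.0.2.10"
var_dump(resolveServerName($legit,  $allowedHosts)); // string(16) "wiki.example.org"

// Independently of the above, the database host should be a literal in
// LocalSettings.php rather than something derived from $wgServerName.
$wgDBserver = 'db.internal.example'; // fixed value, never request-derived
```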