Dan Jacobson wrote:
D> $wgDBserver="mysql.$wgServerName";
P> I suppose you know what will be happening if someone finds a way to
P> overwrite your $wgServerName variable...
How could that happen? $wgServerName is born in the safe confines of
DefaultSettings.php.
I don't know, I wrote that without even checking where it was set. It's a
matter of writing secure code. There are hundreds of exploits taking
advantage of things the owner thought "couldn't be done".
Appending the result to a server name in the default case is very bad.
There's no need to do it this way, so why do it? Tomorrow PHP could
find a problem in the way $_REQUEST variables are used, compromising
your system.
Let's focus on how $wgServerName "is born in the safe confines":
# DefaultSettings.php
# First match wins; only the first two values come from the web server itself.
if( isset( $_SERVER['SERVER_NAME'] ) ) {
    $wgServerName = $_SERVER['SERVER_NAME'];
} elseif( isset( $_SERVER['HOSTNAME'] ) ) {
    $wgServerName = $_SERVER['HOSTNAME'];
} elseif( isset( $_SERVER['HTTP_HOST'] ) ) {
    # Host: header of the request, i.e. chosen by the client
    $wgServerName = $_SERVER['HTTP_HOST'];
} elseif( isset( $_SERVER['SERVER_ADDR'] ) ) {
    $wgServerName = $_SERVER['SERVER_ADDR'];
} else {
    $wgServerName = 'localhost';
}
It is built from one of several pieces of information the server passes to it.
What happens if you're using a server which gives neither SERVER_NAME nor
HOSTNAME to your script (the server doesn't support it, or it is not
passed to the script when using FastCGI/ISAPI/CGI...)?
Then the value is taken from 'HTTP_HOST'. Notice the HTTP_ in front? It's
a parameter passed by the user in the HTTP request.
What happens if I send server X a request saying I'm querying
server Y? If it uses virtual hosts, it will probably tell me there's
no such domain on that server, but if the server is listening by IP, it
could reach the wiki. And now on the wiki I can arbitrarily set your
DB server and steal your login data.
There are a number of mitigating factors, so your wiki is probably
not vulnerable, but you don't want it to be if you change servers, do you?
Along the lines of "how could that happen?", you can read a report about an
old MediaWiki bug where IPs were faked: the safe X-Forwarded-For
provided by the Squids was overwritten:
http://en.wikipedia.org/wiki/User:Brion_VIBBER/Cool_Cat_incident_report
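To make the Host-header scenario from the message above concrete, here is an added example (not MediaWiki code and not part of the original thread). It models the same fallback chain as the quoted DefaultSettings snippet with constructed $_SERVER arrays, shows what $wgDBserver becomes when a CGI-style deployment reached by IP gets a forged Host: header, and beside it a hardened resolver that only accepts HTTP_HOST when it is on an allowlist. The function names, the host names and the 203.0.113.10 address are assumptions made up for the example.

```php
<?php
// Added example, not MediaWiki's own code. Models the DefaultSettings fallback
// chain quoted in the thread and the effect of deriving $wgDBserver from it.

// Same precedence as the quoted snippet: SERVER_NAME, HOSTNAME, HTTP_HOST,
// SERVER_ADDR, then 'localhost'.
function deriveServerName(array $server): string {
    if (isset($server['SERVER_NAME'])) {
        return $server['SERVER_NAME'];
    } elseif (isset($server['HOSTNAME'])) {
        return $server['HOSTNAME'];
    } elseif (isset($server['HTTP_HOST'])) {
        // Client-controlled: this is the Host: header of the request.
        return $server['HTTP_HOST'];
    } elseif (isset($server['SERVER_ADDR'])) {
        return $server['SERVER_ADDR'];
    }
    return 'localhost';
}

// Hardened variant (assumed design, not MediaWiki's): HTTP_HOST is only
// accepted when it names a host this installation actually serves.
function deriveServerNameSafe(array $server, array $allowedHosts): string {
    foreach (['SERVER_NAME', 'HOSTNAME'] as $key) {
        if (isset($server[$key])) {
            return $server[$key];
        }
    }
    if (isset($server['HTTP_HOST'])) {
        // Drop an optional :port suffix and normalise case before comparing.
        $host = strtolower(preg_replace('/:\d+$/', '', $server['HTTP_HOST']));
        if (in_array($host, $allowedHosts, true)) {
            return $host;
        }
        throw new RuntimeException('Refusing untrusted Host header: ' . $server['HTTP_HOST']);
    }
    return $server['SERVER_ADDR'] ?? 'localhost';
}

// Constructed environments for the demo (not captured from a real server).
// A normal Apache request, where SERVER_NAME is set by the web server:
$normal = ['SERVER_NAME' => 'wiki.example.org', 'HTTP_HOST' => 'wiki.example.org'];
// A CGI/FastCGI deployment that passes no SERVER_NAME, reached by IP address
// with a forged Host: header:
$forged = ['HTTP_HOST' => 'attacker.example.net', 'SERVER_ADDR' => '203.0.113.10'];

foreach (['normal' => $normal, 'forged' => $forged] as $label => $env) {
    $wgServerName = deriveServerName($env);
    // The construction from the original message: the DB host follows $wgServerName,
    // so in the forged case the wiki would open its DB connection, credentials
    // included, to a host the client picked.
    $wgDBserver = "mysql.$wgServerName";
    echo "$label: \$wgDBserver = $wgDBserver\n";
}

// The hardened resolver rejects the forged request instead of trusting it.
try {
    deriveServerNameSafe($forged, ['wiki.example.org']);
} catch (RuntimeException $e) {
    echo 'hardened: ' . $e->getMessage() . "\n";
}
```

Run it with `php example.php`; the "forged" line shows the DB host being rewritten to the attacker's name while the hardened resolver throws. The allowlist is only needed by code that genuinely has to know its own host name; for $wgDBserver the simpler fix, as the thread says, is not to derive it at all and put a literal host name in LocalSettings.php.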