Ummm... Isn't that a register_globals vulnerability since you removed $wgProxyKey from DefaultSettings.php?
~Daniel Friesen (Dantman, Nadir-Seen-Fire) of:
-The Nadir-Point Group (http://nadir-point.com)
--Its Wiki-Tools subgroup (http://wiki-tools.com)
--The ElectronicMe project (http://electronic-me.org)
--Games-G.P.S. (http://ggps.org)
-And Wikia ACG on Wikia.com (http://wikia.com/wiki/Wikia_ACG)
--Animepedia (http://anime.wikia.com)
--Narutopedia (http://naruto.wikia.com)
demon@svn.wikimedia.org wrote:
Revision: 40323
Author: demon
Date: 2008-09-02 15:15:54 +0000 (Tue, 02 Sep 2008)
Log Message:
Fully deprecate $wgProxyKey. Has been marked as deprecated since 1.4, but never seems to have been done. Sites with $wgProxyKey set will continue to use the setting (added a fallback in Setup). Fixes bugs 9258 and 12089.
Modified: trunk/phase3/includes/Setup.php
--- trunk/phase3/includes/Setup.php 2008-09-02 02:11:50 UTC (rev 40322) +++ trunk/phase3/includes/Setup.php 2008-09-02 15:15:54 UTC (rev 40323) @@ -150,6 +150,10 @@ wfProfileOut( $fname.'-includes' ); wfProfileIn( $fname.'-misc1' );
+# Override SecretKey with ProxyKey if a site is using the old setting +if ( isset( $wgProxyKey ) ) {
- $wgSecretKey = $wgProxyKey;
+}
$wgIP = false; # Load on demand # Can't stub this one, it sets up $_GET and $_REQUEST in its constructor
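Review bot: the `isset( $wgProxyKey )` guard in the block added to Setup.php is only safe if $wgProxyKey can never be defined by anything other than the site's own configuration. If, as the reply above says, the default was dropped from DefaultSettings.php, then on a server running with register_globals enabled a request parameter named wgProxyKey would create the variable, pass the isset() test and replace $wgSecretKey with a value chosen by the client. I would keep an explicit default such as `$wgProxyKey = false;` in DefaultSettings.php so the variable is always initialized before request data could define it, and change the test to `if ( $wgProxyKey )` so the fallback only fires when a site has actually set the old key.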