Thanks for your reply, and what you said brings up an important point. The way I use the
variable is through only predefined values so I should be ok. Do you know of a
better/more safe way to get the subdomain than through the _SERVER["HTTP_HOST"]
variable? I also expected the upgrade "suggestion" ;).
Adam
-----Original Message-----
From: Brion Vibber [mailto:brion@pobox.com]
Sent: Monday, December 06, 2004 5:19 PM
To: MediaWiki announcements and site admin list
Subject: Re: [Mediawiki-l] Question about $wgServer Variable
On Dec 6, 2004, at 1:01 PM, Adam Edwards wrote:
> My question is I overwrote the $wgServer variable in my
> LocalSettings.php file to use $_SERVER["HTTP_HOST"] instead and
> preserve the subdomain. Does anyone know if this will mess anything
> up?
This value is provided by the client, so it may be possible to exploit,
depending on your server configuration. Cache poisoning attacks with
HTML/JavaScript injections might be a possibility if it's not properly
sanitized in output.
You should ensure that the variable can only have certain predefined
values before using it in this way.
> Oh yeah I'm using mediawiki-1.3.2.
Please upgrade to 1.3.8 immediately; there are numerous bug fixes and
some important security fixes.
-- brion vibber (brion @ pobox.com)
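
The advice in the thread, to let the client-supplied Host header select only among predefined values, can be sketched as follows. This is an added example, not part of the original messages and not MediaWiki's own code; the function name `pickAllowedHost`, the `example.org` hostnames and the hard-coded `http://` scheme are assumptions.

```php
<?php
// Added example: allowlist the Host header before it reaches $wgServer.
// Hostnames below are constructed placeholders, not taken from the thread.

/**
 * Map a client-supplied Host header to one of our own fixed strings.
 * Anything missing, malformed or unknown yields the fallback, so no
 * client-controlled bytes ever end up in generated URLs or cached pages.
 */
function pickAllowedHost(?string $rawHost, array $allowedHosts, string $fallback): string
{
    if ($rawHost === null) {
        return $fallback;
    }
    // Host names are case-insensitive; drop an optional :port and trailing dot.
    $host = strtolower(trim($rawHost));
    $host = (string) preg_replace('/:\d{1,5}$/', '', $host);
    $host = rtrim($host, '.');

    // Strict comparison against fixed strings; return the list entry,
    // never the value the client sent.
    $idx = array_search($host, $allowedHosts, true);
    return $idx === false ? $fallback : $allowedHosts[$idx];
}

$allowedHosts = ['en.wiki.example.org', 'de.wiki.example.org']; // constructed
$fallback     = 'www.wiki.example.org';                         // constructed

// What would go in LocalSettings.php (scheme is an assumption):
$wgServer = 'http://' . pickAllowedHost($_SERVER['HTTP_HOST'] ?? null, $allowedHosts, $fallback);

// Constructed sample headers showing the behaviour, including hostile input.
$samples = [
    'en.wiki.example.org',
    'DE.wiki.example.org:8080',
    'evil.example.net',
    '"><script>alert(1)</script>',
    null,
];
foreach ($samples as $sample) {
    printf("%-32s => %s\n", var_export($sample, true),
        pickAllowedHost($sample, $allowedHosts, $fallback));
}
```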