[Mediawiki-l] Security - MediaWiki 1.9.2

Kasimir Gabert kasimir.g at gmail.com
Wed Mar 7 23:43:37 UTC 2007


Hello Roger,

What you did is you escaped from running the PHP command to having it
be HTML.  This will happen any time you have ?> not escaped in PHP.
It is not a flaw for most PHP use, but it can be if you escape out of
it before showing a password or something similar.  To get around
this, move the ?> away from each other.

I hope that this helps,
Kasimir

On 3/7/07, Roger Chrisman <roger at rogerchrisman.com> wrote:
> I just had a scare...
>
> My LocalSettings.php file *displayed in the browser* at top of any wiki
> page view! (Actually I only saw it at top of Main_page and top of
> Search results page before I panicked and reverted the edit in
> LocalSettings.php that had caused this.)
>
> What happened
> ---------------------
>
> In LocalSettings.php I had edited my $wgSpamRegex from this:
>
> $wgSpamRegex = "/\<.*style.*?(display|position|overflow|visibility|
> height)\s*:.*?>/i";
>
> to this which caused this line and all below it in LocalSettings.php to
> show in browser!:
>
> $wgSpamRegex = "/(Tramadol|\<.*style.*?(display|position|overflow|
> visibility|height)\s*:.*?>)/i";
>
>
> Both entries were single lines of course; line breaks here for email.
>
> Did I screw up the Regex while adding "(Tramadol|" and ")" to it?
>
> Why did the new $wgSpamRegex line and everything below it in
> LocalSettings.php show up at top of *wiki page views in browser
> (Konqueror) window*?
>
> Luckily my MySQL pw and username are *above* that in LocalSettings.php
> so they did not get out.
>
> I'm running the wiki, http://Wikigogy.org, with default MediaWiki and no
> extensions on a commercial web host and viewed it from home in
> Konqueror browser.
>
> * MediaWiki: 1.9.2
> * PHP: 5.2.1 (cgi)
> * MySQL: 4.1.21-standard-log
>
> I keep LocalSettings.php mode 600 and owned by myself.
>
> How did half of it get out?
>
> --
> Roger Chrisman  :-)          http://Wikigogy.org    -     free resources
>                  for teachers of English as a second or foreign language
>
> _______________________________________________
> MediaWiki-l mailing list
> MediaWiki-l at lists.wikimedia.org
> http://lists.wikimedia.org/mailman/listinfo/mediawiki-l
>


-- 
Kasimir Gabert
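The failure mode described above, checked mechanically. This is an added Python example, not code from the thread or from MediaWiki: it scans a constructed LocalSettings.php fragment for the `?>` sequence, shows which lines would be emitted as page content if PHP mode ended at that point, and rewrites the spam regex so that `?` and `>` are no longer adjacent (escaping the `>` as `\>`, which PCRE and Python's `re` both treat as a literal `>`) while matching the same input. The sample config, the password placeholder and the test strings are all constructed for this example.

```python
"""Lint a PHP config fragment for '?>' and defang a regex that contains it."""
import re

# Constructed LocalSettings.php fragment (not the poster's real file).
# Credentials sit above the regex line, matching the situation in the thread.
SAMPLE_CONFIG = r'''<?php
$wgDBuser = "wikiuser";
$wgDBpassword = "PLACEHOLDER-NOT-A-REAL-PASSWORD";
$wgSpamRegex = "/(Tramadol|\<.*style.*?(display|position|overflow|visibility|height)\s*:.*?>)/i";
$wgEnableUploads = true;
'''

# The regex from the thread, as a PHP-style delimited pattern.
SPAM_REGEX = r"/(Tramadol|\<.*style.*?(display|position|overflow|visibility|height)\s*:.*?>)/i"

# Constructed wikitext samples: the first two should be caught, the rest should pass.
SAMPLES = [
    '<div style="display:none">hidden text</div>',
    'Cheap tramadol here',
    'A harmless paragraph with no markup.',
    '<a href="https://example.org">link</a>',
    '<p style="color:red">red</p>',
]


def find_close_tags(php_source):
    """Return (line, column) for every '?>' in the source, 1-indexed.

    The scan is deliberately context-free: a config file that never contains
    the sequence at all cannot fall into this trap, whatever the cause.
    """
    hits = []
    for lineno, line in enumerate(php_source.splitlines(), start=1):
        col = line.find("?>")
        while col != -1:
            hits.append((lineno, col + 1))
            col = line.find("?>", col + 2)
    return hits


def exposed_after_close_tag(php_source):
    """Text that would be sent to the browser as literal HTML if the first
    '?>' ended PHP mode; empty string when there is no '?>' at all."""
    idx = php_source.find("?>")
    return "" if idx == -1 else php_source[idx + 2:]


def split_close_tag(pattern):
    """Separate '?' and '>' by escaping the '>' ('.*?>' becomes '.*?\\>').

    '\\>' is a literal '>' in PCRE and in Python's re, so the pattern keeps
    its meaning but no longer contains the PHP close-tag sequence.
    """
    return pattern.replace("?>", r"?\>")


def php_regex_to_python(delimited):
    """Strip PHP's '/.../flags' delimiters and compile the body with re."""
    last = delimited.rfind("/")
    body, flags = delimited[1:last], delimited[last + 1:]
    return re.compile(body, re.IGNORECASE if "i" in flags else 0)


def same_verdicts(pattern_a, pattern_b, samples):
    """True when both patterns accept or reject every sample identically."""
    ra, rb = php_regex_to_python(pattern_a), php_regex_to_python(pattern_b)
    return all(bool(ra.search(s)) == bool(rb.search(s)) for s in samples)


def matching_samples(pattern, samples):
    """Which samples the spam filter would block."""
    rx = php_regex_to_python(pattern)
    return [s for s in samples if rx.search(s)]


if __name__ == "__main__":
    for line, col in find_close_tags(SAMPLE_CONFIG):
        print(f"'?>' at line {line}, column {col}")
    print("would be exposed:", repr(exposed_after_close_tag(SAMPLE_CONFIG)))
    fixed = split_close_tag(SPAM_REGEX)
    print("fixed regex:", fixed)
    print("still blocks:", matching_samples(fixed, SAMPLES))
```

Running the block reports the `?>` on the `$wgSpamRegex` line, shows that everything from that point to the end of the file (here `$wgEnableUploads`, but not the credentials above it) would be exposed, and confirms that the rewritten pattern blocks exactly the same samples as the original while containing no `?>`. The same `find_close_tags` check run over a real LocalSettings.php before deploying it is a cheap guard against this class of mistake.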


