
Possible vulnerability of Special:IncidentReports
Closed, Resolved, Public

Description

I'm actually not sure what it is, but I do know that the incident reports vandalized by 2600:387:5:80d::b4 cannot be fixed nor displayed due to

[b62f836f40daa03fc146c69a] 2019-05-24 11:15:03: Fatal exception of type "Error"

or something similar. I think this is some sort of vulnerability lying in the function, and thus should be fixed immediately. Thanks in advance.

Event Timeline

Paladox added a subscriber: Paladox. May 24 2019, 11:39

2019-05-24 10:23:21 mw1 metawiki: [9b27a4ecb41a43dbbd47bf8b] /wiki/Special:IncidentReports/11/edit ErrorException from line 641 of /srv/mediawiki/w/extensions/IncidentReporting/includes/IncidentReportingFormFactory.php: PHP Notice: A non well formed numeric value encountered

Paladox added a comment. May 24 2019, 12:02

Actually

2019-05-24 12:01:42 mw1 metawiki: [c564b622472bcff6f0f3ece4] /wiki/Special:IncidentReports/15/edit Error from line 56 of /srv/mediawiki/w/extensions/IncidentReporting/includes/IncidentReportingFormFactory.php: Call to a member function getId() on boolean

Paladox added a subscriber: John. May 24 2019, 12:10

I have a fix, but before I deploy it I would like to speak to @John about restricting access to IR to only people who need to write reports.

John closed this task as Resolved. May 24 2019, 14:58
John claimed this task.

Thank you for your reasonable disclosure.

This was caused by a lack of permissions checking in IncidentReporting which I have now fixed.

As usual, please continue to report (potential) security-related issues here.

Thanks,
John

John changed the visibility from "Custom Policy" to "Public (No Login Required)". May 24 2019, 14:58
John changed the edit policy from "Custom Policy" to "All Users".
John added a project: IncidentReporting.