
Possible vulnerability of Special:IncidentReports
Closed, Resolved | Public


I'm actually not sure what it is, but I do know that the incident reports vandalized by 2600:387:5:80d::b4 cannot be fixed nor displayed due to

[b62f836f40daa03fc146c69a] 2019-05-24 11:15:03: Fatal exception of type "Error"

or something alike. I think this is some sort of vulnerability lying in the function, and thus should be fixed immediately. Thanks in advance.

Event Timeline

Paladox added a subscriber: Paladox. May 24 2019, 11:39

2019-05-24 10:23:21 mw1 metawiki: [9b27a4ecb41a43dbbd47bf8b] /wiki/Special:IncidentReports/11/edit ErrorException from line 641 of /srv/mediawiki/w/extensions/IncidentReporting/includes/IncidentReportingFormFactory.php: PHP Notice: A non well formed numeric value encountered

Paladox added a comment. May 24 2019, 12:02


2019-05-24 12:01:42 mw1 metawiki: [c564b622472bcff6f0f3ece4] /wiki/Special:IncidentReports/15/edit Error from line 56 of /srv/mediawiki/w/extensions/IncidentReporting/includes/IncidentReportingFormFactory.php: Call to a member function getId() on boolean

Paladox added a subscriber: John. May 24 2019, 12:10

I have a fix, but before I deploy it I would like to speak to @John about restricting access to IR to only people who need to write reports.

John closed this task as Resolved. May 24 2019, 14:58
John claimed this task.

Thank you for your reasonable disclosure.

This was caused by a lack of permissions checking in IncidentReporting which I have now fixed.

As usual, please continue to report (potential) security-related issues here.


John changed the visibility from "Custom Policy" to "Public (No Login Required)". May 24 2019, 14:58
John changed the edit policy from "Custom Policy" to "All Users".
John added a project: IncidentReporting.
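
An added example, not code from the IncidentReporting extension or from this task: a standalone PHP model of a handler for subpages such as "11/edit" that authorizes before doing anything else, then guards the two failure modes visible in the log lines above (a non-numeric value used as a number, and a lookup that returns a boolean). The right names, the user groups, the function names, the sample data and the idea that the report id is the value being parsed are all assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Constructed stand-ins for the report table and for user rights (hypothetical names).
const REPORTS = [11 => ['id' => 11, 'title' => 'Sample outage report']];
const RIGHTS  = ['staff' => ['view-report', 'edit-report'], 'anon' => ['view-report']];

/** Returns the report row, or false when no such report exists. */
function loadReport(int $id) {
    return REPORTS[$id] ?? false;
}

/**
 * Decide what to do with a subpage such as "11/edit".
 * Returns [HTTP-style status, message] and never raises on bad input.
 */
function handleSubpage(string $subpage, string $userGroup): array {
    $parts  = explode('/', $subpage, 2);
    $idPart = $parts[0];
    $action = $parts[1] ?? 'view';
    if (!in_array($action, ['view', 'edit'], true)) {
        return [404, 'unknown action'];
    }

    // 1. Authorize first, so an unprivileged request never reaches the code below.
    $needed = $action === 'edit' ? 'edit-report' : 'view-report';
    if (!in_array($needed, RIGHTS[$userGroup] ?? [], true)) {
        return [403, 'permission denied'];
    }

    // 2. Accept digits only; a string like "11abc" must not be coerced to a number.
    if (!ctype_digit($idPart)) {
        return [400, 'invalid report id'];
    }

    // 3. The lookup can fail; check for false before using the result.
    $report = loadReport((int)$idPart);
    if ($report === false) {
        return [404, 'no such report'];
    }
    return [200, "$action report {$report['id']}"];
}

// Constructed requests: allowed edit, denied edit, malformed id, missing report.
$cases = [['11/edit', 'staff'], ['11/edit', 'anon'], ['11abc/edit', 'staff'], ['15/edit', 'staff']];
foreach ($cases as [$sub, $grp]) {
    [$code, $msg] = handleSubpage($sub, $grp);
    printf("%-12s %-6s -> %d %s\n", $sub, $grp, $code, $msg);
}
```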