
Graph disabled globally
Open, Stalled, LowPublic

Description

Tracking task per https://lists.wikimedia.org/hyperkitty/list/[email protected]/thread/EWL4AGBEZEDMNNFTM4FRD4MHOU3CVESO and WMF Phabricator task https://phabricator.wikimedia.org/T334940 (public version of private task T334895)

Today it was identified that the Graph extension, which uses the older Vega 1 & Vega 2 libraries, had a number of security vulnerabilities.

In the interest of the security of our users, the Graph extension was disabled on Wikimedia wikis. [...]

We recommend that any other third party users of the Graph extension should disable the use of that extension on their wikis.

A configuration change will suppress the exposed raw tags and graph json definition to avoid excess disruption to the end user experience when the extension is disabled. [2] This also provides a tracking category "Category:Pages with disabled graphs" showing the pages that used to contain graphs. [...]

MediaWiki.org page for Graph also suggests it be disabled.

Graph has been disabled globally in https://github.com/miraheze/mw-config/pull/5203 and a user notice placed in https://meta.miraheze.org/wiki/Tech:SRE_noticeboard#Graph_disabled

No details on how to exploit this have been released to the public so we don't know what exactly is the issue apart from a library vulnerability.

Event Timeline

Unknown Object (User) created this task. Apr 19 2023, 01:15

Don't we all love responsible disclosure? We can't even investigate this.

https://www.mediawiki.org/wiki/User:Legoktm wrote on https://www.mediawiki.org/wiki/Extension:Graph that the vulnerability is Cross-Site Scripting, which in the context of MediaWiki would mean that regular users without interface-admin can use the extension for sending arbitrary JavaScript to users. Compromised stuff includes session cookies and the ability to do almost whatever with the accounts.

Assuming that is correct, malicious actors could have used the extension to do whatever short of compromising stuff like passwords and TOTP secrets, as we don't load any of this stuff on restricted pages, but could have changed passwords and the such apparently (https://www.mediawiki.org/w/api.php?action=help&modules=changeauthenticationdata).

I would also like to note that I'm going off the default description for their XSS template. It could be a different way to deliver arbitrary JS to users instead of writing JavaScript directly in the article.

Unknown Object (User) removed a subscriber: OrangeStar. May 9 2023, 16:12
Unknown Object (User) lowered the priority of this task from High to Normal. Jul 7 2023, 20:02
Unknown Object (User) changed the visibility from "Custom Policy" to "Public (No Login Required)".
Unknown Object (User) changed the edit policy from "Custom Policy" to "All Users".
Redmin changed the task status from Open to Stalled. Aug 6 2023, 14:42
Redmin added a project: Upstream.

Is there at least some wiki where it's enabled so that we can paste the code and take screenshots and replace the broken graphs?

No, it has significant security issues.

This also provides a tracking category "Category:Pages with disabled graphs" showing the pages that used to contain graphs. [...]

This doesn't seem to be working? https://electowiki.org/wiki/Category:Pages_with_disabled_graphs is empty.

Looks like we can take the code between the <graph> tags and paste it into the old editor to generate PNG or SVG: https://vega.github.io/vega-editor/?mode=vega
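To inventory which pages still embed `<graph>` blocks (useful when the tracking category is empty, as reported above) and to pull each block's JSON out for pasting into the Vega editor, here is an added Python example. It is not code from the Graph extension, from mw-config or from this task; the sample pages are constructed.

```python
import json
import re

# Matches one <graph ...>...</graph> block in wikitext (case-insensitive, spans lines).
GRAPH_TAG = re.compile(r"<graph\b([^>]*)>(.*?)</graph\s*>", re.IGNORECASE | re.DOTALL)


def extract_graph_specs(wikitext):
    """Return one record per <graph> block in a page's wikitext.

    Each record holds the raw tag attributes, the parsed Vega spec (or None)
    and a parse error message when the tag body was not valid JSON.
    """
    records = []
    for index, match in enumerate(GRAPH_TAG.finditer(wikitext)):
        attrs, body = match.group(1).strip(), match.group(2).strip()
        record = {"index": index, "attrs": attrs, "spec": None, "error": None}
        try:
            record["spec"] = json.loads(body)
        except json.JSONDecodeError as exc:
            record["error"] = str(exc)
        records.append(record)
    return records


def pages_with_graphs(pages):
    """Given {title: wikitext}, return the titles that still embed a <graph> tag."""
    return sorted(title for title, text in pages.items() if GRAPH_TAG.search(text))


# Constructed sample pages (not taken from any real wiki).
SAMPLE_PAGES = {
    "Election results": (
        "Turnout by year:\n"
        '<graph mode="interactive">\n'
        '{"version": 2, "width": 200, "height": 100, "data": [{"name": "t", "values": [1, 2]}]}\n'
        "</graph>\n"
    ),
    "Broken chart": "<GRAPH>{not json}</GRAPH>",
    "Plain page": "No charts here.",
}

if __name__ == "__main__":
    for title in pages_with_graphs(SAMPLE_PAGES):
        for rec in extract_graph_specs(SAMPLE_PAGES[title]):
            if rec["error"] is not None:
                print(f"{title} [graph {rec['index']}] invalid JSON: {rec['error']}")
            else:
                # Pretty-printed spec, ready to paste into the Vega editor.
                print(f"{title} [graph {rec['index']}]\n{json.dumps(rec['spec'], indent=2)}")
```

Running it over a wikitext dump instead of `SAMPLE_PAGES` gives a page list to compare against the tracking category.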

Universal_Omega lowered the priority of this task from Normal to Low. Mar 23 2024, 06:41
Universal_Omega subscribed.

Please raise back to 'normal' when this is no longer stalled.