
Security
Active · Public

Members

  • This project does not have any members.

Watchers

  • This project does not have any watchers.

Details

Description

This project is used for tracking security-related tasks (from TLS settings to system hardening: a broad scope). Tasks do not have to be private to qualify for this project's workboard. Please do not use this project as an access control list for security-sensitive tasks; we have acl*security for that.

Members of this project are likely to be Miraheze's security contacts. A security contact can help you with information security related questions.

Recent Activity

Sat, Feb 10

Universal_Omega moved T11812: Numerous confirmed XSS in ManageWiki from Backlog to Bugs on the ManageWiki board.
Sat, Feb 10, 17:20 · ManageWiki, Security, MediaWiki (SRE)
Universal_Omega moved T11812: Numerous confirmed XSS in ManageWiki from Backlog to Short Term on the MediaWiki (SRE) board.
Sat, Feb 10, 17:19 · ManageWiki, Security, MediaWiki (SRE)
Universal_Omega changed the visibility for T11812: Numerous confirmed XSS in ManageWiki.
Sat, Feb 10, 17:19 · ManageWiki, Security, MediaWiki (SRE)

Fri, Feb 9

OrangeStar closed T11812: Numerous confirmed XSS in ManageWiki as Resolved.
Fri, Feb 9, 21:31 · ManageWiki, Security, MediaWiki (SRE)
OrangeStar added a comment to T11812: Numerous confirmed XSS in ManageWiki.

Security advisory is now published. This task should be good for opening to the public now. For those reading this, we actually found some more XSS vectors when deploying the fixes to prod, so we actually have multiple patches in the GHSA for this one.

Fri, Feb 9, 21:31 · ManageWiki, Security, MediaWiki (SRE)
OrangeStar claimed T11812: Numerous confirmed XSS in ManageWiki.
Fri, Feb 9, 21:16 · ManageWiki, Security, MediaWiki (SRE)
OrangeStar placed T11812: Numerous confirmed XSS in ManageWiki up for grabs.

I just realized it will be better to just leave deploying the fixes to someone with access to mwtask181. Removing myself as assignee as my part is done, I think.

Fri, Feb 9, 14:58 · ManageWiki, Security, MediaWiki (SRE)
OrangeStar added a comment to T11812: Numerous confirmed XSS in ManageWiki.

I've set confidentiality to high, since you could read private ManageWiki settings (for example, the Discord webhook for wikis using that extension) with XSS on those pages.

Fri, Feb 9, 12:22 · ManageWiki, Security, MediaWiki (SRE)
OrangeStar added a comment to T11812: Numerous confirmed XSS in ManageWiki.

https://github.com/miraheze/ManageWiki/security/advisories/GHSA-4jr2-jhfm-2r84

Fri, Feb 9, 12:00 · ManageWiki, Security, MediaWiki (SRE)
OrangeStar added a comment to T11812: Numerous confirmed XSS in ManageWiki.

I'm going to create a new draft GHSA, GitHub got bugged and thinks there are no changes waiting to be merged from the private fork, sigh.

Fri, Feb 9, 11:42 · ManageWiki, Security, MediaWiki (SRE)
MacFan4000 changed the edit policy for T11814: Confirmed XSS in WikiDiscover.
Fri, Feb 9, 01:26 · WikiDiscover, Security, MediaWiki (SRE)

Thu, Feb 8

Universal_Omega changed the visibility for T11814: Confirmed XSS in WikiDiscover.
Thu, Feb 8, 20:32 · WikiDiscover, Security, MediaWiki (SRE)
OrangeStar closed T11814: Confirmed XSS in WikiDiscover as Resolved.

https://github.com/miraheze/WikiDiscover/security/advisories/GHSA-cfcf-94jv-455f is now published and the fix is live on the latest master. I believe this task is now good for opening to the public.

Thu, Feb 8, 20:27 · WikiDiscover, Security, MediaWiki (SRE)
Universal_Omega added a comment to T11814: Confirmed XSS in WikiDiscover.

Fix for this one is pretty simple. @Universal_Omega I will need you to give me permission to make security advisories on WikiDiscover as well.

Thu, Feb 8, 19:59 · WikiDiscover, Security, MediaWiki (SRE)
OrangeStar claimed T11814: Confirmed XSS in WikiDiscover.

Fix for this one is pretty simple. @Universal_Omega I will also need you to give me permission to make security advisories on WikiDiscover.

Thu, Feb 8, 19:58 · WikiDiscover, Security, MediaWiki (SRE)
OrangeStar added a comment to T11814: Confirmed XSS in WikiDiscover.

<td class="TablePager_col_wiki_dbname"><a href="https://semantic-mediawiki.mirabeta.org">Semantic MediaWiki</a></td>
<td class="TablePager_col_wiki_language">English</td>
<td class="TablePager_col_wiki_closed">Open</td>
<td class="TablePager_col_wiki_private">Public</td>
<td class="TablePager_col_wiki_category">Software/Computing</td>
<td class="TablePager_col_wiki_creation">28 <script>alert('january')</script>"><script>alert('january')</script><x y="() 2022</td>
<td class="TablePager_col_wiki_description"> </td>

Thu, Feb 8, 19:41 · WikiDiscover, Security, MediaWiki (SRE)
OrangeStar added a comment to T11812: Numerous confirmed XSS in ManageWiki.

Security advisory draft (https://github.com/miraheze/ManageWiki/security/advisories/GHSA-42fh-6pcr-3j58) is ready; all the changes have been made to the private fork, if I'm not missing anything. Waiting for an SRE to review everything and give me the okay (or merge the changes themselves) so that they can double-check my work and we can deploy the fixes to production as soon as possible.

Thu, Feb 8, 11:14 · ManageWiki, Security, MediaWiki (SRE)
Universal_Omega added a comment to T11812: Numerous confirmed XSS in ManageWiki.

Please do a security merge, not a normal PR; it should be fairly easy to do security with GitHub.

Thu, Feb 8, 10:28 · ManageWiki, Security, MediaWiki (SRE)
OrangeStar added a comment to T11812: Numerous confirmed XSS in ManageWiki.

I think I'm good to go to squash all of these and make a PR.

Thu, Feb 8, 10:25 · ManageWiki, Security, MediaWiki (SRE)
OrangeStar added a comment to T11812: Numerous confirmed XSS in ManageWiki.

Thu, Feb 8, 10:20 · ManageWiki, Security, MediaWiki (SRE)
Universal_Omega added a comment to T11812: Numerous confirmed XSS in ManageWiki.

Adding all the messages that have an issue to wgRawHtmlMessages is a mitigation to this, but it might be too complex with too many at this time.

Thu, Feb 8, 10:06 · ManageWiki, Security, MediaWiki (SRE)
OrangeStar added a comment to T11812: Numerous confirmed XSS in ManageWiki.

@Universal_Omega You mean making the help messages in MWS.php, like https://github.com/miraheze/mw-config/blob/master/ManageWikiSettings.php#L109, interface messages? Because if so that looks like a complex rewrite. Also, all of those messages as well as managewiki-requires, managewiki-conflicts, and all the various right-* messages from core that are also XSS vectors in the permissions subpage must be added to wgRawHtmlMessages. We can do that, if you want, but after this.

Thu, Feb 8, 09:51 · ManageWiki, Security, MediaWiki (SRE)
OrangeStar added a comment to T11812: Numerous confirmed XSS in ManageWiki.
Thu, Feb 8, 09:34 · ManageWiki, Security, MediaWiki (SRE)

Wed, Feb 7

Universal_Omega added a comment to T11812: Numerous confirmed XSS in ManageWiki.

I think what we should do is allow raw messages in MWS to be defined in config, and if they are, add them to $wgRawHtmlMessages, which prevents true security vulnerabilities by requiring not only editinterface but also the same rights as editsitecss/js, which would mean absolutely no difference from Common.js, etc...

Wed, Feb 7, 21:09 · ManageWiki, Security, MediaWiki (SRE)
OrangeStar added a comment to T11812: Numerous confirmed XSS in ManageWiki.

Yeah there's no way my last patch is right.

Wed, Feb 7, 20:07 · ManageWiki, Security, MediaWiki (SRE)
OrangeStar added a comment to T11812: Numerous confirmed XSS in ManageWiki.

Wed, Feb 7, 19:48 · ManageWiki, Security, MediaWiki (SRE)
Universal_Omega added a comment to T11812: Numerous confirmed XSS in ManageWiki.

Confirmed in Special:ManageWikiDefaultPermissions also.

Wed, Feb 7, 19:47 · ManageWiki, Security, MediaWiki (SRE)
Universal_Omega updated subscribers of T11814: Confirmed XSS in WikiDiscover.
Wed, Feb 7, 19:40 · WikiDiscover, Security, MediaWiki (SRE)
Universal_Omega created T11814: Confirmed XSS in WikiDiscover.
Wed, Feb 7, 19:40 · WikiDiscover, Security, MediaWiki (SRE)
OrangeStar added a comment to T11812: Numerous confirmed XSS in ManageWiki.

New patch superseding the other patch. Only thing missing is I think the XSS on the permissions subpage, which seems a bit more complex.

Wed, Feb 7, 19:34 · ManageWiki, Security, MediaWiki (SRE)
OrangeStar added a comment to T11812: Numerous confirmed XSS in ManageWiki.

Also, just to clarify my previous message.

Wed, Feb 7, 19:09 · ManageWiki, Security, MediaWiki (SRE)
OrangeStar claimed T11812: Numerous confirmed XSS in ManageWiki.

I think I know what is causing this, so I'll try to get this fixed tomorrow at the latest.

Wed, Feb 7, 19:06 · ManageWiki, Security, MediaWiki (SRE)
OrangeStar added a comment to T11812: Numerous confirmed XSS in ManageWiki.

Assuming that patch fixes that for the extensions subpage, I can more or less make a theory (the form descriptor is passed around through so many functions that it is hard to keep track).

Wed, Feb 7, 18:58 · ManageWiki, Security, MediaWiki (SRE)
OrangeStar added a comment to T11812: Numerous confirmed XSS in ManageWiki.

Looking at meta.miraheze.org, that is indeed supposed to be the "label" (it is not actually a label HTML element).

Wed, Feb 7, 18:42 · ManageWiki, Security, MediaWiki (SRE)
OrangeStar added a comment to T11812: Numerous confirmed XSS in ManageWiki.

https://github.com/miraheze/ManageWiki/blob/75510297a32ed8881c98212f29001d226f0a833e/includes/FormFactory/ManageWikiFormFactoryBuilder.php#L269 where required and conflicting extensions are added to the form.

Wed, Feb 7, 18:29 · ManageWiki, Security, MediaWiki (SRE)
OrangeStar added a comment to T11812: Numerous confirmed XSS in ManageWiki.

/extensions and /settings confirmed busted. /core doesn't give any alerts.

Wed, Feb 7, 17:50 · ManageWiki, Security, MediaWiki (SRE)
Universal_Omega updated the task description for T11812: Numerous confirmed XSS in ManageWiki.
Wed, Feb 7, 17:49 · ManageWiki, Security, MediaWiki (SRE)
Universal_Omega updated subscribers of T11812: Numerous confirmed XSS in ManageWiki.
Wed, Feb 7, 17:46 · ManageWiki, Security, MediaWiki (SRE)
Universal_Omega created T11812: Numerous confirmed XSS in ManageWiki.
Wed, Feb 7, 17:45 · ManageWiki, Security, MediaWiki (SRE)

Dec 31 2023

Redmin merged T11584: Score extension enabling into T5863: Re-enable score/Lillypond with Shellbox after security issues.
Dec 31 2023, 15:40 · Puppet, Configuration, MediaWiki (SRE), Security

Dec 20 2023

Paladox added a comment to T11549: Getting spam emails via Special:Contact.

I enabled captcha and changed the title to > 'Contact Form on ' . $wgSitename

Dec 20 2023, 13:05 · MediaWiki (SRE), MediaWiki
Legroom created T11549: Getting spam emails via Special:Contact.
Dec 20 2023, 10:16 · MediaWiki (SRE), MediaWiki

Nov 11 2023

Psephomancy added a comment to T10756: Graph disabled globally.

Looks like we can take the code between the <graph> tags and paste it into the old editor to generate PNG or SVG: https://vega.github.io/vega-editor/?mode=vega

Nov 11 2023, 14:21 · Upstream, MediaWiki (SRE), Security
Psephomancy added a comment to T10756: Graph disabled globally.

This also provides a tracking category "Category:Pages with disabled graphs" showing the pages that used to contain graphs. [...]

Nov 11 2023, 14:11 · Upstream, MediaWiki (SRE), Security
Psephomancy added a comment to T10756: Graph disabled globally.

https://en.wikipedia.org/wiki/Wikipedia:Village_pump_(technical)/Archive_205#Graph_extension_disabled_per_immediate_effect

Nov 11 2023, 14:05 · Upstream, MediaWiki (SRE), Security
RhinosF1 added a comment to T10756: Graph disabled globally.

No, it has significant security issues

Nov 11 2023, 13:50 · Upstream, MediaWiki (SRE), Security
Psephomancy added a comment to T10756: Graph disabled globally.

Is there at least some wiki where it's enabled so that we can paste the code and take screenshots and replace the broken graphs?

Nov 11 2023, 13:49 · Upstream, MediaWiki (SRE), Security
Redmin merged T11401: Graph extension not working on Electowiki into T10756: Graph disabled globally.
Nov 11 2023, 04:53 · Upstream, MediaWiki (SRE), Security

Aug 6 2023

Redmin changed the status of T10756: Graph disabled globally from Open to Stalled.
Aug 6 2023, 14:42 · Upstream, MediaWiki (SRE), Security

Jul 7 2023

Agent_Isai lowered the priority of T10756: Graph disabled globally from High to Normal.
Jul 7 2023, 20:02 · Upstream, MediaWiki (SRE), Security