
SecurityPolicy

Description

This project is used for tracking security related tasks (from TLS settings to system hardening, a broad scope). Tasks do not have to be private to qualify for this project's workboard. Please do not use this project as an access control list for security sensitive tasks, we have acl*security for that.

Members of this project are likely to be Miraheze's security contacts. A security contact can help you with information security related questions.

Recent Activity

Wed, Mar 27

OrangeStar changed the visibility for T11999: Leak of suppressed wiki requests via Special:RequestWikiQueue outside of Meta.
Wed, Mar 27, 20:05 · MediaWiki (SRE), OrangeStar, CreateWiki, Security
OrangeStar closed T11999: Leak of suppressed wiki requests via Special:RequestWikiQueue outside of Meta as Resolved.
Wed, Mar 27, 19:47 · MediaWiki (SRE), OrangeStar, CreateWiki, Security
OrangeStar claimed T11999: Leak of suppressed wiki requests via Special:RequestWikiQueue outside of Meta.
Wed, Mar 27, 19:04 · MediaWiki (SRE), OrangeStar, CreateWiki, Security
OrangeStar updated the task description for T11999: Leak of suppressed wiki requests via Special:RequestWikiQueue outside of Meta.
Wed, Mar 27, 17:16 · MediaWiki (SRE), OrangeStar, CreateWiki, Security
OrangeStar renamed T11999: Leak of suppressed wiki requests via Special:RequestWikiQueue outside of Meta from Leak of suppressed wiki requests via Special:RequestWikiQueue on outside of Meta to Leak of suppressed wiki requests via Special:RequestWikiQueue outside of Meta.
Wed, Mar 27, 16:55 · MediaWiki (SRE), OrangeStar, CreateWiki, Security
OrangeStar renamed T11999: Leak of suppressed wiki requests via Special:RequestWikiQueue outside of Meta from Leak of suppressed wiki requests via Special:RequestWikiQueue on non-Meta wikis to Leak of suppressed wiki requests via Special:RequestWikiQueue on outside of Meta.
Wed, Mar 27, 15:36 · MediaWiki (SRE), OrangeStar, CreateWiki, Security
OrangeStar added a comment to T11999: Leak of suppressed wiki requests via Special:RequestWikiQueue outside of Meta.

https://github.com/miraheze/CreateWiki/security/advisories/GHSA-4rcf-3cj2-46mq

Wed, Mar 27, 14:57 · MediaWiki (SRE), OrangeStar, CreateWiki, Security
OrangeStar created T11999: Leak of suppressed wiki requests via Special:RequestWikiQueue outside of Meta.
Wed, Mar 27, 14:03 · MediaWiki (SRE), OrangeStar, CreateWiki, Security

Tue, Mar 26

OrangeStar added a comment to T11993: CreateWiki suppression is broken.

GHSA published, CVE ID CVE-2024-29883 has been assigned to it.

Tue, Mar 26, 13:11 · MediaWiki (SRE), CreateWiki, OrangeStar, Security
OrangeStar added projects to T11993: CreateWiki suppression is broken: OrangeStar, CreateWiki, MediaWiki (SRE).
Tue, Mar 26, 12:24 · MediaWiki (SRE), CreateWiki, OrangeStar, Security
OrangeStar changed the visibility for T11993: CreateWiki suppression is broken.
Tue, Mar 26, 12:20 · MediaWiki (SRE), CreateWiki, OrangeStar, Security
OrangeStar closed T11993: CreateWiki suppression is broken as Resolved.
Tue, Mar 26, 11:50 · MediaWiki (SRE), CreateWiki, OrangeStar, Security
OrangeStar added a comment to T11993: CreateWiki suppression is broken.

Fixed. GHSA will be published shortly.

Tue, Mar 26, 11:50 · MediaWiki (SRE), CreateWiki, OrangeStar, Security
OrangeStar added a comment to T11993: CreateWiki suppression is broken.

https://github.com/miraheze/CreateWiki/security/advisories/GHSA-8wjf-mxjg-j8p9

Tue, Mar 26, 11:06 · MediaWiki (SRE), CreateWiki, OrangeStar, Security
OrangeStar updated the task description for T11993: CreateWiki suppression is broken.
Tue, Mar 26, 10:55 · MediaWiki (SRE), CreateWiki, OrangeStar, Security
OrangeStar created T11993: CreateWiki suppression is broken.
Tue, Mar 26, 10:54 · MediaWiki (SRE), CreateWiki, OrangeStar, Security

Sat, Mar 23

Universal_Omega lowered the priority of T10756: Graph disabled globally from Normal to Low.

Please raise back to 'normal' when this is no longer stalled.

Sat, Mar 23, 06:41 · Upstream, MediaWiki (SRE), Security

Mar 14 2024

Universal_Omega added a project to T11925: OrangeStar's LDAP account & Graylog access: Infrastructure (SRE).
Mar 14 2024, 19:32 · Infrastructure (SRE), Security
Universal_Omega changed the visibility for T11925: OrangeStar's LDAP account & Graylog access.
Mar 14 2024, 19:31 · Infrastructure (SRE), Security
Universal_Omega closed T11925: OrangeStar's LDAP account & Graylog access as Resolved.

I have removed other LDAP accounts' access.

Mar 14 2024, 19:30 · Infrastructure (SRE), Security

Mar 5 2024

Universal_Omega added a comment to T11925: OrangeStar's LDAP account & Graylog access.

Yes, in particular we need to investigate if it was disabled for John, Paladox, and Owen's LDAP accounts. So until then this should remain open.

Mar 5 2024, 17:50 · Infrastructure (SRE), Security
OrangeStar added a comment to T11925: OrangeStar's LDAP account & Graylog access.

Jank with the LDAP extension? Anyway, the reason this task was opened is solved now ig. However, @Universal_Omega said that other LDAP accounts should be investigated, so I guess this should be kept open or more likely, done in a separate maniphest task, since as a SWE I don't really have a need to know that information.

Mar 5 2024, 16:20 · Infrastructure (SRE), Security
MacFan4000 added a comment to T11925: OrangeStar's LDAP account & Graylog access.

I also don’t see users listed in my groups in preferences. Anyway, I’ve added you to the member group.

Mar 5 2024, 16:08 · Infrastructure (SRE), Security
MacFan4000 added a comment to T11925: OrangeStar's LDAP account & Graylog access.

Must be some sort of bug, since you should by default be a “User”.

Mar 5 2024, 16:03 · Infrastructure (SRE), Security
OrangeStar added a comment to T11925: OrangeStar's LDAP account & Graylog access.

image.png (377×1 px, 56 KB)

Mar 5 2024, 15:15 · Infrastructure (SRE), Security

Mar 4 2024

MacFan4000 updated subscribers of T11925: OrangeStar's LDAP account & Graylog access.
Mar 4 2024, 20:24 · Infrastructure (SRE), Security
MacFan4000 added a comment to T11925: OrangeStar's LDAP account & Graylog access.

Hmm according to https://ldapwiki.miraheze.org/wiki/Special:ListGroupRights logged in users have the read permission

Mar 4 2024, 20:17 · Infrastructure (SRE), Security
OrangeStar added a comment to T11925: OrangeStar's LDAP account & Graylog access.

Should grant me access to ldapwikiwiki then. It is a private wiki; other than viewing the main page, I can do literally nothing else (MacFan4000 removed the bureaucrat group from my LDAP account when I resigned, iirc).

Mar 4 2024, 18:30 · Infrastructure (SRE), Security
Universal_Omega added a comment to T11925: OrangeStar's LDAP account & Graylog access.

For the record, since you have an NDA and test151 access, I personally have no issue with you having Graylog/Ldap access, but this is an issue since offboarding seems to have not been done correctly and this is something we should review for other ldap accounts as well.

Mar 4 2024, 17:15 · Infrastructure (SRE), Security
OrangeStar updated the task description for T11925: OrangeStar's LDAP account & Graylog access.
Mar 4 2024, 15:15 · Infrastructure (SRE), Security
OrangeStar created T11925: OrangeStar's LDAP account & Graylog access.
Mar 4 2024, 15:14 · Infrastructure (SRE), Security

Feb 10 2024

Universal_Omega moved T11812: Numerous confirmed XSS in ManageWiki from Backlog to Bugs on the ManageWiki board.
Feb 10 2024, 17:20 · ManageWiki, MediaWiki (SRE), Security
Universal_Omega moved T11812: Numerous confirmed XSS in ManageWiki from Backlog to Short Term on the MediaWiki (SRE) board.
Feb 10 2024, 17:19 · ManageWiki, MediaWiki (SRE), Security
Universal_Omega changed the visibility for T11812: Numerous confirmed XSS in ManageWiki.
Feb 10 2024, 17:19 · ManageWiki, MediaWiki (SRE), Security

Feb 9 2024

OrangeStar closed T11812: Numerous confirmed XSS in ManageWiki as Resolved.
Feb 9 2024, 21:31 · ManageWiki, MediaWiki (SRE), Security
OrangeStar added a comment to T11812: Numerous confirmed XSS in ManageWiki.

Security advisory is now published. This task should be good for opening to the public now. For those reading this, we actually found some more XSS vectors when deploying the fixes to prod, so we actually have multiple patches in the GHSA for this one.

Feb 9 2024, 21:31 · ManageWiki, MediaWiki (SRE), Security
OrangeStar claimed T11812: Numerous confirmed XSS in ManageWiki.
Feb 9 2024, 21:16 · ManageWiki, MediaWiki (SRE), Security
OrangeStar placed T11812: Numerous confirmed XSS in ManageWiki up for grabs.

I just realized it will be better to just leave deploying the fixes to someone with access to mwtask181. Removing myself as assignee as my part is done, I think.

Feb 9 2024, 14:58 · ManageWiki, MediaWiki (SRE), Security
OrangeStar added a comment to T11812: Numerous confirmed XSS in ManageWiki.

I've set confidentiality to high, since you could read private ManageWiki settings (for example, the Discord webhook for wikis using that extension) with XSS on those pages.

Feb 9 2024, 12:22 · ManageWiki, MediaWiki (SRE), Security
OrangeStar added a comment to T11812: Numerous confirmed XSS in ManageWiki.

https://github.com/miraheze/ManageWiki/security/advisories/GHSA-4jr2-jhfm-2r84

Feb 9 2024, 12:00 · ManageWiki, MediaWiki (SRE), Security
OrangeStar added a comment to T11812: Numerous confirmed XSS in ManageWiki.

I'm going to create a new draft GHSA, GitHub got bugged and thinks there are no changes waiting to be merged from the private fork sigh.

Feb 9 2024, 11:42 · ManageWiki, Security, MediaWiki (SRE)
MacFan4000 changed the edit policy for T11814: Confirmed XSS in WikiDiscover.
Feb 9 2024, 01:26 · WikiDiscover, Security, MediaWiki (SRE)

Feb 8 2024

Universal_Omega changed the visibility for T11814: Confirmed XSS in WikiDiscover.
Feb 8 2024, 20:32 · WikiDiscover, Security, MediaWiki (SRE)
OrangeStar closed T11814: Confirmed XSS in WikiDiscover as Resolved.

https://github.com/miraheze/WikiDiscover/security/advisories/GHSA-cfcf-94jv-455f is now published and the fix is live on the latest master. I believe this task is now good for opening to the public.

Feb 8 2024, 20:27 · WikiDiscover, Security, MediaWiki (SRE)
Universal_Omega added a comment to T11814: Confirmed XSS in WikiDiscover.
Feb 8 2024, 19:59 · WikiDiscover, Security, MediaWiki (SRE)
OrangeStar claimed T11814: Confirmed XSS in WikiDiscover.

Fix for this one is pretty simple. @Universal_Omega I will need you to give me permission to make security advisories on WikiDiscover as well.

Feb 8 2024, 19:58 · WikiDiscover, Security, MediaWiki (SRE)
OrangeStar added a comment to T11814: Confirmed XSS in WikiDiscover.

<td class="TablePager_col_wiki_dbname"><a href="https://semantic-mediawiki.mirabeta.org">Semantic MediaWiki</a></td>
<td class="TablePager_col_wiki_language">English</td>
<td class="TablePager_col_wiki_closed">Open</td>
<td class="TablePager_col_wiki_private">Public</td>
<td class="TablePager_col_wiki_category">Software/Computing</td>
<td class="TablePager_col_wiki_creation">28 <script>alert('january')</script>"><script>alert('january')</script><x y="() 2022</td>
<td class="TablePager_col_wiki_description"> </td>

Feb 8 2024, 19:41 · WikiDiscover, Security, MediaWiki (SRE)
OrangeStar added a comment to T11812: Numerous confirmed XSS in ManageWiki.

Security advisory draft (https://github.com/miraheze/ManageWiki/security/advisories/GHSA-42fh-6pcr-3j58) is ready; all the changes have been made to the private fork, if I'm not missing anything. Waiting for an SRE to review everything and give me the okay (or merge the changes themselves) so that they can double check my work and we can deploy the fixes to production as soon as possible.

Feb 8 2024, 11:14 · ManageWiki, Security, MediaWiki (SRE)
Universal_Omega added a comment to T11812: Numerous confirmed XSS in ManageWiki.

Please do a security merge, not a normal PR; it should be fairly easy to do security with GitHub.

Feb 8 2024, 10:28 · ManageWiki, Security, MediaWiki (SRE)
OrangeStar added a comment to T11812: Numerous confirmed XSS in ManageWiki.

I think I'm good to go to squash all of these and make a PR.

Feb 8 2024, 10:25 · ManageWiki, Security, MediaWiki (SRE)