Mailing List Archive: Wikipedia: Foundation

Security holes in Mediawiki



thekohser at gmail

Sep 15, 2009, 10:38 AM

Post #1 of 4 (654 views)
Security holes in Mediawiki

I was sort of surprised to learn today that Mediawiki software has had 37
security holes identified:

http://akahele.org/2009/09/false-sense-of-security/

Are most of these patched now, or are they still open? If still open, is
the Foundation making site & user security more of a priority in 2010?

--
Gregory Kohs
_______________________________________________
foundation-l mailing list
foundation-l [at] lists
Unsubscribe: https://lists.wikimedia.org/mailman/listinfo/foundation-l


george.herbert at gmail

Sep 15, 2009, 10:51 AM

Post #2 of 4 (608 views)
Re: Security holes in Mediawiki

On Tue, Sep 15, 2009 at 10:38 AM, Gregory Kohs <thekohser [at] gmail> wrote:
> I was sort of surprised to learn today that Mediawiki software has had 37
> security holes identified:
>
> http://akahele.org/2009/09/false-sense-of-security/
>
> Are most of these patched now, or are they still open?  If still open, is
> the Foundation making site & user security more of a priority in 2010?

From the report:
"Multiple cross-site scripting (XSS) vulnerabilities in the web-based
installer (config/index.php) in MediaWiki 1.6 before 1.6.12, 1.12
before 1.12.4, and 1.13 before 1.13.4, when the installer is in active
use, allow remote attackers to inject arbitrary web script or HTML via
unspecified vectors."

MediaWiki's current stable version is 1.15.1, which has been out for 2
months now. En.wikipedia.org is running on 1.16alpha.

There being security holes in software is a given. Them being there
negligently is an issue. But them being there is not. Holes in
software which is years old are not news - the newer versions have been
patched, appropriately and responsibly.

Are there issues with current MW? Sure. 26 open issues a la the raw
report above? No. That's an accumulation of issues in older
versions, which are either all or nearly all patched now.

MediaWiki is not felt by the wider open source or security communities
to be a particularly bad (or super strong) open source product. The
programming team is, however, very responsive to security issues... as
one has to be if one is running a top-10 internet site, because anyone
who can hack it will just for the cred.

This is not a nonissue - any open source dev team and any large
website ops team have to be focused on this as one of many high
priorities - but it's not a huge gotcha. It's not new, it's not big
news, and it's not surprising. Security holes (regretfully and
unfortunately) happen. Security is keeping up to date and fixing them
when they are discovered.


--
-george william herbert
george.herbert [at] gmail



midom.lists at gmail

Sep 15, 2009, 10:57 AM

Post #3 of 4 (614 views)
Re: Security holes in Mediawiki

Hello Gregory,

> I was sort of surprised to learn today that Mediawiki software has had 37
> security holes identified:


Why would you be surprised? It is web software that allows _most_
flexibility for its users; you can expect most problems because of
that, especially in the XSS area.
On the other hand, most of those identified vulnerabilities are ones
published about _after_ they get fixed and releases delivered.

You should probably ask about actual vulnerabilities in other mailing
lists, but it would be even better if you did some basic research
first. Posting walls of text to your blog and redirecting people there
isn't constructive.

And by the way, our site security is getting better and better; once
upon a time anyone could edit.

Domas



andrew.gray at dunelm

Sep 15, 2009, 10:59 AM

Post #4 of 4 (608 views)
Re: Security holes in Mediawiki

2009/9/15 Gregory Kohs <thekohser [at] gmail>:
> I was sort of surprised to learn today that Mediawiki software has had 37
> security holes identified:
>
> http://akahele.org/2009/09/false-sense-of-security/
>
> Are most of these patched now, or are they still open?  If still open, is
> the Foundation making site & user security more of a priority in 2010?

The most recent one (the only 2009 notice) which that blog links to is
explicitly resolved:

http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-0737
http://lists.wikimedia.org/pipermail/mediawiki-announce/2009-February/000083.html

Note that it was entered into the database on 25 February, two weeks
after the solution, and marked as not affecting the most recent release
version on the same day. Skimming down the list, it looks like most of
them are in the same boat -

CVE-2008-5688: "MediaWiki 1.8.1, and other versions before 1.13.3,
when the wgShowExceptionDetails variable is enabled..."

CVE-2008-5687: "MediaWiki 1.11, and other versions before 1.13.3, does
not properly protect against the download of backups of deleted
images..."

The database appears to record *known* problems in all versions of the
software, rather than just "open problems". I haven't checked each
one, but all the recent ones look solved, so I think we're safe - at
least, safe from the problems we know about, which is always the
important caveat!

--
- Andrew Gray
andrew.gray [at] dunelm

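Andrew's point is that the NVD entries record known problems across all versions, so the useful check for an operator is whether the version actually running falls inside an advisory's affected range. The advisory text quoted in post #2 ("1.6 before 1.6.12, 1.12 before 1.12.4, and 1.13 before 1.13.4") and in post #4 ("1.8.1, and other versions before 1.13.3") both use the same "branch before bound" phrasing. The script below is an added example, not code from this thread or from MediaWiki: it parses that NVD-style wording and reports which advisories still cover a given version. The function names (parse_version, is_affected, triage), the label "installer-xss" for the advisory whose CVE id the thread does not give, and the running versions it is tried against are my own constructions; the advisory strings are the ones quoted in the thread.

```python
import re
from typing import List, Optional, Tuple

# Added example (not from the thread or from MediaWiki): match a running
# version against NVD-style "affected versions" text such as
# "1.6 before 1.6.12, 1.12 before 1.12.4, and 1.13 before 1.13.4".

Version = Tuple[Tuple[int, ...], bool]  # (numeric parts, is_prerelease)

VERSION_TOKEN = re.compile(r"\d+(?:\.\d+)+")
BEFORE_CLAUSE = re.compile(r"(?:(\d+(?:\.\d+)*)\s+)?before\s+(\d+(?:\.\d+)*)")


def parse_version(text: str) -> Version:
    """'1.13.4' -> ((1, 13, 4), False); '1.16alpha' -> ((1, 16), True)."""
    m = re.match(r"(\d+(?:\.\d+)*)(.*)$", text.strip())
    if not m:
        raise ValueError(f"not a version string: {text!r}")
    nums = tuple(int(p) for p in m.group(1).split("."))
    return nums, bool(m.group(2))  # any suffix (alpha, beta, rc) = pre-release


def sort_key(v: Version):
    nums, pre = v
    padded = nums + (0,) * (4 - len(nums))  # 1.16 orders like 1.16.0
    return padded, 0 if pre else 1          # 1.16alpha sorts below 1.16


def in_branch(v: Version, branch: Tuple[int, ...]) -> bool:
    """True if the version's leading components equal the branch (1.13.2 is in 1.13)."""
    return v[0][: len(branch)] == branch


def parse_affected(advisory: str):
    """Split advisory text into 'before' ranges and explicitly listed versions.

    Returns ([(branch_or_None, upper_bound)], [explicit versions]).
    A clause without a branch ("other versions before 1.13.3") applies to all.
    """
    ranges: List[Tuple[Optional[Tuple[int, ...]], Version]] = []
    consumed: List[Tuple[int, int]] = []
    for m in BEFORE_CLAUSE.finditer(advisory):
        branch = tuple(int(p) for p in m.group(1).split(".")) if m.group(1) else None
        ranges.append((branch, parse_version(m.group(2))))
        consumed.append(m.span())
    explicit = [
        parse_version(t.group(0))
        for t in VERSION_TOKEN.finditer(advisory)
        if not any(s <= t.start() < e for s, e in consumed)
    ]
    return ranges, explicit


def is_affected(running: str, advisory: str) -> bool:
    v = parse_version(running)
    ranges, explicit = parse_affected(advisory)
    for branch, bound in ranges:
        if (branch is None or in_branch(v, branch)) and sort_key(v) < sort_key(bound):
            return True
    return any(sort_key(v) == sort_key(e) for e in explicit)


def triage(running: str, advisories: List[Tuple[str, str]]) -> List[str]:
    """IDs of the advisories whose affected ranges include `running`."""
    return [cve for cve, text in advisories if is_affected(running, text)]


# Advisory wording quoted in the thread. "installer-xss" is a placeholder label
# because the thread does not give that advisory's CVE id.
INSTALLER_XSS = (
    "Multiple cross-site scripting (XSS) vulnerabilities in the web-based "
    "installer (config/index.php) in MediaWiki 1.6 before 1.6.12, 1.12 "
    "before 1.12.4, and 1.13 before 1.13.4, when the installer is in active use"
)
ADVISORIES = [
    ("installer-xss", INSTALLER_XSS),
    ("CVE-2008-5688", "MediaWiki 1.8.1, and other versions before 1.13.3, "
                      "when the wgShowExceptionDetails variable is enabled..."),
    ("CVE-2008-5687", "MediaWiki 1.11, and other versions before 1.13.3, does "
                      "not properly protect against the download of backups of "
                      "deleted images..."),
]

if __name__ == "__main__":
    # Constructed running versions: the stable and alpha versions named in
    # post #2, plus an old release that every listed advisory still covers.
    for running in ("1.15.1", "1.16alpha", "1.13.2"):
        print(running, "->", triage(running, ADVISORIES) or "no matching advisories")
```

Pre-release suffixes are treated as older than the bare number (1.16alpha sorts below 1.16), which is the conservative choice when the bound itself is a final release; a version named only by itself ("1.8.1, and other versions...") is matched exactly as well as through the open-ended "before" clause.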
