
Fri, Jul 12

John claimed T4468: Verify if PageDisqus has reflective XSS.
Fri, Jul 12, 14:06 · Security, Extension-Review
John closed T4468: Verify if PageDisqus has reflective XSS as Invalid.

No XSS.

Fri, Jul 12, 14:05 · Security, Extension-Review

Thu, Jul 4

AmandaCath added a comment to T4196: stunnel not verifying backend certificates?.

Obviously just seeing this now... @NDKilla one of the conditions in my Herald rule is to automatically add my project tag to any task that is UBN priority.

Thu, Jul 4, 00:24 · Security

Wed, Jul 3

Southparkfan changed the visibility for T4196: stunnel not verifying backend certificates?.
Wed, Jul 3, 23:26 · Security
Southparkfan closed T4196: stunnel not verifying backend certificates? as Declined.

Non-existent issue.

Wed, Jul 3, 18:31 · Security

Jun 13 2019

Southparkfan created T4468: Verify if PageDisqus has reflective XSS.
Jun 13 2019, 22:31 · Security, Extension-Review

May 24 2019

John added a project to T4415: Possible vulnerability of Special:IncidentReports: IncidentReporting.
May 24 2019, 14:58 · IncidentReporting, Security
John closed T4415: Possible vulnerability of Special:IncidentReports as Resolved.

Thank you for your reasonable disclosure.

May 24 2019, 14:58 · IncidentReporting, Security
Paladox updated subscribers of T4415: Possible vulnerability of Special:IncidentReports.

I have a fix, but before I deploy it I would like to speak to @John about restricting access to IR to only people who need to write reports.

May 24 2019, 12:10 · IncidentReporting, Security
Paladox added a comment to T4415: Possible vulnerability of Special:IncidentReports.

2019-05-24 12:01:42 mw1 metawiki: [c564b622472bcff6f0f3ece4] /wiki/Special:IncidentReports/15/edit Error from line 56 of /srv/mediawiki/w/extensions/IncidentReporting/includes/IncidentReportingFormFactory.php: Call to a member function getId() on boolean

May 24 2019, 12:02 · IncidentReporting, Security
Paladox added a comment to T4415: Possible vulnerability of Special:IncidentReports.

2019-05-24 10:23:21 mw1 metawiki: [9b27a4ecb41a43dbbd47bf8b] /wiki/Special:IncidentReports/11/edit ErrorException from line 641 of /srv/mediawiki/w/extensions/IncidentReporting/includes/IncidentReportingFormFactory.php: PHP Notice: A non well formed numeric value encountered

May 24 2019, 11:39 · IncidentReporting, Security
The_Pioneer created T4415: Possible vulnerability of Special:IncidentReports.
May 24 2019, 11:17 · IncidentReporting, Security

May 23 2019

Southparkfan removed a member for Security: MacFan4000.
May 23 2019, 22:45

May 20 2019

John added a comment to T4005: Execute external commands on MediaWiki servers inside sandboxes.

It’s a task related to security but not exploitable because we review all extensions to minimise all risks.

May 20 2019, 18:11 · Operations, Security, MediaWiki
AmandaCath added a comment to T4005: Execute external commands on MediaWiki servers inside sandboxes.

Why do we have a task flagged as a security issue that is public? Should the tag be removed, or should this task be hidden?

May 20 2019, 17:53 · Operations, Security, MediaWiki

May 14 2019

John closed T4004: Replace exec statements with Shell::command (MediaWiki's Shell Framework), a subtask of T4005: Execute external commands on MediaWiki servers inside sandboxes, as Resolved.
May 14 2019, 22:10 · Operations, Security, MediaWiki

May 11 2019

John changed the edit policy for T4358: Wiki owner/crat can gain oversight access.
May 11 2019, 10:18 · Security
John closed T4358: Wiki owner/crat can gain oversight access as Resolved.

Thank you for bringing this to our attention responsibly. The issue has now been fixed with https://github.com/miraheze/mw-config/commit/c934d439fa13624148b5c7e4570fabb097a73919.

May 11 2019, 10:18 · Security
Bonnedav created T4358: Wiki owner/crat can gain oversight access.
May 11 2019, 09:18 · Security

May 1 2019

John changed the edit policy for T4306: DiscordNotifications publishes items from the suppressionlog.
May 1 2019, 00:53 · Upstream, Security
John closed T4306: DiscordNotifications publishes items from the suppressionlog as Resolved.
May 1 2019, 00:48 · Upstream, Security

Apr 26 2019

John closed T4322: Enable Support for TLSv1.3 as Resolved.

In theory we do. Task requires no action, will be resolved automatically with time.

Apr 26 2019, 21:02 · Operations, MacFan4000
Paladox added a comment to T4322: Enable Support for TLSv1.3.

Yup, hence " (but it's not used due to the openssl version we have)." :)

Apr 26 2019, 18:14 · Operations, MacFan4000
MacFan4000 changed the edit policy for T4322: Enable Support for TLSv1.3.
Apr 26 2019, 18:10 · Operations, MacFan4000
MacFan4000 added a comment to T4322: Enable Support for TLSv1.3.

When I ran an SSL check it said that 1.3 wasn’t supported.

Apr 26 2019, 18:09 · Operations, MacFan4000
Paladox added a comment to T4322: Enable Support for TLSv1.3.

^^, secondly we have enabled TLS 1.3 in nginx (but it's not used due to the openssl version we have).

Apr 26 2019, 17:50 · Operations, MacFan4000
Southparkfan added a comment to T4322: Enable Support for TLSv1.3.

Why is this a private task?

Apr 26 2019, 16:57 · Operations, MacFan4000
MacFan4000 updated subscribers of T4322: Enable Support for TLSv1.3.
Apr 26 2019, 16:26 · Operations, MacFan4000
Herald added a project to T4322: Enable Support for TLSv1.3: MacFan4000.
Apr 26 2019, 16:25 · Operations, MacFan4000

Apr 20 2019

NDKilla added a comment to T4306: DiscordNotifications publishes items from the suppressionlog.

Upstreamed here

Apr 20 2019, 14:55 · Upstream, Security
John added a comment to T4306: DiscordNotifications publishes items from the suppressionlog.

This should definitely be reported upstream.

Apr 20 2019, 14:26 · Upstream, Security
NDKilla created T4306: DiscordNotifications publishes items from the suppressionlog.
Apr 20 2019, 04:58 · Upstream, Security

Apr 18 2019

idris updated the task description for T4301: "setting-wgAccountCreationThrottle" and "setting-wgMaxImageArea" appearing in ManageWiki log.
Apr 18 2019, 13:40 · Configuration
idris created T4301: "setting-wgAccountCreationThrottle" and "setting-wgMaxImageArea" appearing in ManageWiki log.
Apr 18 2019, 13:40 · Configuration

Apr 5 2019

Paladox added a comment to T4241: Help!!! Wiki site overtaken?.

@Internet_Governance_Forum_Germany could you try again please, I think I fixed your perms.

Apr 5 2019, 14:09 · MediaWiki
Paladox updated subscribers of T4241: Help!!! Wiki site overtaken?.
Apr 5 2019, 14:08 · MediaWiki
Internet_Governance_Forum_Germany added a comment to T4241: Help!!! Wiki site overtaken?.

Hi,
by now all pages of the wiki are restricted and I cannot see what is happening. I am assuming that this is a malicious attack and request to block all users.
Please, help us. We are in the middle of a collaborative event process and now the outside world cannot reach and check.
Many thanks in advance!

Apr 5 2019, 13:54 · MediaWiki
Paladox added a comment to T4241: Help!!! Wiki site overtaken?.

Hi, thanks for notifying us. We are looking into this.

Apr 5 2019, 13:50 · MediaWiki
Internet_Governance_Forum_Germany created T4241: Help!!! Wiki site overtaken?.
Apr 5 2019, 12:02 · MediaWiki

Mar 22 2019

Paladox added a comment to T4208: Custom domain issue.

Well, the user cannot add wiki.abc.com (if they don't own the domain); we verify this by generating an SSL cert before linking a wiki. If you don't own the domain then the cert generation will fail, because the domain will be pointing at the wrong nameservers where the CNAME is.

Mar 22 2019, 23:24 · MediaWiki
Redsoda created T4208: Custom domain issue.
Mar 22 2019, 10:37 · MediaWiki

Mar 13 2019

Southparkfan lowered the priority of T4196: stunnel not verifying backend certificates? from Unbreak Now! to High.

I have a hard time understanding how stunnel works with the backend server with regards to certificates. I have not been able to prove (in)valid verification by stunnel.

Mar 13 2019, 18:35 · Security
NDKilla added a comment to T4196: stunnel not verifying backend certificates?.
In T4196#80101, @John wrote:

That's kind of funny (read as: awful), herald made security task temporarily visible to Amanda.

No it did not.

Mar 13 2019, 16:47 · Security
John added a comment to T4196: stunnel not verifying backend certificates?.

That's kind of funny (read as: awful), herald made security task temporarily visible to Amanda.

Mar 13 2019, 16:36 · Security
NDKilla added a comment to T4196: stunnel not verifying backend certificates?.

That's kind of funny (read as: awful), herald made security task temporarily visible to Amanda.

Mar 13 2019, 16:27 · Security
Paladox removed a project from T4196: stunnel not verifying backend certificates?: Amanda Catherine.
Mar 13 2019, 15:57 · Security
Southparkfan added a comment to T4196: stunnel not verifying backend certificates?.

Looking into this now...

Mar 13 2019, 15:32 · Security
Southparkfan raised the priority of T4196: stunnel not verifying backend certificates? from High to Unbreak Now!.
Mar 13 2019, 15:27 · Security
Southparkfan created T4196: stunnel not verifying backend certificates?.
Mar 13 2019, 15:27 · Security

Feb 8 2019

Eduaddad triaged T4090: error in my account as Normal priority.
Feb 8 2019, 19:26 · Configuration

Jan 31 2019

Void added a comment to T4064: Abuse filter rangeblocks reveal user information.

Regardless, we've disabled the feature in https://git.io/fhyHl.

Jan 31 2019, 23:40 · Security
John closed T4064: Abuse filter rangeblocks reveal user information as Invalid.
Jan 31 2019, 23:38 · Security
John added a comment to T4064: Abuse filter rangeblocks reveal user information.

But we do this? User + range blocking. Though /16s are WAY too large to block automatically.

Jan 31 2019, 23:25 · Security
Paladox added a comment to T4064: Abuse filter rangeblocks reveal user information.

Reported here https://phabricator.wikimedia.org/T215044

Jan 31 2019, 23:25 · Security
Void created T4064: Abuse filter rangeblocks reveal user information.
Jan 31 2019, 23:18 · Security

Jan 28 2019

John changed the edit policy for T4046: Social Profile allows admins to change other user's email addresses.
Jan 28 2019, 20:33 · Security
John closed T4046: Social Profile allows admins to change other user's email addresses as Resolved.

Already public anyway.

Jan 28 2019, 20:32 · Security

Jan 27 2019

Paladox added a comment to T4046: Social Profile allows admins to change other user's email addresses.

+1 too ^^

Jan 27 2019, 22:15 · Security
Southparkfan added a comment to T4046: Social Profile allows admins to change other user's email addresses.

This seems done, time to make this task public?

Jan 27 2019, 21:57 · Security

Jan 25 2019

Southparkfan added a comment to T4046: Social Profile allows admins to change other user's email addresses.

Notices have been put on Meta, Facebook and Twitter. Emails have been sent out as necessary.

Jan 25 2019, 21:24 · Security
Paladox updated subscribers of T4046: Social Profile allows admins to change other user's email addresses.
Jan 25 2019, 15:07 · Security
Paladox added a watcher for Security: Paladox.
Jan 25 2019, 15:07
Paladox added a member for Security: labster.
Jan 25 2019, 15:07
Paladox added a comment to T4046: Social Profile allows admins to change other user's email addresses.

Also the Dutch authorities will have to be told too.

Jan 25 2019, 14:39 · Security
Southparkfan added a comment to T4046: Social Profile allows admins to change other user's email addresses.

The issue has been identified and fixed and a list of affected wikis has been generated by @Paladox.

Jan 25 2019, 10:39 · Security

Jan 24 2019

Void added a comment to T4046: Social Profile allows admins to change other user's email addresses.

If it helps, I discovered this by accidentally stripping the email from two or three spambot accounts on allthetropeswiki.

Jan 24 2019, 13:42 · Security
Southparkfan removed a project from T4046: Social Profile allows admins to change other user's email addresses: Amanda Catherine.
Jan 24 2019, 12:00 · Security
Southparkfan changed the visibility for T4046: Social Profile allows admins to change other user's email addresses.
Jan 24 2019, 12:00 · Security
Southparkfan raised the priority of T4046: Social Profile allows admins to change other user's email addresses from High to Unbreak Now!.

Confirmed so far: this right was assigned to the 'sysop' group on all wikis with this extension enabled (as of this moment 86 wikis) since February 8, 2017.

Jan 24 2019, 11:59 · Security
John added a comment to T4046: Social Profile allows admins to change other user's email addresses.

You’d have to make a maint script to do it, and it’s easier to make a maintenance script loop all groups than modify a single-purpose function to do the job.

Jan 24 2019, 10:30 · Security
Void added a comment to T4046: Social Profile allows admins to change other user's email addresses.

As a followup to this task, we're thinking of modifying modifyGroupPermission.php so that it can remove a permission from all groups that contain it. This would make it easier to strip the right, as currently there are still wikis that have it. Hence https://git.io/fhwOy was done as a temporary measure.

Jan 24 2019, 04:58 · Security
Void assigned T4046: Social Profile allows admins to change other user's email addresses to Paladox.
Jan 24 2019, 03:50 · Security
Void created T4046: Social Profile allows admins to change other user's email addresses.
Jan 24 2019, 03:36 · Security

Jan 14 2019

MacFan4000 updated subscribers of T4005: Execute external commands on MediaWiki servers inside sandboxes.
Jan 14 2019, 18:40 · Operations, Security, MediaWiki
Southparkfan added a subtask for T4005: Execute external commands on MediaWiki servers inside sandboxes: T4004: Replace exec statements with Shell::command (MediaWiki's Shell Framework).
Jan 14 2019, 17:50 · Operations, Security, MediaWiki
Southparkfan triaged T4005: Execute external commands on MediaWiki servers inside sandboxes as Normal priority.
Jan 14 2019, 17:50 · Operations, Security, MediaWiki

Jan 3 2019

Paladox closed T3955: Extension:Maps refuses to load map tiles because of Content Security Policy directive as Resolved by committing Unknown Object (Diffusion Commit).
Jan 3 2019, 03:49 · Extensions

Jan 2 2019

Oxocero created T3955: Extension:Maps refuses to load map tiles because of Content Security Policy directive.
Jan 2 2019, 23:09 · Extensions

Dec 19 2018

ZelDelet created T3905: We had a small attack of vandalism.
Dec 19 2018, 08:54

Dec 14 2018

MacFan4000 merged task T3888: Section headers are broken on all wikis (Mobile Version) into T3751: Page renders strangely on Mobile View.
Dec 14 2018, 11:35
Ahmsaqib created T3888: Section headers are broken on all wikis (Mobile Version).
Dec 14 2018, 09:45

Dec 4 2018

Paladox closed T3862: Increase minimum length passwords from 1 to at least 6? as Resolved.
Dec 4 2018, 16:48 · MacFan4000, Configuration, Security
MacFan4000 claimed T3862: Increase minimum length passwords from 1 to at least 6?.

https://github.com/miraheze/mw-config/pull/2571

Dec 4 2018, 15:26 · MacFan4000, Configuration, Security
Paladox changed the edit policy for T3862: Increase minimum length passwords from 1 to at least 6?.
Dec 4 2018, 01:03 · MacFan4000, Configuration, Security
Herald added a project to T3862: Increase minimum length passwords from 1 to at least 6?: MacFan4000.

https://www.mediawiki.org/wiki/Manual:$wgPasswordPolicy

Dec 4 2018, 00:54 · MacFan4000, Configuration, Security
Paladox created T3862: Increase minimum length passwords from 1 to at least 6?.
Dec 4 2018, 00:30 · MacFan4000, Configuration, Security

Oct 28 2018

Paladox added a comment to T3739: Permissions settings do not longer seem to be effective.

Hi, you probably want to change https://christipedia.miraheze.org/wiki/Speciaal:ManageWikiPermissions/* since User only affects logged-in users whereas * affects anons.

Oct 28 2018, 09:35 · MacFan4000
Reception123 updated subscribers of T3739: Permissions settings do not longer seem to be effective.
Oct 28 2018, 08:15 · MacFan4000
Kees_Langeveld created T3739: Permissions settings do not longer seem to be effective.
Oct 28 2018, 06:18 · MacFan4000

Oct 18 2018

Paladox closed T3712: logo karmel.miraheze as Resolved.
Oct 18 2018, 21:10 · Configuration
Paladox added a comment to T3712: logo karmel.miraheze.

You can do that here https://karmel.miraheze.org/wiki/Especial:ManageWikiSettings (setting the logo)

Oct 18 2018, 21:07 · Configuration
Penarc1 added a comment to T3712: logo karmel.miraheze.

https://karmel.miraheze.org/wiki/Archivo:Wiki.png

Oct 18 2018, 20:45 · Configuration
Penarc1 created T3712: logo karmel.miraheze.
Oct 18 2018, 20:43 · Configuration

Aug 27 2018

CnocBride added a watcher for Security: CnocBride.
Aug 27 2018, 09:14
John closed T3520: Personal and sensitive information being sent third party by a community as Resolved.
Aug 27 2018, 01:56 · MediaWiki, Security
John added a comment to T3520: Personal and sensitive information being sent third party by a community.

https://meta.miraheze.org/wiki/2018-08-26_Security_Disclosure

Aug 27 2018, 01:55 · MediaWiki, Security
John updated the task description for T3520: Personal and sensitive information being sent third party by a community.
Aug 27 2018, 00:13 · MediaWiki, Security

Aug 26 2018

John updated the task description for T3520: Personal and sensitive information being sent third party by a community.
Aug 26 2018, 23:11 · MediaWiki, Security
Void added a comment to T3520: Personal and sensitive information being sent third party by a community.

  1. OS is done.
  2. Warning is going anyway.
  3. List should possibly be here.

Aug 26 2018, 22:55 · MediaWiki, Security
John added a comment to T3520: Personal and sensitive information being sent third party by a community.

Some comments.

  1. Script removal should be done by oversighters (so that local admins cannot restore).

Has been done, don't worry :)

  2. One of the problems is that the guy who made the script has been inactive for months (see this). I'm not sure whether anyone can make a contact.

They'll get an email if they have one. Else, I'm sure others will react anyway.

  3. Also, at least one of the admins there hosts multiple wikis; those wikis should also be investigated (I'll send a list on CVT channel if necessary).

Please do!

Aug 26 2018, 22:55 · MediaWiki, Security