Miraheze Phabricator: Security project

Description

The members of this project have access to security-sensitive tasks.

Do NOT add unauthorized members!

Recent Activity

Yesterday

Southparkfan added a member for Security: Zppix.
Tue, Oct 15, 15:31

Sep 10 2019

Reception123 added a member for Security: RhinosF1.
Sep 10 2019, 16:43

Sep 4 2019

John changed the visibility for T4695: Upgrade varnish due to security alert.
Sep 4 2019, 12:58 · Operations, Security
John closed T4695: Upgrade varnish due to security alert as Invalid.
Sep 4 2019, 12:58 · Operations, Security
Paladox added a comment to T4695: Upgrade varnish due to security alert.

The bug does not affect us.

Sep 4 2019, 11:39 · Operations, Security
Reception123 shifted T4695: Upgrade varnish due to security alert from the Restricted Space space to the S1 Public space.
Sep 4 2019, 06:41 · Operations, Security
Reception123 shifted T4695: Upgrade varnish due to security alert from the S1 Public space to the Restricted Space space.
Sep 4 2019, 06:18 · Operations, Security
RhinosF1 created T4695: Upgrade varnish due to security alert.
Sep 4 2019, 06:13 · Operations, Security

Aug 27 2019

John changed the visibility for T4613: RequestWiki shows viewers IP instead of merged account name.
Aug 27 2019, 21:21 · CreateWiki, Security
John closed T4613: RequestWiki shows viewers IP instead of merged account name as Invalid.

Not a security issue. Behaviour has been fixed in 1.34 I believe now.

Aug 27 2019, 21:21 · CreateWiki, Security

Aug 7 2019

RhinosF1 added a comment to T4613: RequestWiki shows viewers IP instead of merged account name.

Actually, looks like the other person involved was on enwp 1 day ago so I might be able to drop them an email.

Aug 7 2019, 19:14 · CreateWiki, Security
RhinosF1 added a comment to T4613: RequestWiki shows viewers IP instead of merged account name.

Actually, looks like the other person involved was on enwp 1 day ago so I might be able to drop them an email.

Aug 7 2019, 18:14 · CreateWiki, Security
RhinosF1 added a comment to T4613: RequestWiki shows viewers IP instead of merged account name.

Just an update: The IRC log with the fix on no longer exists (me and Bawolff don't have it and the other person involved hasn't been seen in a long while).

Aug 7 2019, 18:13 · CreateWiki, Security
Reception123 added a comment to T4613: RequestWiki shows viewers IP instead of merged account name.

I will agree with John that this is not a security issue, since only the viewer's IP is shown, but also agree that to be safe we should keep it like this for the time being.

Aug 7 2019, 16:32 · CreateWiki, Security

Aug 5 2019

RhinosF1 added a comment to T4613: RequestWiki shows viewers IP instead of merged account name.

I found https://phabricator.wikimedia.org/T219429 which was what Bawolff thought the issue was back then with another wiki.

Aug 5 2019, 19:49 · CreateWiki, Security
John added a comment to T4613: RequestWiki shows viewers IP instead of merged account name.
In T4613#87651, @John wrote:

Also I don’t believe it’s realistically a security issue (that’s my opinion)

It’s borderline but we don’t know the full impact so Paladox said do so as a precaution but I’ll give you my definite opinion once I have time to review my records.

Aug 5 2019, 19:17 · CreateWiki, Security
RhinosF1 added a comment to T4613: RequestWiki shows viewers IP instead of merged account name.

If I remember rightly it's either a script or some SQL that repaired the issue on this wiki.

Aug 5 2019, 19:11 · CreateWiki, Security
RhinosF1 added a comment to T4613: RequestWiki shows viewers IP instead of merged account name.
In T4613#87651, @John wrote:

MediaWiki has atrocious handling of non-existent accounts - makes a lot of sense but I feel like this should be an upstream issue to be addressed.

I think there might be a task for it upstream - I’m going to search my records for the information later

Also I don’t believe it’s realistically a security issue (that’s my opinion)

It’s borderline but we don’t know the full impact so Paladox said do so as a precaution but I’ll give you my definite opinion once I have time to review my records.

Aug 5 2019, 19:10 · CreateWiki, Security
John added a comment to T4613: RequestWiki shows viewers IP instead of merged account name.

MediaWiki has atrocious handling of non-existent accounts - makes a lot of sense but I feel like this should be an upstream issue to be addressed.

Aug 5 2019, 19:04 · CreateWiki, Security
RhinosF1 added a comment to T4613: RequestWiki shows viewers IP instead of merged account name.

I had an issue on another wiki where accounts that had been removed from the DB showed the viewers IP and a fix was given by Brian Wolff from Wikimedia Security - I’ll see if I can dig the information up later today if no one can grab him before then

Aug 5 2019, 18:55 · CreateWiki, Security
RhinosF1 created T4613: RequestWiki shows viewers IP instead of merged account name.
Aug 5 2019, 18:53 · CreateWiki, Security

Aug 4 2019

RhinosF1 added a project to T4610: Extension for User Name requested: Security.

Adding Security due to issues with UserFunction

Aug 4 2019, 17:58 · Extensions, Configuration

Jul 12 2019

John claimed T4468: Verify if PageDisqus has reflective XSS.
Jul 12 2019, 14:06 · Security, Extension-Review
John closed T4468: Verify if PageDisqus has reflective XSS as Invalid.

No XSS.

Jul 12 2019, 14:05 · Security, Extension-Review

Jul 4 2019

AmandaCath added a comment to T4196: stunnel not verifying backend certificates?.

Obviously just seeing this now... @NDKilla one of the conditions in my Herald rule is to automatically add my project tag to any task that is UBN priority.

Jul 4 2019, 00:24 · Security

Jul 3 2019

Southparkfan changed the visibility for T4196: stunnel not verifying backend certificates?.
Jul 3 2019, 23:26 · Security
Southparkfan closed T4196: stunnel not verifying backend certificates? as Declined.

Non-existent issue.

Jul 3 2019, 18:31 · Security

Jun 13 2019

Southparkfan created T4468: Verify if PageDisqus has reflective XSS.
Jun 13 2019, 22:31 · Security, Extension-Review

May 24 2019

John added a project to T4415: Possible vulnerability of Special:IncidentReports: IncidentReporting.
May 24 2019, 14:58 · IncidentReporting, Security
John closed T4415: Possible vulnerability of Special:IncidentReports as Resolved.

Thank you for your reasonable disclosure.

May 24 2019, 14:58 · IncidentReporting, Security
Paladox updated subscribers of T4415: Possible vulnerability of Special:IncidentReports.

I have a fix, but before I deploy it I would like to speak to @John about restricting access to IR to only people who need to write reports.

May 24 2019, 12:10 · IncidentReporting, Security
Paladox added a comment to T4415: Possible vulnerability of Special:IncidentReports.

2019-05-24 12:01:42 mw1 metawiki: [c564b622472bcff6f0f3ece4] /wiki/Special:IncidentReports/15/edit Error from line 56 of /srv/mediawiki/w/extensions/IncidentReporting/includes/IncidentReportingFormFactory.php: Call to a member function getId() on boolean

May 24 2019, 12:02 · IncidentReporting, Security
Paladox added a comment to T4415: Possible vulnerability of Special:IncidentReports.

2019-05-24 10:23:21 mw1 metawiki: [9b27a4ecb41a43dbbd47bf8b] /wiki/Special:IncidentReports/11/edit ErrorException from line 641 of /srv/mediawiki/w/extensions/IncidentReporting/includes/IncidentReportingFormFactory.php: PHP Notice: A non well formed numeric value encountered

May 24 2019, 11:39 · IncidentReporting, Security
The_Pioneer created T4415: Possible vulnerability of Special:IncidentReports.
May 24 2019, 11:17 · IncidentReporting, Security

May 23 2019

Southparkfan removed a member for Security: MacFan4000.
May 23 2019, 22:45

May 20 2019

John added a comment to T4005: Execute external commands on MediaWiki servers inside sandboxes.

It’s a task related to security but not exploitable because we review all extensions to minimise all risks

May 20 2019, 18:11 · Operations, Security, MediaWiki
AmandaCath added a comment to T4005: Execute external commands on MediaWiki servers inside sandboxes.

Why do we have a task flagged as a security issue that is public? Should the tag be removed, or should this task be hidden?

May 20 2019, 17:53 · Operations, Security, MediaWiki

May 14 2019

John closed T4004: Replace exec statements with Shell::command (MediaWiki's Shell Framework), a subtask of T4005: Execute external commands on MediaWiki servers inside sandboxes, as Resolved.
May 14 2019, 22:10 · Operations, Security, MediaWiki

May 11 2019

John changed the edit policy for T4358: Wiki owner/crat can gain oversight access.
May 11 2019, 10:18 · Security
John closed T4358: Wiki owner/crat can gain oversight access as Resolved.

Thank you for bringing this to our attention responsibly. The issue has now been fixed with https://github.com/miraheze/mw-config/commit/c934d439fa13624148b5c7e4570fabb097a73919.

May 11 2019, 10:18 · Security
Bonnedav created T4358: Wiki owner/crat can gain oversight access.
May 11 2019, 09:18 · Security

May 1 2019

John changed the edit policy for T4306: DiscordNotifications publishes items from the suppressionlog.
May 1 2019, 00:53 · Upstream, Security
John closed T4306: DiscordNotifications publishes items from the suppressionlog as Resolved.
May 1 2019, 00:48 · Upstream, Security

Apr 26 2019

John closed T4322: Enable Support for TLSv1.3 as Resolved.

In theory we do. Task requires no action, will be resolved automatically with time.

Apr 26 2019, 21:02 · Operations, MacFan4000
Paladox added a comment to T4322: Enable Support for TLSv1.3.

Yup, hence " (but it's not used due to the openssl version we have)." :)

Apr 26 2019, 18:14 · Operations, MacFan4000
MacFan4000 changed the edit policy for T4322: Enable Support for TLSv1.3.
Apr 26 2019, 18:10 · Operations, MacFan4000
MacFan4000 added a comment to T4322: Enable Support for TLSv1.3.

When I ran an SSL check it said that 1.3 wasn’t supported.

Apr 26 2019, 18:09 · Operations, MacFan4000
Paladox added a comment to T4322: Enable Support for TLSv1.3.

^^, secondly we have enabled TLS 1.3 in nginx (but it's not used due to the openssl version we have).

Apr 26 2019, 17:50 · Operations, MacFan4000
Southparkfan added a comment to T4322: Enable Support for TLSv1.3.

Why is this a private task?

Apr 26 2019, 16:57 · Operations, MacFan4000
MacFan4000 updated subscribers of T4322: Enable Support for TLSv1.3.
Apr 26 2019, 16:26 · Operations, MacFan4000