[Foundation-l] Security holes in Mediawiki

George Herbert george.herbert at gmail.com
Tue Sep 15 17:51:09 UTC 2009


On Tue, Sep 15, 2009 at 10:38 AM, Gregory Kohs <thekohser at gmail.com> wrote:
> I was sort of surprised to learn today that Mediawiki software has had 37
> security holes identified:
>
> http://akahele.org/2009/09/false-sense-of-security/
>
> Are most of these patched now, or are they still open?  If still open, is
> the Foundation making site & user security more of a priority in 2010?

From the report:
"Multiple cross-site scripting (XSS) vulnerabilities in the web-based
installer (config/index.php) in MediaWiki 1.6 before 1.6.12, 1.12
before 1.12.4, and 1.13 before 1.13.4, when the installer is in active
use, allow remote attackers to inject arbitrary web script or HTML via
unspecified vectors."

MediaWiki's current stable version is 1.15.1, which has been out for 2
months now.  En.wikipedia.org is running on 1.16alpha.

There being security holes in software is a given.  Them being there
negligently is an issue.  But them being there is not.  Holes in
software which is years old is not news - the newer versions have been
patched, appropriately and responsibly.

Are there issues with current MW?  Sure.  26 open issues a la the raw
report above?  No.  That's an accumulation of issues in older
versions, which are either all or nearly all patched now.

MediaWiki is not felt by the wider open source or security communities
to be a particularly bad (or super strong) open source product.  The
programming team is, however, very responsive to security issues... as
one has to be if one is running a top-10 internet site, because anyone
who can hack it will just for the cred.

This is not a nonissue - any open source dev team and any large
website ops team have to be focused on this as one of many high
priorities - but it's not a huge gotcha.  It's not new, it's not big
news, and it's not surprising.  Security holes (regretfully and
unfortunately) happen.  Security is keeping up to date and fixing them
when they are discovered.


-- 
-george william herbert
george.herbert at gmail.com
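As an added illustration, not part of the original message or of MediaWiki's own code: the advisory quoted above names three affected branches with a first fixed release on each (1.6 before 1.6.12, 1.12 before 1.12.4, 1.13 before 1.13.4). The small Python check below parses MediaWiki-style version strings (including pre-release tags such as "1.16alpha") and reports whether a given install falls inside one of those ranges, which is the concrete form of the point that the listed holes apply to old branches and not to 1.15.1. The version inventory in the `__main__` block is constructed for the example; the range data is taken from the advisory text as quoted.

```python
"""Check MediaWiki version strings against the affected ranges quoted from the
advisory in the message above.  Added example; the ranges come from the page,
the code is not MediaWiki's."""

import re

# Affected branches as quoted from the advisory: (branch, first fixed version).
# A version is affected when it is on that branch and older than the fix.
AFFECTED_RANGES = [
    ("1.6", "1.6.12"),
    ("1.12", "1.12.4"),
    ("1.13", "1.13.4"),
]

# major.minor[.patch][pre-release tag], e.g. "1.15.1", "1.16alpha", "1.13.3rc1"
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?([a-z]+\d*)?$")


def parse_version(text):
    """Turn a version string into a tuple that compares in release order.

    A pre-release tag (alpha/beta/rc) sorts before the final release of the
    same number, so "1.16alpha" < "1.16" while still being > "1.15.1".
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError("unrecognised version string: %r" % text)
    major, minor, patch, suffix = m.groups()
    # Final releases get marker 1 so they sort after any (0, tag) pre-release.
    pre = (0, suffix) if suffix else (1, "")
    return (int(major), int(minor), int(patch or 0), pre)


def on_branch(version, branch):
    """True when the parsed version lies on the given 'major.minor' branch."""
    major, minor = (int(p) for p in branch.split("."))
    return version[0] == major and version[1] == minor


def affected_by(version_text, ranges=AFFECTED_RANGES):
    """Return the affected branch the version belongs to, or None.

    Only the branches named in the advisory are considered: a version on a
    newer branch (e.g. 1.15.x) is simply not covered by this advisory.
    """
    v = parse_version(version_text)
    for branch, fixed in ranges:
        if on_branch(v, branch) and v < parse_version(fixed):
            return branch
    return None


def triage(version_texts, ranges=AFFECTED_RANGES):
    """Classify several version strings; returns {version: branch or None}."""
    return {t: affected_by(t, ranges) for t in version_texts}


if __name__ == "__main__":
    # Constructed sample inventory: the two versions named in the message plus
    # a few older installs, to show which ones the quoted advisory covers.
    sample = ["1.6.10", "1.12.4", "1.13.3", "1.15.1", "1.16alpha"]
    for ver, hit in triage(sample).items():
        status = "AFFECTED (branch %s)" % hit if hit else "not affected"
        print("%-10s %s" % (ver, status))
```

The check only answers the version question; the advisory also says the installer vulnerabilities matter "when the installer is in active use", so an install that has finished setup and removed or locked down `config/` has a separate mitigation regardless of version. That condition is deliberately left out of the range logic above rather than guessed at.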
