On 8/2/07, David Gerard dgerard@gmail.com wrote:
> On 02/08/07, Nicholas Moreau nicholasmoreau@gmail.com wrote:
> > Does the MediaWiki software, or any independently-running 'bots, look for code placed into pages of the Foundation projects? This article claims that we're a security risk... http://www.itworldcanada.com/a/News/036ff0b8-a384-4019-944c-bf09be58eec5.htm...
>
> Rubbish. I've commented accordingly.
Only mostly rubbish:
People can, and have, externally linked to malicious software from our sites.
Of course, that can happen anywhere on the net and users (and their browser software) should be smart enough not to execute such code, but Wikipedia looks rather respectable so people may be more inclined to bypass security measures based on something on our site.
At the moment there are 209 external links to .exe files from the main namespace of English Wikipedia.
I don't think we should worry about malicious software specifically. Instead, view any external link to malicious code as part of the larger problem of weak oversight of external links.
A while back I ran clamav against all 'executable'-looking external links and found one nasty file. It would be really nice if the mechanism that updates the externallinks table spat out a running log of external link additions and removals that we could hook an ongoing scanner into.
It's also possible to rename malicious content as one of our accepted formats for upload and upload it. If your client will execute an 'exe' renamed to 'ogg' and sent with the Ogg mime type, your client is broken, but broken clients do exist. I do not recall ever seeing an example of something malicious distributed that way on our sites.
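As an added illustration of the two checks this message describes (not code from the thread or from MediaWiki), the following Python sketch queues executable-looking link additions from a hypothetical externallinks change log for scanning, and compares an upload's claimed extension with its leading bytes so that an executable renamed to .ogg is caught before a broken client runs it. The log format, the extension list and the magic-byte table are assumptions.

```python
import re
from typing import Iterable

# Extensions a link scanner should queue for an antivirus pass (constructed list).
EXECUTABLE_EXTENSIONS = {"exe", "scr", "com", "msi", "bat", "cmd", "pif", "dll"}
# Leading bytes of a few accepted upload formats (constructed subset); PE files start with "MZ".
MAGIC = {"ogg": b"OggS", "png": b"\x89PNG\r\n\x1a\n", "gif": b"GIF8"}
PE_MAGIC = b"MZ"


def extension_of(name: str) -> str:
    """Lower-cased extension of a URL or filename, ignoring query string and fragment."""
    path = re.split(r"[?#]", name, maxsplit=1)[0]
    tail = path.rsplit("/", 1)[-1]
    return tail.rsplit(".", 1)[-1].lower() if "." in tail else ""


def executable_links(log_lines: Iterable[str]) -> list[tuple[str, str]]:
    """(page_id, url) for each *added* link whose path looks executable.
    Hypothetical log format: '<add|remove> <page_id> <url>' per line."""
    hits = []
    for line in log_lines:
        parts = line.split(maxsplit=2)
        if len(parts) != 3 or parts[0] != "add":
            continue  # removals and malformed lines need no scan
        if extension_of(parts[2]) in EXECUTABLE_EXTENSIONS:
            hits.append((parts[1], parts[2]))
    return hits


def check_upload(filename: str, head: bytes) -> str:
    """Compare an upload's claimed extension with its leading bytes: 'renamed-executable'
    catches an .exe renamed to .ogg, 'mismatch' any other disagreement, 'unknown' an
    extension with no magic on file."""
    if head.startswith(PE_MAGIC):
        return "renamed-executable"
    expected = MAGIC.get(extension_of(filename))
    if expected is None:
        return "unknown"
    return "ok" if head.startswith(expected) else "mismatch"


# Constructed sample log, not real Wikipedia data.
SAMPLE_LOG = """\
add 12 http://example.org/tools/setup.exe
add 12 http://example.org/docs/readme.html
remove 7 http://example.org/old/installer.EXE
add 9 http://example.org/dl/patch.SCR?mirror=2
add 3 http://example.org/music/track.ogg
"""
```

Only the "add" records reach the scan queue; a real hook would hand each queued URL to clamav or a similar scanner rather than acting on the extension alone.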