I was sort of surprised to learn today that Mediawiki software has had 37 security holes identified:
http://akahele.org/2009/09/false-sense-of-security/
Are most of these patched now, or are they still open? If still open, is the Foundation making site & user security more of a priority in 2010?
On Tue, Sep 15, 2009 at 10:38 AM, Gregory Kohs thekohser@gmail.com wrote:
> I was sort of surprised to learn today that Mediawiki software has had 37 security holes identified:
> http://akahele.org/2009/09/false-sense-of-security/
> Are most of these patched now, or are they still open? If still open, is the Foundation making site & user security more of a priority in 2010?
From the report:
"Multiple cross-site scripting (XSS) vulnerabilities in the web-based installer (config/index.php) in MediaWiki 1.6 before 1.6.12, 1.12 before 1.12.4, and 1.13 before 1.13.4, when the installer is in active use, allow remote attackers to inject arbitrary web script or HTML via unspecified vectors."
MediaWiki's current stable version is 1.15.1, which has been out for 2 months now. En.wikipedia.org is running on 1.16alpha.
There being security holes in software is a given. Them being there negligently is an issue. But them being there is not. Holes in software that is years old are not news - the newer versions have been patched, appropriately and responsibly.
Are there issues with current MW? Sure. 26 open issues a la the raw report above? No. That's an accumulation of issues in older versions, which are either all or nearly all patched now.
MediaWiki is not felt by the wider open source or security communities to be a particularly bad (or super strong) open source product. The programming team is, however, very responsive to security issues... as one has to be if one is running a top-10 internet site, because anyone who can hack it will just for the cred.
This is not a nonissue - any open source dev team and any large website ops team have to be focused on this as one of many high priorities - but it's not a huge gotcha. It's not new, it's not big news, and it's not surprising. Security holes (regretfully and unfortunately) happen. Security is keeping up to date and fixing them when they are discovered.
Hello Gregory,
> I was sort of surprised to learn today that Mediawiki software has had 37 security holes identified:
Why would you be surprised? It is web software that allows _most_ flexibility for its users; you can expect most problems because of that, especially in the XSS area. On the other hand, most of those identified vulnerabilities are ones published about _after_ they get fixed and releases delivered.
You should probably ask about actual vulnerabilities in other mailing lists, but it would be even better, if you did some basic research first. Posting walls of text to your blog and redirecting people there isn't constructive.
And by the way, our site security is getting better and better, once upon a time anyone could edit.
Domas
2009/9/15 Gregory Kohs thekohser@gmail.com:
> I was sort of surprised to learn today that Mediawiki software has had 37 security holes identified:
> http://akahele.org/2009/09/false-sense-of-security/
> Are most of these patched now, or are they still open? If still open, is the Foundation making site & user security more of a priority in 2010?
The most recent one (the only 2009 notice) which that blog links to is explicitly resolved;
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-0737
http://lists.wikimedia.org/pipermail/mediawiki-announce/2009-February/000083...
Note that it was entered into the database on 25 February, two weeks after solution and marked as not affecting the most recent release version on the same day. Skimming down the list, it looks like most of them are in the same boat -
CVE-2008-5688: "MediaWiki 1.8.1, and other versions before 1.13.3, when the wgShowExceptionDetails variable is enabled..."
CVE-2008-5687: "MediaWiki 1.11, and other versions before 1.13.3, does not properly protect against the download of backups of deleted images..."
The database appears to record *known* problems in all versions of the software, rather than just "open problems". I haven't checked each one, but all the recent ones look solved, so I think we're safe - at least, safe from the problems we know about, which is always the important caveat!
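The practical check behind the last reply (does the version I am running fall inside the ranges an NVD entry lists, and under what configuration) is easy to automate. The following is an added example for this thread, not code from MediaWiki or from any of the posters: it parses the "X before Y" clauses out of NVD-style descriptions, here the two quoted earlier in the thread, extracts the "when ..." precondition, and compares a deployed version against the ranges. The regexes and the version-tuple comparison are the example's own assumptions about how the descriptions are phrased.

```python
"""Check a running MediaWiki version against the "X before Y" ranges in an
NVD/CVE description.  Added example for this thread; not MediaWiki code."""
import re
from typing import List, Optional, Tuple

Version = Tuple[int, ...]

# Sample input: the two descriptions quoted earlier in the thread.
CVE_2009_XSS = (
    "Multiple cross-site scripting (XSS) vulnerabilities in the web-based "
    "installer (config/index.php) in MediaWiki 1.6 before 1.6.12, 1.12 before "
    "1.12.4, and 1.13 before 1.13.4, when the installer is in active use, allow "
    "remote attackers to inject arbitrary web script or HTML via unspecified vectors."
)
CVE_2008_5688 = (
    "MediaWiki 1.8.1, and other versions before 1.13.3, when the "
    "wgShowExceptionDetails variable is enabled..."
)

# Assumed phrasing: "1.13 before 1.13.4" (one branch) or "versions before 1.13.3" (all).
_RANGE = re.compile(r"(?:(\d+(?:\.\d+)*)|versions) before (\d+(?:\.\d+)+)")
_WHEN = re.compile(r"\bwhen (.+?)(?:,|\.\.\.|$)")


def parse_version(s: str) -> Version:
    """'1.13.4' -> (1, 13, 4); '1.16alpha' -> (1, 16).  Pre-release tags are
    dropped: for range checks what matters is which fix line the number is past."""
    m = re.match(r"\s*(\d+(?:\.\d+)*)", s)
    if not m:
        raise ValueError(f"not a version string: {s!r}")
    return tuple(int(p) for p in m.group(1).split("."))


class AffectedRange:
    """branch=None means 'every version before fixed'; otherwise only versions
    on that branch (same leading components) and below the fix."""

    def __init__(self, branch: Optional[Version], fixed: Version) -> None:
        self.branch, self.fixed = branch, fixed

    def contains(self, v: Version) -> bool:
        if self.branch is not None and v[: len(self.branch)] != self.branch:
            return False
        return v < self.fixed

    def __repr__(self) -> str:
        b = "any" if self.branch is None else ".".join(map(str, self.branch))
        return f"{b} before {'.'.join(map(str, self.fixed))}"


def affected_ranges(desc: str) -> List[AffectedRange]:
    """Pull every 'BRANCH before FIXED' / 'versions before FIXED' clause."""
    out: List[AffectedRange] = []
    for branch, fixed in _RANGE.findall(desc):
        out.append(AffectedRange(parse_version(branch) if branch else None,
                                 parse_version(fixed)))
    return out


def precondition(desc: str) -> Optional[str]:
    """The 'when ...' clause, i.e. the configuration the bug needs."""
    m = _WHEN.search(desc)
    return m.group(1) if m else None


def is_affected(desc: str, running: str) -> bool:
    """True if `running` falls inside any listed range.  A branch the
    description does not mention is reported as not affected, which only means
    the advisory says nothing about it, not that it is safe."""
    v = parse_version(running)
    return any(r.contains(v) for r in affected_ranges(desc))


if __name__ == "__main__":
    for desc in (CVE_2009_XSS, CVE_2008_5688):
        print(affected_ranges(desc), "| needs:", precondition(desc))
        for ver in ("1.6.11", "1.13.2", "1.15.1", "1.16alpha"):
            print(f"  {ver:>9}: {'AFFECTED' if is_affected(desc, ver) else 'not in range'}")
```

Run against the versions named in the thread, 1.15.1 and 1.16alpha sit past every listed fix line for both entries, while 1.13.2 is inside both. Two caveats the code makes explicit: the "when ..." precondition matters (an installer that is not in use, or wgShowExceptionDetails left off, is not exposed), and a branch the description never mentions is simply not covered by that advisory, not certified clean.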
wikimedia-l@lists.wikimedia.org