Musikanimal, that sounds like a good suggestion to add to Phabricator.
I hope that there is way that these suggestions are being tracked but I
don't see a public task for this on the Security workboard, possibly to
avoid announcing vulnerabilities in public until they have been assessed.
Unless someone here has advice to the contrary, I think that going to
Phabricator and submitting a new security bug, which will be nonpublic by
default, would be a reasonable option.
Pine
(
)
On Fri, Mar 16, 2018 at 10:33 AM, Leon Ziemba <musikanimal(a)wikimedia.org>
wrote:
Sorry to slightly sidetrack this discussion, but
someone recently asked me
if it were possible to modify a steward's user JS so that it granted them
advanced rights like steward/checkuser/oversight. This of course is
possible, but very rare since you need to be a sysop to edit these JS
pages. The point this person was making to me however was that on smaller
wikis it can be easy to become a sysop, and it's probable that by nature
stewards will show up there occasionally, and that their own personal JS
may not be closely watched. I told them not to worry about it, but if we
really wanted to do something, we could make a steward's JS only be mutable
by other stewards (or something).
Maybe something else to think about?
~Leon
On Thu, Mar 15, 2018 at 5:46 PM, Eran Rosenthal <eranroz89(a)gmail.com>
wrote:
Lego already did a script to verify no external
resources are loaded:
https://phabricator.wikimedia.org/T71519
I think there is a Jenkins job running it on regular basis
On Thu, Mar 15, 2018 at 6:30 AM, MZMcBride <z(a)mzmcbride.com> wrote:
David Gerard wrote:
What ways are there to include user-edited
JavaScript in a wiki page?
[...]
You can't see it now, but it was someone including a JavaScript
cryptocurrency miner in common.js!
Obviously this is not going to be a common thing, and common.js is
closely watched. (The above edit was reverted in 7 minutes, and the
user banned.)
But what are the ways to get user-edited JavaScript running on a
MediaWiki, outside one's own personal usage? And what permissions are
needed? I ask with threats like this in mind.
There's an old post of mine that documents some of the ways to inject
site-wide JavaScript:
<https://lists.wikimedia.org/pipermail/wikimedia-l/2014-
August/073787.html
I believe, as Brian notes in this thread, that most methods require
having
the "editinterface" user right so that
you can edit wiki pages in the
"MediaWiki" namespace. By default, this user right is assigned to the
"sysop" user group, but if you search through
<https://noc.wikimedia.org/conf/InitialiseSettings.php.txt> for the
string
> "editinterface", you can see that on specific wikis such as fawiki,
this
user
right has been assigned to additional user groups.
Jon Robson wrote:
>It has always made me a little uneasy that there are wiki pages where
>JavaScript could potentially be injected into my page without my
approval.
>To be honest if I had the option I would
disable all site and user
scripts
> >for my account.
>
> You could file a Phabricator task about this. We already specifically
> exempt certain pages, such as Special:UserLogin and
Special:Preferences,
from
injecting custom JavaScript. We could potentially add a user
preference to do what you're suggesting.
That said, you're currently executing thousands upon thousands of lines
of
code on your computer that you've never read
or verified. If you're a
standard computer user, you visit hundreds of Web sites per year that
each
> execute thousands of lines of untrusted scripts that you've never read
or
> verified. Of all the places you're
likely to run into trouble,
Wikimedia
> wikis are, in many ways, some of the safest.
Given all of this code,
your
> computer, as well as mine, are vulnerable to
dozens of very real
attacks
> at any time. And yet we soldier on without
too much panic or worry.
>
> >Has this sort of thing happened before?
>
>
Salon.com recently prompted users with ad blocking software installed
to
voluntarily mine cryptocurrency: <https://arstechnica.com/?p=1259653>.
This situation on
fa.wikipedia.org was obviously involuntary. I don't
know
of any similar incidents. We have had wiki
administrators inadvertently
inject scripts with privacy issues, such as Google Analytics. These
scripts have generally been promptly removed when noticed. On the other
hand, pages such as <https://status.wikimedia.org/> have been loading
the
same problematic scripts (Google Analytics and
JavaScript from
ajax.googleapis.com) for years and nobody seems to have cared enough
yet.
>Can we be sure there isn't a gadget, interface page that has this sort
of
> >code lurking inside? Do we have any detection measures in place?
>
> A much surer bet is that at least some gadgets and other site-wide
> JavaScript have privacy issues and potentially security issues. It
would
> be shocking if, across the hundreds of
Wikimedia wikis, none of them
did.
>
> I think in the past Timo and maybe Alex Monk have done some surveying
of
> public Wikimedia wikis using a browser or
browser emulator to check if
> there are network requests being made to non-Wikimedia domains. As
Lucas
> noted in this thread already, there are also
tasks such as
> <https://phabricator.wikimedia.org/T135963> that could be worked on,
if
there's sufficient interest.
MZMcBride
_______________________________________________
Wikitech-l mailing list
Wikitech-l(a)lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/wikitech-l
_______________________________________________
Wikitech-l mailing list
Wikitech-l(a)lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/wikitech-l
_______________________________________________
Wikitech-l mailing list
Wikitech-l(a)lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/wikitech-l