It has always made me a little uneasy that there are wiki pages where
JavaScript could potentially be injected into my page without my approval.
To be honest, if I had the option I would disable all site and user scripts
for my account.
Has this sort of thing happened before?
Can we be sure there isn't a gadget or interface page that has this sort of
code lurking inside? Do we have any detection measures in place?
Even if every edit to these pages is watched, I suspect it would be very
easy for the same attack to be done in a more sophisticated way, e.g.
disguising the code as a base64 image.

On Wed, 14 Mar 2018 at 07:42 Brian Wolff <bawolff(a)gmail.com> wrote:

On Wednesday, March 14, 2018, David Gerard <dgerard(a)gmail.com> wrote:

What ways are there to include user-edited
JavaScript in a wiki page?
I ask because someone put this revision in (which is now deleted):
https://fa.wikipedia.org/w/index.php?title=%D9%85%D8%AF%DB%8C%D8%A7%D9%88%D…
You can't see it now, but it was someone including a JavaScript
cryptocurrency miner in common.js!
Obviously this is not going to be a common thing, and common.js is
closely watched. (The above edit was reverted in 7 minutes, and the
user banned.)
But what are the ways to get user-edited JavaScript running on a
MediaWiki, outside one's own personal usage? And what permissions are
needed? I ask with threats like this in mind.
- d.
_______________________________________________
Wikitech-l mailing list
Wikitech-l(a)lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/wikitech-l
You need editinterface, edituserjs, or some of the centralnotice-related
rights (or the steward-related rights to give yourself these rights).
Any method that does not involve editinterface or a related right that is
normally restricted to administrators (or a higher group) should be considered
a serious security issue in MediaWiki and reported immediately.
--
Brian Wolff
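
An added example, not part of the thread and not MediaWiki's own code: one way to audit which groups hold the rights named above, working from the output of api.php?action=query&meta=siteinfo&siprop=usergroups. The sample response, the "bannerbot" group, the "centralnotice" prefix match, the use of "userrights" for the grant path, and the expected-group list are assumptions made for illustration.

```python
import json

# Rights the thread names as able to put JavaScript in front of other users.
DIRECT = {"editinterface", "edituserjs"}
# Assumption: CentralNotice rights share this prefix (e.g. centralnotice-admin).
DIRECT_PREFIXES = ("centralnotice",)
# Indirect path from the thread: a right that lets its holder grant the above.
INDIRECT = {"userrights"}
# Assumption: groups this wiki intends to trust with such rights.
EXPECTED_GROUPS = {"sysop", "steward"}

# Constructed sample shaped like a siteinfo usergroups response.
SAMPLE = json.loads("""
{"query": {"usergroups": [
  {"name": "*", "rights": ["read", "createaccount"]},
  {"name": "user", "rights": ["edit", "move"]},
  {"name": "sysop", "rights": ["delete", "editinterface", "edituserjs"]},
  {"name": "steward", "rights": ["userrights"]},
  {"name": "bannerbot", "rights": ["centralnotice-admin"]},
  {"name": "autoconfirmed", "rights": ["editsemiprotected", "edituserjs"]}
]}}
""")

def classify(rights):
    """Return (direct, indirect) JavaScript-capable rights from a rights list."""
    direct = sorted(r for r in rights
                    if r in DIRECT or r.startswith(DIRECT_PREFIXES))
    indirect = sorted(r for r in rights if r in INDIRECT)
    return direct, indirect

def audit(siteinfo, expected=EXPECTED_GROUPS):
    """List every group that can reach site or user JavaScript."""
    report = []
    for group in siteinfo["query"]["usergroups"]:
        direct, indirect = classify(group.get("rights", []))
        if direct or indirect:
            report.append({"group": group["name"], "direct": direct,
                           "indirect": indirect,
                           "review": group["name"] not in expected})
    return report

def groups_to_review(siteinfo, expected=EXPECTED_GROUPS):
    """Names of groups holding these rights that are not on the expected list."""
    return [r["group"] for r in audit(siteinfo, expected) if r["review"]]

if __name__ == "__main__":
    for row in audit(SAMPLE):
        print(row)
```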