On Tue, Sep 15, 2009 at 2:21 PM, Roan Kattouw roan.kattouw@gmail.com wrote:
This has been addressed on foundation-l already, but I'll make it extra clear here: all these vulnerabilities reported by these databases are only in there because we discovered, fixed and reported them first. The affected versions of MediaWiki range from old to stone-age.
That's not quite fair. We had a Special:Block XSS problem just two months ago:
https://bugzilla.wikimedia.org/show_bug.cgi?id=19693
XSS is our major problem, as with most web apps. It's hard to defend against comprehensively. Unlike some other web apps, we have almost no SQL injections, and MediaWiki XSS is typically impossible to elevate to arbitrary server-side code execution. So MediaWiki's security is pretty good but not perfect. Compare to WordPress, where if you don't keep up-to-date you can get your server taken over and used to send spam (this has been happening recently, I've heard). Not only is that worse for you, it's much more profitable for attackers, so you're likely to see more widespread automatic exploitation. I haven't heard of widespread exploitation of any MW security vulnerability, although it's possible it's happened. Fairly high-profile wikis like wikileaks.org are running extremely outdated software with multiple known vulnerabilities and seem not to have been hacked. (In the case of Wikileaks, it seems to be based on something around 1.9 or 1.10, although maybe they manually patched the known unpatched XSS in those.)
The most promising systematic XSS mitigation for the future looks to be client-side. Newer browsers are beginning to automatically try detecting whether HTML from GET parameters is being injected, and stop it if so. At least Chrome and IE have or are introducing something of this nature, IIRC. Mozilla's CSP is a more comprehensive way to address XSS, but much more difficult to use as well. It will be interesting to see if XSS eventually becomes a minor issue, but for now it's very hard for any big web app *not* to have some XSS vulnerabilities. You can only patch them as fast as possible when reported.
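As an added illustration of the browser-side heuristic described above (not code from this thread, nor from any browser's actual filter): a toy Python model that flags GET parameters whose markup-bearing value is echoed verbatim, rather than HTML-escaped, into the response body. The URL, parameter names and page body are constructed sample inputs; real filters work on the parsed token stream with many more rules.

```python
"""Toy model of a reflected-XSS filter: does a markup-like GET parameter
reappear unescaped in the response?  Constructed example, not a real
browser implementation."""
import html
import re
from urllib.parse import parse_qsl, quote, urlsplit

# Characters that can open markup when echoed into HTML without escaping.
MARKUP = re.compile(r"[<>\"']")


def reflected_unescaped(url: str, body: str, min_len: int = 8) -> list[str]:
    """Names of GET parameters whose value contains markup characters and
    occurs verbatim in `body`.  An escaped echo (&lt;b&gt;...) no longer
    contains the raw value, so it is not reported."""
    hits = []
    for name, value in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        if len(value) < min_len or not MARKUP.search(value):
            continue  # short or markup-free values never trigger
        if value in body:
            hits.append(name)  # raw value present: unescaped reflection
    return hits


def demo() -> list[str]:
    """Constructed request/response pair: the server escapes 'q' but
    echoes 'title' raw, so only 'title' should be reported."""
    q_val, title_val = "<b>q-value</b>", "<i>title-value</i>"
    url = ("https://wiki.example/index.php?q=" + quote(q_val)
           + "&title=" + quote(title_val))
    body = ("<html><body><h1>" + title_val + "</h1>"           # raw echo
            "<p>Results for " + html.escape(q_val) + "</p>"   # escaped echo
            "</body></html>")
    return reflected_unescaped(url, body)


if __name__ == "__main__":
    print(demo())  # ['title']
```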