On Tue, Sep 15, 2009 at 2:21 PM, Roan Kattouw <roan.kattouw(a)gmail.com> wrote:
> This has been addressed on foundation-l already, but I'll make it
> extra clear here: all these vulnerabilities reported by these databases
> are only in there because we discovered, fixed and reported them
> first. The affected versions of MediaWiki range from old to stone-age.
That's not quite fair. We had a Special:Block XSS problem just two months ago:
https://bugzilla.wikimedia.org/show_bug.cgi?id=19693
XSS is our major problem, as with most web apps. It's hard to defend
against comprehensively. Unlike some other web apps, we have almost
no SQL injections, and MediaWiki XSS is typically impossible to
elevate to arbitrary server-side code execution. So MediaWiki's
security is pretty good but not perfect. Compare to WordPress, where
if you don't keep up-to-date you can get your server taken over and
used to send spam (this has been happening recently, I've heard). Not
only is that worse for you, it's much more profitable for attackers,
so you're likely to see more widespread automatic exploitation. I
haven't heard of widespread exploitation of any MW security
vulnerability, although it's possible it's happened. Fairly
high-profile wikis like wikileaks.org are running extremely outdated
software with multiple known vulnerabilities and seem not to have been
hacked. (In the case of Wikileaks, it seems to be based on something
around 1.9 or 1.10, although maybe they manually patched the known
unpatched XSS in those.)
The most promising systematic XSS mitigation for the future looks to
be client-side. Newer browsers are beginning to automatically try
detecting whether HTML from GET parameters is being injected, and stop
it if so. At least Chrome and IE have or are introducing something of
this nature, IIRC. Mozilla's CSP is a more comprehensive way to
address XSS, but much more difficult to use as well. It will be
interesting to see if XSS eventually becomes a minor issue, but for
now it's very hard for any big web app *not* to have some XSS
vulnerabilities. You can only patch them as fast as possible when
reported.
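As an added illustration of the reflected-XSS scenario discussed above (a GET parameter echoed into HTML) and the two mitigations the message mentions (server-side escaping, and a client-side policy that refuses inline script), here is a small Python sketch. It is not MediaWiki code and does not come from the thread: the function names, the `user` parameter, the Special:Block-style URL, and the toy filter heuristic are all assumptions of this example, and the CSP header is written in the later standardized `Content-Security-Policy` syntax rather than Mozilla's 2009 experimental form.

```python
"""Reflected XSS from a GET parameter: a vulnerable render, the escaped
render, a toy version of a browser-side reflected-XSS filter, and a CSP
that forbids inline script.

Added example, not MediaWiki code.  All names here are hypothetical.
"""
import html
import re
from urllib.parse import parse_qsl, urlsplit


def render_vulnerable(username: str) -> str:
    # Interpolates the parameter straight into HTML, so any markup in the
    # value becomes part of the page.  This is the bug class under discussion.
    return f"<p>Blocking user: {username}</p>"


def render_escaped(username: str) -> str:
    # html.escape turns < > & " ' into entities, so markup in the value is
    # displayed as text instead of being parsed.  This is the server-side fix.
    return f"<p>Blocking user: {html.escape(username, quote=True)}</p>"


# Very rough "does this value look like markup" test: a tag, a javascript:
# URL, or an on*= event handler attribute.
MARKUP_RE = re.compile(
    r"<\s*/?\s*[a-z][^>]*>|javascript:|\bon[a-z]+\s*=", re.IGNORECASE
)


def reflected_xss_suspected(url: str, body: str) -> bool:
    """Toy heuristic in the spirit of the client-side reflected-XSS filters
    the message describes: flag the response if some query parameter value
    looks like markup AND appears verbatim in the response body.

    Real browser filters were far more elaborate (and had false positives and
    bypasses); this is only enough to show why output escaping defeats the
    match while an unescaped echo triggers it.
    """
    query = urlsplit(url).query
    for _name, value in parse_qsl(query, keep_blank_values=True):
        if MARKUP_RE.search(value) and value in body:
            return True
    return False


# A policy that only allows scripts loaded from the site's own origin.  An
# injected <script> block or onerror= handler does not run under it, but the
# site must move its own inline scripts into external files first, which is
# the "much more difficult to use" part of CSP.
CSP_HEADER = "Content-Security-Policy: default-src 'self'; script-src 'self'"


def csp_blocks_inline(header: str) -> bool:
    """Return True if this CSP header forbids inline script.

    Inline script is allowed only when the effective script source list
    (script-src, falling back to default-src) contains 'unsafe-inline'.
    Nonces and hashes are ignored here for simplicity.
    """
    policy = header.split(":", 1)[1]
    directives = {}
    for directive in policy.split(";"):
        parts = directive.split()
        if parts:
            directives[parts[0].lower()] = parts[1:]
    sources = directives.get("script-src", directives.get("default-src", []))
    return "'unsafe-inline'" not in sources


if __name__ == "__main__":
    # Constructed sample request: a block form echoing the "user" parameter.
    payload = "<script>alert(1)</script>"
    url = "https://example.org/w/index.php?title=Special:Block&user=" + payload
    print("vulnerable flagged:", reflected_xss_suspected(url, render_vulnerable(payload)))
    print("escaped flagged:   ", reflected_xss_suspected(url, render_escaped(payload)))
    print("CSP blocks inline: ", csp_blocks_inline(CSP_HEADER))
```

The two checks complement each other in the way the message sketches: `render_escaped` is the fix the application must ship, while the filter and the CSP are what a browser can do on the user's behalf when the application has not shipped it yet. The toy filter is deliberately naive; its point is only that an escaped echo no longer contains the attacker's bytes, so there is nothing for a reflection heuristic to match.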