This has been addressed on foundation-l already, but I'll make it extra clear here: all these vulnerabilities reported by these database are only in there because we discovered, fixed and reported them first. The affected versions of MediaWiki range from old to stone-age.

http://akahele.org/2009/09/false-sense-of-security/

Compare to WordPress, where if you don't keep up-to-date you can get your server taken over and used to send spam (this has been happening recently, I've heard). Not only is that worse for you, it's much more profitable for attackers, so you're likely to see more widespread automatic exploitation. I haven't heard of widespread exploitation of any MW security vulnerability, although it's possible it's happened.

There are. You didn't want us to describe them in our article, did you?

On Tue, Sep 15, 2009 at 7:17 PM, Andrew Garrett <agarrett(a)wikimedia.org>wrote;wrote: If you want to offer some sort of bounty program, then maybe.  Otherwise, no thanks. _______________________________________________ Wikitech-l mailing list Wikitech-l(a)lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/wikitech-l

On Tue, Sep 15, 2009 at 7:33 PM, Chad <innocentkiller(a)gmail.com> wrote: I'm not sure where you got the statistics for that statement, but hey, you should publicize it.  "Mediawiki - more than half of discovered vulnerabilities are fixed!"

On Tue, Sep 15, 2009 at 4:40 PM, Anthony <wikimail(a)inbox.org> wrote: you Anthony, that was uncalled for. Nobody has suggested that identified bugs aren't fixed.

Nobody has suggested that reported bugs aren't fixed.

aware of, but if you claim to have any interest in the Wikimedia / Wikipedia communities you should have a moral responsibility to do so.

offer bug bounties - that's normal. Asking open source developers for bounties is not moral or ethical - there's no fee for using the software, why ask for a fee for helping improve it by reporting bugs?

should just drop off the project membership emails and find something else to do - someone sitting here on these lists taunting "I know about bugs that you don't", if persistent, would be a gross violation of etiquette.

On Tue, Sep 15, 2009 at 7:33 PM, Chad <innocentkiller(a)gmail.com> wrote: I'm not sure where you got the statistics for that statement, but hey, you should publicize it.  "Mediawiki - more than half of discovered vulnerabilities are fixed!" _______________________________________________ Wikitech-l mailing list Wikitech-l(a)lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/wikitech-l

On Tue, Sep 15, 2009 at 7:17 PM, Andrew Garrett <agarrett(a)wikimedia.org>wrote;wrote: If you want to offer some sort of bounty program, then maybe.  Otherwise, no thanks.

On Tue, Sep 15, 2009 at 6:40 PM, Anthony <wikimail(a)inbox.org> wrote: All nontrivial software has unknown security vulnerabilities.

It should be noted, though, that actual demonstrated risk is probably more important to users than theoretical patch response times. For whatever reason, attacks on MediaWiki seem to be comparatively rare.

I would be interested in hearing of any real-world attacks anyone knows of -- there must have been *some*, but I've never heard of one.

On Wed, Sep 16, 2009 at 11:29 AM, Anthony <wikimail(a)inbox.org> wrote: That shouldn't work if MediaWiki is configured with a correct list of trusted proxies.

We were checking $_SERVER['X_FORWARDED_FOR'], which reads the X- Forwarded-For header. Unfortunately, it could be overridden by sending an X_Forwarded_For header. We resolved it by using the apache-specific header retrieval functions instead of PHP's broken internal implementation.

 On Tue, Sep 15, 2009 at 1:38 PM, Gregory Kohs &lt;thekohser(a)gmail.com&gt; wrote: My favorite part of that article: "Even the open source MediaWiki software has more than its fair share of security vulnerabilities."  As written, this suggests that there are unpatched security vulnerabilities; I can only assume the author meant that the software has _had_ more than its share of vulnerabilities.  Even still, that seems like a made-up claim: I suspect that a quantitative study would show that MediaWiki has actually had fewer security vulnerabilities than comparable software (and that's not even counting the disparity in severity/exploitability that Aryeh notes). WordPress, for instane, has 183 entries on the NVD; phpBB has 240. (Analysis using the NVD is somewhat unfair, since it seems to make no distinction between the core software and extensions or derivatives.  It's also unclear how comprehensive the NVD is, given that they don't have an entry for the XSS vulnerability Aryeh mentioned.) Beyond that, I think the article misses the point of open source as regards security.  Open source development doesn't automatically prevent holes from appearing (though it can, since code will have more eyes on it before it's deployed); it makes it easier to identify and patch them.  Of course, it would be difficult to compare the number of vulnerabilities in open-source software to that in closed-source software, since open-source software developers usually try to publicize vulnerabilities as much as possible, while closed-source software developers usually want to avoid disclosing vulnerabilities.  On Tue, Sep 15, 2009 at 5:12 PM, Aryeh Gregor < Simetrical+wikilist(a)gmail.com &lt;Simetrical%2Bwikilist(a)gmail.com&gt;&gt; wrote: I haven't even heard of _isolated_ exploitation of MediaWiki security holes, let alone anything widespread.  Aren't most MW vulnerabilities discovered through audits, code review, or third-party reporting, rather than demonstrated exploitation? _______________________________________________ Wikitech-l mailing list Wikitech-l(a)lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/wikitech-l