[MediaWiki-l] Security warning for SimpleSecurity extension.

Brian Wolff bwolff at wikimedia.org
Wed Jul 19 03:45:27 UTC 2017


Hello Everyone.

This is an advisory that the SimpleSecurity extension has unfixed
security issues, and that people relying on it should consider moving
to a different solution.

The extension does not take caching into consideration, and is not
secure when $wgMainCacheType is something other than CACHE_NONE. We
received a bug report about this quite a long time ago; however, it
appears nobody is maintaining the extension, and we were unable to
find anyone to forward the report to who was interested in fixing
the issue. So instead we are making the issue public and issuing
this warning about it.

The issue in question is https://phabricator.wikimedia.org/T48843
The extension in question is
https://www.mediawiki.org/wiki/Extension:SimpleSecurity

Sincerely,

Brian Wolff
Wikimedia Security Team

P.S. This is the first time I've ever written a warning like this
for an extension. In the past, we've just put security alerts on
the extension page or sometimes just ignored them (which I consider bad).
I would like feedback from mediawiki-l if people on this list appreciate
getting a notice like this, or if you folks consider it off topic.
Any other feedback about how we handle security issues reported to
us for extensions we do not make or maintain is also appreciated.
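
Added example, not part of the original message and not code from MediaWiki or the extension: a small audit that reads a LocalSettings.php and reports whether a wiki matches the condition in the advisory (SimpleSecurity loaded while $wgMainCacheType is set to something other than CACHE_NONE). It assumes that any non-comment line mentioning "SimpleSecurity" means the extension is loaded, and that an unset $wgMainCacheType means the CACHE_NONE default; the sample files and function names are constructed for illustration.

```python
import re

# Constructed LocalSettings.php fragments (not taken from any real wiki).
SAMPLE_EXPOSED = '''<?php
# $wgMainCacheType = CACHE_NONE;
$wgMainCacheType = CACHE_MEMCACHED;
require_once "$IP/extensions/SimpleSecurity/SimpleSecurity.php";
'''
SAMPLE_DEFAULT = '''<?php
require_once "$IP/extensions/SimpleSecurity/SimpleSecurity.php";
'''
SAMPLE_ABSENT = '''<?php
$wgMainCacheType = CACHE_ACCEL;
// require_once "$IP/extensions/SimpleSecurity/SimpleSecurity.php";
'''


def strip_comments(php):
    """Drop /* ... */ blocks and whole-line # or // comments.

    This is a rough approximation of PHP comment syntax, good enough for
    typical LocalSettings.php files; it does not handle trailing comments.
    """
    php = re.sub(r"/\*.*?\*/", "", php, flags=re.S)
    return "\n".join(line for line in php.splitlines()
                     if not re.match(r"\s*(#|//)", line))


def audit(php):
    """Classify a LocalSettings.php text against the advisory's condition."""
    code = strip_comments(php)
    # Assumption: any live reference to the extension name means it is loaded.
    if "SimpleSecurity" not in code:
        return "not-loaded"
    # The last assignment wins, as it would when PHP executes the file.
    values = re.findall(r"\$wgMainCacheType\s*=\s*([^;]+);", code)
    cache = values[-1].strip() if values else "CACHE_NONE"
    if cache == "CACHE_NONE":
        # The advisory still recommends moving to a different solution.
        return "loaded-cache-none"
    # Anything else (including values this script cannot interpret) is flagged.
    return "loaded-with-cache:" + cache


if __name__ == "__main__":
    for name in ("SAMPLE_EXPOSED", "SAMPLE_DEFAULT", "SAMPLE_ABSENT"):
        print(name, "->", audit(globals()[name]))
```

To check a real wiki, pass the contents of its LocalSettings.php to audit(); files pulled in by include or require are not followed.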


