Wikimedia Security Team/Check/iSEC Assessment 2014

From mediawiki.org

During December 2014, iSEC Partners performed an audit of MediaWiki and some WMF infrastructure, in an assessment sponsored by the Open Technology Fund.

Full report: https://github.com/iSECPartners/publications/raw/master/reports/iSEC_Wikimedia.pdf

Summary of issues and remediation

| Issue | Severity | Response | Notes |
|---|---|---|---|
| Reflected XSS in api.php (iSEC-WMF1214-8) | High | task T85851 (fixed) | |
| External reference in SVG (iSEC-WMF1214-3) | High | task T85349 (fixed) | |
| Stored XSS in uploaded SVG files (iSEC-WMF1214-11) | Medium | task T85850 (fixed) | |
| Entity expansion in SVG and XMP metadata (iSEC-WMF1214-13) | Medium | task T85848 (fixed) | |
| Lack of upper limit on password length allows DoS (iSEC-WMF1214-1) | Medium | task T64685 (fixed) | |
| External references in downloaded PDF files (iSEC-WMF1214-15) | Medium | task T89744 (fixed publicly in task T89765) | This issue and iSEC-WMF1214-14 both require the user to download the PDF file and then open it in a PDF reader with insecure settings. The JavaScript execution does not have same-origin access to the wiki; it is limited to the local origin. |
| Stored "XSS" in downloaded PDF files (iSEC-WMF1214-14) | Medium | task T89745 (fixed publicly in task T89765) | See the note on iSEC-WMF1214-15. |
| Custom JavaScript may yield privilege escalation (iSEC-WMF1214-10) | Medium | task T85855 (fixed) | |
| Weak password policy (iSEC-WMF1214-2) | Medium | Passwords RFC, T94774 | We believe this is mitigated slightly on WMF wikis through security awareness for highly privileged accounts, but group-based password policies are being prioritized. |
| Lack of registry lock on domain names (iSEC-WMF1214-5) | Medium | task T85905 (Declined) | Locking is not available for .org domains. |
| Users can inspect each other's personal JavaScript (iSEC-WMF1214-7) | Low | task T85856 | Due to the high user impact and low severity of the issue, this will be addressed publicly, or we may accept the risk. |
| Check User page lacks Cross Site Request Forgery (CSRF) protection (iSEC-WMF1214-6) | Low | task T85858 (fixed) | |
| User access roles are public (iSEC-WMF1214-12) | Info | task T85860 (Declined) | This functionality is critical to the community; we accept the risk as a cost of having transparency. |
| RC4 cipher enabled (iSEC-WMF1214-4) | Info | gerrit:178555 (merged) | |