
Topic on Extension talk:WikiForum

Will the security issues be addressed?

SungHerSong

I really like this extension and would like to re-add it to my project to re-create our original wiki's forums (Wetpaint/Wikifoundry hosted) which in many ways acted as our original talk pages.

Is anybody planning to resolve the security issues? Or should I start considering other options?

Jack Phoenix

I posted a patch for testing on the currently non-public Phabricator ticket about a couple weeks ago. Nobody's commented on it so far, so if no-one comments on it and points out obvious issues (not that I saw any, but it's been a while since I actually worked on it), I'll probably just commit it and +2 it myself by the end of the year or so.

That said, the issues aren't really that big. An actual security engineer told me once that CSRF issues aren't much of a big deal with modern browsers anymore and the "XSS" possibility is basically "some messages accept raw HTML (but they probably shouldn't)" — problematic if and when you don't trust the people with the wikiforum-admin user right, but if you do trust the users with that right, then it's unlikely to be an issue. Really, it's like with the editinterface user right in general: be careful about who you hand it out to and you'll be fine.

Pspviwki

I would really like to install a forum but any security issue is a show-stopper. As a developer you can do your own penetration testing on your installation using zaproxy https://www.zaproxy.org/

Response from Phabricator may take a few years, they have limited capacity.
