Wikimedia Security Team/Check/iSEC Assessment 2014
During December 2014, iSEC Partners performed an audit of MediaWiki and some WMF infrastructure, in an assessment sponsored by the Open Technology Fund.
Full report: https://github.com/iSECPartners/publications/raw/master/reports/iSEC_Wikimedia.pdf
Summary of issues and remediation
Issue | Severity | Response | Notes |
---|---|---|---|
Reflected XSS in api.php (iSEC-WMF1214-8) | High | task T85851 (fixed) | |
External reference in SVG (iSEC-WMF1214-3) | High | task T85349 (fixed) | |
Stored XSS in uploaded SVG files (iSEC-WMF1214-11) | Medium | task T85850 (fixed) | |
Entity expansion in SVG and XMP Metadata (iSEC-WMF1214-13) | Medium | task T85848 (fixed) | |
Lack of upper limit on password length allows DoS (iSEC-WMF1214-1) | Medium | task T64685 (fixed) | |
External references in downloaded PDF files (iSEC-WMF1214-15) | Medium | task T89744 (fixed publicly in task T89765) | Both issues require the user to download the PDF file and then open it in a PDF reader with insecure settings. The JavaScript execution does not have same-origin access to the wiki; it is limited to the local origin. |
Stored "XSS" in downloaded PDF files (iSEC-WMF1214-14) | Medium | task T89745 (fixed publicly in task T89765) | |
Custom JavaScript may yield privilege escalation (iSEC-WMF1214-10) | Medium | task T85855 (fixed) | |
Weak password policy (iSEC-WMF1214-2) | Medium | Passwords RFC, T94774 | We believe this is mitigated slightly on WMF wikis through security awareness for highly privileged accounts, but group-based password policies are being prioritized. |
Lack of registry lock on domain names (iSEC-WMF1214-5) | Medium | task T85905 (Declined) | Locking is not available for .org domains. |
Users can inspect each other's personal JavaScript (iSEC-WMF1214-7) | Low | task T85856 | Due to the high user impact and low severity of the issue, this will be addressed publicly, or we may accept the risk. |
Check User page lacks Cross Site Request Forgery (CSRF) protection (iSEC-WMF1214-6) | Low | task T85858 (fixed) | |
User access roles are public (iSEC-WMF1214-12) | Info | task T85860 (Declined) | This functionality is critical to the community; we accept the risk as the cost of transparency. |
RC4 cipher enabled (iSEC-WMF1214-4) | Info | gerrit:178555 (merged) | |