
Password Reset interface @ diff.wikimedia.org is insecure
Closed, ResolvedPublicSecurity

Description

As seen in the screenshot, this page is loading something insecure.

I think it is this HTML stuff, but not sure.

<link rel="icon" href="http://diff.wikimedia.org/wp-content/uploads/2020/07/cropped-1024px-Wikimedia-logo.svg_.png?w=32" sizes="32x32">
<link rel="icon" href="http://diff.wikimedia.org/wp-content/uploads/2020/07/cropped-1024px-Wikimedia-logo.svg_.png?w=192" sizes="192x192">
<link rel="apple-touch-icon" href="http://diff.wikimedia.org/wp-content/uploads/2020/07/cropped-1024px-Wikimedia-logo.svg_.png?w=180">
<meta name="msapplication-TileImage" content="http://diff.wikimedia.org/wp-content/uploads/2020/07/cropped-1024px-Wikimedia-logo.svg_.png?w=270">
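To find tags like these before a browser drops the padlock, here is an added example (not from this task or from Wikimedia's own tooling) that parses a page for subresources fetched over plain http and classifies each as passive or active mixed content. The sample HTML is constructed from the four tags above plus a few extra tags for contrast, and the tag/attribute table is an assumed practical subset, not the full browser fetch spec.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: the four tags from the report plus extra tags for contrast.
SAMPLE_HTML = """
<link rel="icon" href="http://diff.wikimedia.org/wp-content/uploads/2020/07/cropped-1024px-Wikimedia-logo.svg_.png?w=32" sizes="32x32">
<link rel="icon" href="http://diff.wikimedia.org/wp-content/uploads/2020/07/cropped-1024px-Wikimedia-logo.svg_.png?w=192" sizes="192x192">
<link rel="apple-touch-icon" href="http://diff.wikimedia.org/wp-content/uploads/2020/07/cropped-1024px-Wikimedia-logo.svg_.png?w=180">
<meta name="msapplication-TileImage" content="http://diff.wikimedia.org/wp-content/uploads/2020/07/cropped-1024px-Wikimedia-logo.svg_.png?w=270">
<meta name="viewport" content="width=device-width">
<img src="/wp-content/uploads/example.png">
<link rel="stylesheet" href="https://diff.wikimedia.org/wp-content/themes/example.css">
<script src="http://cdn.example.invalid/widget.js"></script>
"""
# Tag -> attributes that make the browser fetch a subresource (assumed practical subset).
URL_ATTRS = {
    "link": ("href",), "meta": ("content",), "img": ("src",), "script": ("src",),
    "iframe": ("src",), "audio": ("src",), "video": ("src", "poster"), "source": ("src",),
}
# Plain-http loads of these are *active* mixed content (browsers block them); images,
# icons and media are *passive* (browsers warn and drop the padlock, as in this task).
ACTIVE_TAGS = {"script", "iframe"}

class MixedContentScanner(HTMLParser):
    """Collects (tag, attribute, url, kind) for every subresource fetched over http://."""
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)  # HTMLParser lowercases tag and attribute names for us
        for name in URL_ATTRS.get(tag, ()):
            value = (attrs.get(name) or "").strip()
            if urlparse(value).scheme.lower() != "http":
                continue  # https, relative, data: and non-URL values are not mixed content
            stylesheet = tag == "link" and "stylesheet" in (attrs.get("rel") or "").lower()
            kind = "active" if tag in ACTIVE_TAGS or stylesheet else "passive"
            self.findings.append((tag, name, value, kind))

def scan_mixed_content(html):
    parser = MixedContentScanner()
    parser.feed(html)
    parser.close()
    return parser.findings

def to_https(url):
    """The usual fix: rewrite the scheme, valid when the host already serves TLS."""
    return "https://" + url[len("http://"):] if url.lower().startswith("http://") else url

if __name__ == "__main__":
    for tag, attr, url, kind in scan_mixed_content(SAMPLE_HTML):
        print(f"{kind:7} <{tag} {attr}> {url} -> {to_https(url)}")
```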

Details

Author Affiliation
Wikimedia Communities

Event Timeline

Restricted Application added a subscriber: Aklapper.
revi moved this task from Incoming to Radar on the User-revi board.

It might not be just password reset: I see an insecure content warning everywhere in wp-admin.php, but not on the actual blog.

(Screenshots attached: wp-admin.php, reader area)

Hey @revi would you mind checking again? I think @CKoerner_WMF resolved these this morning.

sbassett claimed this task.
sbassett triaged this task as Low priority.
sbassett moved this task from Incoming to Our Part Is Done on the Security-Team board.
sbassett added a subscriber: sbassett.

This looks to be fixed as far as I can tell. Resolving for now.

sbassett reopened this task as Open. Edited Jul 20 2020, 3:45 PM
sbassett raised the priority of this task from Low to Medium.
sbassett moved this task from Our Part Is Done to Watching on the Security-Team board.
sbassett added subscribers: Qgil, CKoerner_WMF.

Well, missingpadlock.com is still listing 23 passive mixed content issues :/ I'll re-open/triage this and add some folks.

Paste of passive mixed content: P11965

There was a configuration that was set for the first few days of Diff where images weren't being loaded over http. That's fixed now, so going forward it shouldn't be an issue. I fixed as many issues as I could.

@CKoerner_WMF If you run the site through missingpadlock.com it reports 11 passive mixed content issues (all look like images loaded via http). That should be pretty quick to fix I would think.

Also looks like 119 broken links but that's more of a content issue than a security issue.

I still see a few left, on some really old posts... Looks like there is some thumbnail/lightbox function that was maybe removed? I would just delete those links altogether. That content is pretty long in the tooth.

I don't think I let the scan run to completion before claiming they were all taken care of. I updated the pages @JFishback_WMF mentioned and re-ran a scan.

sbassett changed the visibility from "Custom Policy" to "Public (No Login Required)".