Page MenuHomePhabricator
Create Task
Maniphest T258129

Password Reset interface @ diff.wikimedia.org is insecure
Closed, ResolvedPublicSecurity
Actions

Assigned To
JFishback_WMF
Authored By
revi
Jul 16 2020, 5:14 AM
Tags
Referenced Files
F31963272: Screen Shot 2020-08-04 at 12.51.21 PM.png
Aug 4 2020, 5:52 PM
F31952315: Screenshot from 2020-07-28 14-07-34.png
Jul 28 2020, 9:13 PM
F31936804: image.png
Jul 16 2020, 5:23 AM
F31936805: image.png
Jul 16 2020, 5:23 AM
F31936798: image.png
Jul 16 2020, 5:14 AM
Subscribers
Aklapper
CKoerner_WMF
JFishback_WMF
Qgil
revi
sbassett

Description

As seen in the screenshot, this page is loading something insecure.

image.png (1×2 px, 270 KB)

I think it is these HTML stuff, but not sure.

<link rel="icon" href="http://diff.wikimedia.org/wp-content/uploads/2020/07/cropped-1024px-Wikimedia-logo.svg_.png?w=32" sizes="32x32">
<link rel="icon" href="http://diff.wikimedia.org/wp-content/uploads/2020/07/cropped-1024px-Wikimedia-logo.svg_.png?w=192" sizes="192x192">
<link rel="apple-touch-icon" href="http://diff.wikimedia.org/wp-content/uploads/2020/07/cropped-1024px-Wikimedia-logo.svg_.png?w=180">
<meta name="msapplication-TileImage" content="http://diff.wikimedia.org/wp-content/uploads/2020/07/cropped-1024px-Wikimedia-logo.svg_.png?w=270">

Details

Author Affiliation
Wikimedia Communities

Related Objects

Event Timeline

revi created this task.Jul 16 2020, 5:14 AM
Restricted Application added a project: User-revi. · View Herald TranscriptJul 16 2020, 5:14 AM
Restricted Application added a subscriber: Aklapper. · View Herald Transcript
revi added a project: Diff-blog.Jul 16 2020, 5:14 AM
revi moved this task from Incoming to Radar on the User-revi board.
revi added a comment.Jul 16 2020, 5:23 AM

It might not be just password reset: I see insecure content warning on everywhere in wp-admin.php, but not on the actual blog.

wp-admin.phpreader area
image.png (1×2 px, 342 KB)
image.png (1×2 px, 2 MB)
JFishback_WMF subscribed.Jul 16 2020, 6:57 PM

Hey @revi would you mind checking again? I think @CKoerner_WMF resolved these this morning.

sbassett closed this task as Resolved.Jul 20 2020, 3:31 PM
sbassett claimed this task.
sbassett triaged this task as Low priority.
sbassett moved this task from Incoming to Our Part Is Done on the Security-Team board.
sbassett subscribed.

This looks to be fixed as far as I can tell. Resolving for now.

sbassett reopened this task as Open.EditedJul 20 2020, 3:45 PM
sbassett raised the priority of this task from Low to Medium.
sbassett moved this task from Our Part Is Done to Watching on the Security-Team board.
sbassett added subscribers: Qgil, CKoerner_WMF.

Well, missingpadlock.com is still listing 23 passive mixed content issues :/ I'll re-open/triage this and add some folks.

Paste of passive mixed content: P11965

CKoerner_WMF added a comment.Jul 24 2020, 8:56 PM

There was a configuration that was set for the first few days of Diff where images weren't being loaded over http. That's fixed now, so going forward it shouldn't be an issue. I fixed as many issues as I could.

JFishback_WMF added a comment.Jul 24 2020, 9:18 PM

@CKoerner_WMF If you run the site through missingpadlock.com it reports 11 passive mixed content issues (all look like images loaded via http). That should be pretty quick to fix I would think.

Also looks like 119 broken links but that's more of a content issue than a security issue.

CKoerner_WMF added a comment.Jul 27 2020, 6:56 PM

I think I have them all now? :)

JFishback_WMF added a comment.Jul 28 2020, 9:13 PM

I still see a few left, on some really old posts... Looks like there is some thumbnail/lightbox function that was maybe removed? I would just delete those links altogether. That content is pretty long in the tooth.

Screenshot from 2020-07-28 14-07-34.png (468×1 px, 90 KB)

sbassett mentioned this in T254628: Security Readiness Review For Diff (diff.wikimedia.org).Jul 29 2020, 4:11 PM
CKoerner_WMF added a comment.Aug 4 2020, 5:52 PM

I don't think I let the scan run to completion before claiming they were all taken care of. I updated the pages @JFishback_WMF mentioned and re-ran a scan.

Screen Shot 2020-08-04 at 12.51.21 PM.png (1×2 px, 964 KB)

CKoerner_WMF moved this task from Backlog to In Progress on the Diff-blog board.Sep 2 2020, 9:17 PM
sbassett reassigned this task from sbassett to JFishback_WMF.Oct 5 2020, 2:05 PM
sbassett edited projects, added Privacy Engineering; removed Security-Team.
JFishback_WMF closed this task as Resolved.Oct 5 2020, 3:14 PM
sbassett moved this task from Incoming to Completed on the Privacy Engineering board.Oct 5 2020, 3:20 PM
sbassett changed the visibility from "Custom Policy" to "Public (No Login Required)".
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits