
Disable Include extension
Closed, Resolved, Public

Description

I've discovered that this old extension is activated in Wikimini after someone used it to include an iframe with the log out page to troll users.
This extension causes a great security risk and should be disabled ASAP, or at least verified and properly configured.

If disabling, we will have to check its current usage − perhaps we can replace it with better extensions.


Event Timeline

Raphoraph triaged this task as Unbreak Now! priority.
Raphoraph updated the task description.

include an iframe with the log out page to troll users

Currently the wiki uses EOL version 1.28.0, which is prone to T25227: Use token when logging out. In newer versions it is safe to include an iframe with the log out page. (This does not mean XSS is not an issue; it is still a severe issue.)

Yes, you're right, this troll in particular will be resolved later. It's however still active here, and moreover the extension does not inspire trust in me at all^^

Hi!

This extension is being used to include both the picture of the day and quote of the day, as you can see here for example:

https://fr.wikimini.org/wiki/Wikimini:Enfants_et_ados?action=edit

As far as I remember, when the extension was installed, it had been configured to only allow html and txt files inclusion, and from the same server (no external sources allowed).

As I see in the code, it seems that the noesc feature is enabled, which is not good news :/

Uncontrolled iframes are also bad: even though it is separated from the current page, it permits someone to do bad things on other sites − or even on Wikimini, as we saw.

When recovering access to the server I will check how the quotes / picture of the day system works; I'm sure that we can change it to a safe system on the website :-)

@Lorangeo the problem is that allowing HTML is already an issue, since it permits running scripts :/ TXT files are also an issue if the extension does not escape them.
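To make the concerns raised in this thread concrete (same-server-only sources, a txt/html allowlist, and the unescaped "noesc" path), here is an added Python illustration of the checks a safe include helper would apply. It is not the Include extension's code; `render_include`, `IncludeRejected`, `ALLOWED_SUFFIXES` and the sample files are constructed for this example, and HTML is deliberately left out of the allowlist because, as noted above, it lets scripts through.

```python
import html
import tempfile
from pathlib import Path

# Assumption for this example: only plain text may be included; HTML is refused outright.
ALLOWED_SUFFIXES = {".txt"}


class IncludeRejected(Exception):
    """Raised when a requested include source fails a safety check."""


def resolve_include(src: str, base_dir: Path) -> Path:
    """Accept only a local file under base_dir: no URLs, no traversal, allowlisted suffix."""
    if "://" in src or src.startswith("//"):
        raise IncludeRejected("remote sources are not allowed")
    base = base_dir.resolve()
    target = (base / src).resolve()          # an absolute src replaces base, resolve() exposes that
    if base not in target.parents:           # blocks ../ traversal and absolute paths
        raise IncludeRejected("path escapes the include directory")
    if target.suffix.lower() not in ALLOWED_SUFFIXES:
        raise IncludeRejected(f"suffix {target.suffix!r} not allowed")
    return target


def render_include(src: str, base_dir: Path, noesc: bool = False) -> str:
    """Return the included file as page-safe text; noesc=True mirrors the unescaped behaviour."""
    content = resolve_include(src, base_dir).read_text(encoding="utf-8")
    if noesc:
        return content                       # raw text becomes live markup on the page
    return html.escape(content, quote=True)  # tags and quotes become inert entities


def demo() -> dict:
    """Build a constructed sample include directory and run each check over it."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp) / "includes"
        base.mkdir()
        (base / "quote.txt").write_text("Carpe diem <script>alert('troll')</script>", encoding="utf-8")
        (base / "potd.html").write_text("<p>picture of the day</p>", encoding="utf-8")
        results = {
            "escaped": render_include("quote.txt", base),
            "noesc": render_include("quote.txt", base, noesc=True),
        }
        for src in ("potd.html", "../secret.txt", "https://example.invalid/x.txt"):
            try:
                render_include(src, base)
                results[src] = "accepted"
            except IncludeRejected as exc:
                results[src] = f"rejected: {exc}"
        return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```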

Raphoraph lowered the priority of this task from Unbreak Now! to High. Mar 3 2023, 3:21 AM

Disabled the extension, now need to fix image of the day system.