Maniphest T85862

Make iSec assessment public
Closed, ResolvedPublic
Actions

Assigned To

Authored By

	• csteipp
	Jan 5 2015, 9:27 PM

Tags

Referenced Files

None

Subscribers

Description

Part of the WMF's commitment for having the OTF sponsor the assessment of MediaWiki by iSec Partners was that we will make the report public.

I'd like to do this by mid-feb.

Related Objects
Search...

		Status	Subtype	Assigned	Task
		Resolved		• csteipp	T88120 Release MW 1.24.2 and 1.23.9 tarballs
		Resolved		• csteipp	T85862 Make iSec assessment public
		Declined		• csteipp	T85860 User access roles are public
		Resolved		• csteipp	T85858 Check User page lacks CSRF protection
		Resolved		Bawolff	T85856 Add warning to user Javascript files, warning the contents is public
		Resolved		• csteipp	T85855 Custom JavaScript may yield privilege escalation
		Resolved		• csteipp	T85851 Reflected XSS in api.php using wddx formatting
		Resolved		• csteipp	T85850 Stored XSS in SVG via embedded SVG
		Resolved		• csteipp	T85848 Billion Laughs attack in SVG and XMP Metadata
		Resolved		• csteipp	T88310 xml_parse doesn't expand internal entities sometimes
		Resolved		Parent5446	T85349 SVG @import style validation bypass
		Resolved		Parent5446	T64685 Extremely large passwords as DoS
					Restricted Task
		Resolved		• csteipp	T89744 External reference in PDF
		Resolved		• csteipp	T89745 Stored XSS in PDF files

Event Timeline

• csteipp created this task.Jan 5 2015, 9:27 PM

• csteipp claimed this task.

• csteipp raised the priority of this task from to Needs Triage.

• csteipp updated the task description. (Show Details)

• csteipp added a project: acl*security.

• csteipp changed Security from None to Software security bug.

• csteipp subscribed.

Restricted Application changed the visibility from "Public (No Login Required)" to "Custom Policy". · View Herald TranscriptJan 5 2015, 9:27 PM

Restricted Application changed the edit policy from "All Users" to "Custom Policy". · View Herald Transcript

• csteipp added subtasks: T85860: User access roles are public, T85858: Check User page lacks CSRF protection, T85856: Add warning to user Javascript files, warning the contents is public, T85855: Custom JavaScript may yield privilege escalation, T85851: Reflected XSS in api.php using wddx formatting, T85850: Stored XSS in SVG via embedded SVG, T85848: Billion Laughs attack in SVG and XMP Metadata, T85349: SVG @import style validation bypass, T64685: Extremely large passwords as DoS.Jan 5 2015, 9:28 PM

Parent5446 subscribed.Jan 5 2015, 11:15 PM

matmarex subscribed.Jan 6 2015, 12:59 AM

• csteipp closed subtask T85860: User access roles are public as Declined.Jan 9 2015, 12:42 AM

Restricted Application changed the visibility from "Custom Policy" to "Custom Policy". · View Herald TranscriptJan 9 2015, 12:42 AM

Restricted Application changed the edit policy from "Custom Policy" to "Custom Policy". · View Herald Transcript

• csteipp added a subtask: Restricted Task.Jan 14 2015, 12:29 AM

Restricted Application changed the visibility from "Custom Policy" to "Custom Policy". · View Herald TranscriptJan 14 2015, 12:29 AM

Restricted Application changed the edit policy from "Custom Policy" to "Custom Policy". · View Herald Transcript

• csteipp closed subtask T85850: Stored XSS in SVG via embedded SVG as Resolved.Jan 20 2015, 11:11 PM

• csteipp closed subtask T85858: Check User page lacks CSRF protection as Resolved.

• csteipp closed subtask T85349: SVG @import style validation bypass as Resolved.

• csteipp closed subtask T64685: Extremely large passwords as DoS as Resolved.Jan 23 2015, 8:10 PM

• csteipp reopened subtask T85850: Stored XSS in SVG via embedded SVG as Open.Jan 28 2015, 12:26 AM

faidon closed subtask Restricted Task as Declined.Jan 28 2015, 9:51 PM

greg added a parent task: T88120: Release MW 1.24.2 and 1.23.9 tarballs.Jan 30 2015, 6:00 PM

iSec added the issues that are now T89744 and T89745 when they finalized their version of the report last week.

• csteipp closed subtask T85850: Stored XSS in SVG via embedded SVG as Resolved.Feb 17 2015, 11:56 PM

• csteipp closed subtask T85855: Custom JavaScript may yield privilege escalation as Resolved.Feb 18 2015, 1:12 AM

• csteipp closed subtask T85848: Billion Laughs attack in SVG and XMP Metadata as Resolved.Mar 17 2015, 11:33 PM

• csteipp closed subtask T85851: Reflected XSS in api.php using wddx formatting as Resolved.Mar 28 2015, 5:27 AM

Krenair mentioned this in T87275: MediaWiki Security release 1.24.2.Apr 3 2015, 11:19 PM

• csteipp closed subtask T89744: External reference in PDF as Resolved.Apr 20 2015, 5:20 PM

• csteipp closed subtask T89745: Stored XSS in PDF files as Resolved.

• csteipp closed this task as Resolved.Apr 21 2015, 4:44 PM

• csteipp changed the visibility from "Custom Policy" to "Public (No Login Required)".

• csteipp changed the edit policy from "Custom Policy" to "All Users".

• csteipp changed Security from Software security bug to None.

Ricordisamoa subscribed.Apr 21 2015, 9:07 PM

• csteipp edited projects, added Security-Team; removed acl*security.May 6 2015, 11:56 PM

Bawolff closed subtask T85856: Add warning to user Javascript files, warning the contents is public as Resolved.Feb 3 2017, 9:00 AM

sbassett moved this task from Incoming to Our Part Is Done on the Security-Team board.Jun 11 2019, 7:20 PM