
Thu, Sep 12

sbassett added a comment to T203129: Define Suppress grants.

Some thoughts:

Thu, Sep 12, 8:14 PM · Core Platform Team, Trust-and-Safety, Privacy, Security-Team, WMF-Legal, User-Rxy, Patch-For-Review, MediaWiki-General
sbassett changed the visibility for T232697: Wikimedia documentation unavailable: js blocked due to CSP.
Thu, Sep 12, 3:22 PM · User-Rxy, Patch-For-Review, Documentation, Security
sbassett added a comment to T232697: Wikimedia documentation unavailable: js blocked due to CSP.

Is there a reason that this task should remain non-public? Duplicate https://phabricator.wikimedia.org/T232704 is also public.

Thu, Sep 12, 3:22 PM · User-Rxy, Patch-For-Review, Documentation, Security
sbassett added a comment to T227209: Security Review For Parsoid-PHP.

Thanks! That sounds good. Should I rebase the security branch with latest changes to master?

Thu, Sep 12, 3:16 PM · Restricted Project, Parsoid-PHP, Security-Team-Reviews

Wed, Sep 11

sbassett added a comment to T230304: Ongoing spambot attack 2019-08-{10,11,.*}.

Given that this still appears to be the most recent spambot attack task, I thought I'd provide a small update here. I wrote some python that generates basic stats on new account creations and whether or not IPs associated with those users (as found within logstash) appear within StopForumSpam's various blacklists. Here are some of the results for some of the recent, affected projects (e.g. T227416#5348535 etc):

Wed, Sep 11, 10:50 PM · User-Urbanecm, Wikimedia-General-or-Unknown, Security
sbassett added a comment to T227209: Security Review For Parsoid-PHP.

Update: @Reedy and I are having a look at this and T230140 and should have some reports soon. We're going to timebox to maybe two weeks or so - hopefully that doesn't push back too much on any targeted deployment dates.

Wed, Sep 11, 9:56 PM · Restricted Project, Parsoid-PHP, Security-Team-Reviews
sbassett added a comment to T227726: Security review of preact 8.4.2.

Hey @Jdlrobson - I just wanted to check in and see if there had been any updates on your end (re: the current likelihood of using preact) and if you had a chance to chat with the Performance Team about this yet. I still owe you some security best practices around using preact, which I can hopefully provide sometime soon. Thanks.

Wed, Sep 11, 9:55 PM · Readers-Web-Backlog (Tracking), Security-Team-Reviews

Tue, Sep 10

sbassett added a comment to T131207: Create a checkuser entry for global rename requests.

Per T131207#2164035, it looks like this is how AF does it:

if ( ExtensionRegistry::getInstance()->isLoaded( 'CheckUser' )
    && strpos( $wgAbuseFilterNotifications, 'rc' ) === false
) {
    // CheckUser is loaded but AbuseFilter is not publishing to RC, so hand
    // the log entry's RecentChange to CheckUser directly for CU logging.
    $rc = $entry->getRecentChange();
    CheckUserHooks::updateCheckUserData( $rc );
}

I'm guessing the relevant place to do something similar in CA is probably in GlobalRenameUser.php around here, since there's a ManualLogEntry there where we could call getRecentChange() as the rename was processed. Or at least this seems the simplest way to do the CU logging piece without getting more advanced as discussed in T131207#2212568.

Tue, Sep 10, 8:20 PM · User-Huji, MediaWiki-extensions-CentralAuth, CheckUser, GlobalRename, Stewards-and-global-tools
sbassett updated the task description for T232348: Offboard Michal Anna from Security Team.
Tue, Sep 10, 7:30 PM · Security-Team
sbassett added a comment to T231386: dispatchUser() in SpecialRedirect.php should use a 302 http status code instead of a 301 to avoid certain caching issues.

@Reedy - lol, wasn't commanding, just noting :)

Tue, Sep 10, 7:24 PM · MW-1.34-notes (1.34.0-wmf.23; 2019-09-17), MW-1.33-notes, MediaWiki-Special-pages, Vuln-Misconfiguration, Restricted Project
sbassett added a comment to T231386: dispatchUser() in SpecialRedirect.php should use a 302 http status code instead of a 301 to avoid certain caching issues.

@Reedy Er, REL1_32 still appears un-merged as it needs the 301-checking in dispatch()?

Tue, Sep 10, 7:22 PM · MW-1.34-notes (1.34.0-wmf.23; 2019-09-17), MW-1.33-notes, MediaWiki-Special-pages, Vuln-Misconfiguration, Restricted Project
sbassett moved T207246: Do a security audit of *.planet.wikimedia.org from In Progress to Backlog on the Security-Team-Reviews board.
Tue, Sep 10, 5:07 PM · Security-Team-Reviews
sbassett added a project to T223463: (2019-09) Create secteam groups in admin.yaml and define permissions: Restricted Project.
Tue, Sep 10, 4:59 PM · Restricted Project, SRE-Access-Requests, Operations, Security-Team, Patch-For-Review
sbassett moved T232352: Remove Michal Anna Marble from security@ alias in exim from Backlog to Done on the Security-Team board.
Tue, Sep 10, 4:58 PM · Security-Team, Operations
sbassett moved T231518: Add *.wmflabs.org to w.wiki shortener from Backlog to Done on the Security-Team board.
Tue, Sep 10, 4:58 PM · Wikimedia-Site-requests, Security-Team, MediaWiki-extensions-UrlShortener
sbassett closed T231608: Security access for Tchanders as Resolved.

All - @Tchanders' access was approved last week and I guess @Reedy actually added them to the project already. Let us know if anything else is needed.

Tue, Sep 10, 4:23 PM · Security-Team

Mon, Sep 9

sbassett updated the task description for T232348: Offboard Michal Anna from Security Team.
Mon, Sep 9, 7:27 PM · Security-Team
sbassett added a comment to T230304: Ongoing spambot attack 2019-08-{10,11,.*}.

@Urbanecm - I'm not sure I even have perms to change subtypes, don't know much about that feature to be honest. I'd probably recommend reaching out to a Phab admin (@Reedy, @Aklapper, et al) to confirm.

Mon, Sep 9, 5:14 PM · User-Urbanecm, Wikimedia-General-or-Unknown, Security
sbassett updated the task description for T232348: Offboard Michal Anna from Security Team.
Mon, Sep 9, 3:27 PM · Security-Team
sbassett triaged T232353: Remove mmarble from wmf LDAP group as Normal priority.
Mon, Sep 9, 3:27 PM · Security-Team, LDAP-Access-Requests
sbassett created T232353: Remove mmarble from wmf LDAP group.
Mon, Sep 9, 3:27 PM · Security-Team, LDAP-Access-Requests
sbassett updated the task description for T232348: Offboard Michal Anna from Security Team.
Mon, Sep 9, 3:20 PM · Security-Team
sbassett triaged T232352: Remove Michal Anna Marble from security@ alias in exim as Normal priority.
Mon, Sep 9, 3:20 PM · Security-Team, Operations
sbassett created T232352: Remove Michal Anna Marble from security@ alias in exim.
Mon, Sep 9, 3:20 PM · Security-Team, Operations
sbassett updated the task description for T232348: Offboard Michal Anna from Security Team.
Mon, Sep 9, 3:16 PM · Security-Team
sbassett updated the task description for T232348: Offboard Michal Anna from Security Team.
Mon, Sep 9, 2:58 PM · Security-Team
sbassett triaged T232348: Offboard Michal Anna from Security Team as Normal priority.
Mon, Sep 9, 2:53 PM · Security-Team
sbassett created T232348: Offboard Michal Anna from Security Team.
Mon, Sep 9, 2:51 PM · Security-Team
sbassett added a comment to T231518: Add *.wmflabs.org to w.wiki shortener.

@Urbanecm That'd be functionally equivalent in some ways, though seems to have originally been for a different purpose. Also, editing Hiera configs and using the Horizon tool isn't quite as user-friendly as the UI for w.wiki (and most other url shorteners) IMO.

Mon, Sep 9, 2:40 PM · Wikimedia-Site-requests, Security-Team, MediaWiki-extensions-UrlShortener
sbassett added a comment to T231518: Add *.wmflabs.org to w.wiki shortener.

I would love if we could use a URL shortener for Wmflabs

Mon, Sep 9, 1:56 PM · Wikimedia-Site-requests, Security-Team, MediaWiki-extensions-UrlShortener

Fri, Sep 6

sbassett triaged T221272: Expose new ipblocks.ipb_sitewide column to the replicas as Normal priority.
Fri, Sep 6, 8:55 PM · cloud-services-team (Kanban), Patch-For-Review, Data-Services, Security-Team, Anti-Harassment
sbassett added a comment to T221272: Expose new ipblocks.ipb_sitewide column to the replicas.

@Bstorm - just +1'd the patch with a comment. ipb_sitewide is low risk IMO.

Fri, Sep 6, 8:55 PM · cloud-services-team (Kanban), Patch-For-Review, Data-Services, Security-Team, Anti-Harassment

Tue, Sep 3

sbassett renamed T230576: XSS in edit summary for ex:MobileFrontend Special:Watchlist (CVE-2019-15124) from XSS in edit summary for ex:MobileFrontend Special:Watchlist to XSS in edit summary for ex:MobileFrontend Special:Watchlist (CVE-2019-15124).
Tue, Sep 3, 6:05 PM · MW-1.34-notes (1.34.0-wmf.20; 2019-08-27), Vuln-XSS, MobileFrontend, Security
sbassett added a comment to T229620: if phabricator users are blocked due to IP range blocks send a 4xx rather than 500.

@Urbanecm - Task IDs and even protected Phabricator project names should be fine, as those aren't published or accessible for unprivileged Phabricator/anon users. It's really just some of the sensitive details within certain protected tasks which should never be made public or discussed on related public tasks. Thanks.

Tue, Sep 3, 5:40 PM · Security, Phabricator
sbassett moved T230140: Security Review For MediaWiki REST API infrastructure from Backlog to In Progress on the Security-Team-Reviews board.
Tue, Sep 3, 4:55 PM · Security-Team-Reviews
sbassett changed the visibility for T229620: if phabricator users are blocked due to IP range blocks send a 4xx rather than 500.
Tue, Sep 3, 4:32 PM · Security, Phabricator
sbassett added a comment to T229620: if phabricator users are blocked due to IP range blocks send a 4xx rather than 500.

Discussed with the Security-Team this morning - we're fine making this task public as long as no sensitive issues from the related protected tasks are discussed here.

Tue, Sep 3, 4:32 PM · Security, Phabricator

Fri, Aug 30

sbassett added a comment to T231608: Security access for Tchanders.

I will remind everyone that we're talking about a WMF employee here.
I can understand high scrutiny in general, but I don't see how adding an employee to the access group is not something -- honestly -- that we do automatically. If there ever is a reason that a specific employee of the Foundation should not be exposed to security tickets (current or old) then we have a bigger issue about whether or not they should be employed to begin with.

Fri, Aug 30, 9:30 PM · Security-Team
sbassett added a comment to T231608: Security access for Tchanders.

(where? IRC?)

Fri, Aug 30, 9:23 PM · Security-Team
sbassett added a comment to T231608: Security access for Tchanders.

@Niharika - I think you've illustrated part of the point here: that individuals can be added to Security-protected tasks on a case-by-case basis, as opposed to the entire collection of previous and future tasks. As noted, anyone with Security access can do this, when a demonstrated need arises. The higher bar is merely an effort to more tightly control access to Security tasks, i.e. has the requester only ever worked on a couple of protected tasks or have they worked on several with a likely need for access to future tasks (and potentially older tasks).

Fri, Aug 30, 9:02 PM · Security-Team
sbassett added a comment to T231608: Security access for Tchanders.

@Niharika - Yes. We've lately been trying to limit access even further to Security to those who absolutely need it (as opposed to just kind of want it.) Given @Tchanders's role on the AH team and the tasks you've provided, I think they probably meet these requirements, but again, we'll confirm this at our Security-Team check-in next week.

Fri, Aug 30, 8:43 PM · Security-Team
sbassett moved T231265: Document Security Council on-wiki from Backlog to Done on the Security-Team board.
Fri, Aug 30, 4:28 PM · Documentation, Security-Team
sbassett moved T218091: Security Team quarterly check in for April - June 2019 from Backlog to Done on the Security-Team board.
Fri, Aug 30, 4:19 PM · Security-Team
sbassett moved T213366: [2 hrs] Decide on handling system updates for Proton from Backlog to Done on the Security-Team board.
Fri, Aug 30, 4:12 PM · Product-Infrastructure-Team-Backlog, Security-Team, Operations, Proton
sbassett moved T225554: Onboard Jennifer Cross to Security Team as Project Manager (May 24th) from Backlog to Done on the Security-Team board.
Fri, Aug 30, 4:12 PM · Security-Team
sbassett moved T228927: Add sguebo_WMF to WMF LDAP group from Backlog to Done on the Security-Team board.
Fri, Aug 30, 4:12 PM · LDAP-Access-Requests, Trust-and-Safety, Security-Team, Operations
sbassett moved T209572: Feature Policy Reporting origin trial from Backlog to Done on the Security-Team board.
Fri, Aug 30, 4:11 PM · MW-1.34-notes (1.34.0-wmf.10; 2019-06-18), Security-Team, Performance-Team
sbassett moved T230521: Users are unable to create more than 2 accounts per day from Backlog to Done on the Security-Team board.
Fri, Aug 30, 4:11 PM · User-Urbanecm, Collaboration-Community-Engagement, Security-Team
sbassett moved T216682: Switch WMF production to Argon2 password hashes from Backlog to Done on the Security-Team board.
Fri, Aug 30, 4:11 PM · Security-Team, MediaWiki-User-login-and-signup
sbassett moved T221639: Establish Foundation's Security Council from Backlog to Done on the Security-Team board.
Fri, Aug 30, 4:10 PM · Security-Team
sbassett moved T221642: Create an Acceptable Use Policy from Backlog to Done on the Security-Team board.
Fri, Aug 30, 4:10 PM · Security-Team
sbassett moved T221659: Provide a training session for the new Acceptable Use Policy, once it is approved from Backlog to Done on the Security-Team board.
Fri, Aug 30, 4:10 PM · Security-Team
sbassett moved T221662: Finalize and test our Security Incident Response documentation from Backlog to Done on the Security-Team board.
Fri, Aug 30, 4:10 PM · Security-Team
sbassett moved T221663: Perform 1 large scale tabletop exercise in fiscal 4Q 2019 from Backlog to Done on the Security-Team board.
Fri, Aug 30, 4:10 PM · Security-Team
sbassett moved T221664: Create incident play by play dashboard from Backlog to Done on the Security-Team board.
Fri, Aug 30, 4:10 PM · Security-Team
sbassett moved T231608: Security access for Tchanders from Backlog to In Progress on the Security-Team board.

@Tchanders - the Security-Team will discuss this at our team meeting next Tuesday (September 4th). In the meantime, can you post a few recent security-protected tasks here where you recently needed individual access? Thanks.

Fri, Aug 30, 2:13 PM · Security-Team
sbassett triaged T231608: Security access for Tchanders as Normal priority.
Fri, Aug 30, 2:11 PM · Security-Team

Tue, Aug 27

sbassett added a watcher for Security-Team: sbassett.
Tue, Aug 27, 9:56 PM
sbassett moved T231386: dispatchUser() in SpecialRedirect.php should use a 302 http status code instead of a 301 to avoid certain caching issues from Restricted Project Column to Restricted Project Column on the Restricted Project board.
Tue, Aug 27, 8:53 PM · MW-1.34-notes (1.34.0-wmf.23; 2019-09-17), MW-1.33-notes, MediaWiki-Special-pages, Vuln-Misconfiguration, Restricted Project
sbassett triaged T231386: dispatchUser() in SpecialRedirect.php should use a 302 http status code instead of a 301 to avoid certain caching issues as Low priority.
Tue, Aug 27, 8:53 PM · MW-1.34-notes (1.34.0-wmf.23; 2019-09-17), MW-1.33-notes, MediaWiki-Special-pages, Vuln-Misconfiguration, Restricted Project
sbassett created T231386: dispatchUser() in SpecialRedirect.php should use a 302 http status code instead of a 301 to avoid certain caching issues.
Tue, Aug 27, 8:52 PM · MW-1.34-notes (1.34.0-wmf.23; 2019-09-17), MW-1.33-notes, MediaWiki-Special-pages, Vuln-Misconfiguration, Restricted Project
sbassett updated subscribers of T226453: Concept URI in sidebar uses HTTP instead of HTTPS.
Tue, Aug 27, 4:16 PM · Privacy, Wikidata, MediaWiki-extensions-WikibaseRepository

Fri, Aug 23

sbassett added a comment to T229718: Security review for PageNotice extension.

The Security-Team is trying to get away from providing a "pass" or "thumbs up" for code during security reviews, as it assumes a level of accountability on our part which we cannot sustain. So we are adopting the more standard system of risk classification and risk ownership for our security reviews. This entails us performing a risk analysis during the review process and then assigning and communicating a level of risk to the requesters/owners of the code. The levels of risk we're using within our analyses are:

Fri, Aug 23, 3:11 PM · MediaWiki-extensions-PageNotice, Security-Team-Reviews

Thu, Aug 22

sbassett created P8964 Foundation wiki CSP.
Thu, Aug 22, 9:07 PM
sbassett created P8963 CentralNotice banner support CSP.
Thu, Aug 22, 9:06 PM
sbassett updated the language for P8962 Core CSP report-only from css to text.
Thu, Aug 22, 9:04 PM
sbassett updated the language for P8962 Core CSP report-only from php to css.
Thu, Aug 22, 9:04 PM
sbassett updated the language for P8962 Core CSP report-only from shell to php.
Thu, Aug 22, 9:03 PM
sbassett updated the language for P8962 Core CSP report-only from js to shell.
Thu, Aug 22, 9:03 PM
sbassett updated the language for P8962 Core CSP report-only from html to js.
Thu, Aug 22, 9:03 PM
sbassett created P8962 Core CSP report-only.
Thu, Aug 22, 9:03 PM
sbassett moved T227209: Security Review For Parsoid-PHP from Restricted Project Column to Restricted Project Column on the Restricted Project board.
Thu, Aug 22, 2:41 PM · Restricted Project, Parsoid-PHP, Security-Team-Reviews
sbassett closed T230576: XSS in edit summary for ex:MobileFrontend Special:Watchlist (CVE-2019-15124) as Resolved.

Backports complete in gerrit, resolving task for now.

Thu, Aug 22, 2:18 PM · MW-1.34-notes (1.34.0-wmf.20; 2019-08-27), Vuln-XSS, MobileFrontend, Security

Wed, Aug 21

sbassett changed the visibility for T230576: XSS in edit summary for ex:MobileFrontend Special:Watchlist (CVE-2019-15124).
Wed, Aug 21, 9:30 PM · MW-1.34-notes (1.34.0-wmf.20; 2019-08-27), Vuln-XSS, MobileFrontend, Security
sbassett created T230951: Transfer ownership of mediawiki-security mailman list to Security Team.
Wed, Aug 21, 6:48 PM · Wikimedia-Mailing-lists, Operations
sbassett moved T216419: Security review - Wikibase Termbox Front End from Frozen to Archive on the Security-Team-Reviews board.
Wed, Aug 21, 3:29 PM · Restricted Project, Security-Team-Reviews
sbassett moved T216419: Security review - Wikibase Termbox Front End from Awaiting remediation to Frozen on the Security-Team-Reviews board.
Wed, Aug 21, 3:29 PM · Restricted Project, Security-Team-Reviews
sbassett closed T216419: Security review - Wikibase Termbox Front End as Resolved.

@WMDE-leszek @RazShuty - Just talked with @JBennett. Looks like everything is official re: risk ownership, so I'm going to resolve this task for now. Thanks everyone for all of the patience on working through this review and risk ownership assessment.

Wed, Aug 21, 3:29 PM · Restricted Project, Security-Team-Reviews
sbassett moved T227591: Security Concept Review for the machine vision middleware project from Awaiting remediation to Archive on the Security-Team-Reviews board.
Wed, Aug 21, 2:12 PM · Restricted Project, Machine vision, Product-Infrastructure-Team-Backlog, Security-Team-Reviews
sbassett closed T227591: Security Concept Review for the machine vision middleware project, a subtask of T226119: Build middleware to utilize machine vision API for structured data on commons depicts tag suggestion tool, as Resolved.
Wed, Aug 21, 2:11 PM · Epic, Machine vision, Product-Infrastructure-Team-Backlog
sbassett closed T227591: Security Concept Review for the machine vision middleware project as Resolved.

We're talking with them about what we're doing, and will follow up with them when we're code-complete.

Wed, Aug 21, 2:11 PM · Restricted Project, Machine vision, Product-Infrastructure-Team-Backlog, Security-Team-Reviews
sbassett moved T222806: Security Review for Vega 5 and Vega-Lite JavaScript Libraries from Frozen to Archive on the Security-Team-Reviews board.
Wed, Aug 21, 2:05 PM · Security-Team-Reviews, Upstream, JavaScript, Maps, Graphs
sbassett added a comment to T227209: Security Review For Parsoid-PHP.

Hey @ssastry - thanks for cutting the security review branch. @Reedy and I will plan to review that soon and reach out to @Arlolra with any questions.

Wed, Aug 21, 2:04 PM · Restricted Project, Parsoid-PHP, Security-Team-Reviews

Tue, Aug 20

sbassett triaged T230796: Deploy countermeasures to stop ongoing spambot attack at es.wikiquote 2019-08-20 [public task] as Normal priority.
Tue, Aug 20, 4:23 PM · Wikimedia-General-or-Unknown, Security-Team, Security
sbassett added a comment to T230796: Deploy countermeasures to stop ongoing spambot attack at es.wikiquote 2019-08-20 [public task].

@MarcoAurelio - +1'd both of these. I should be able to security-deploy these sometime today. Is it time to consider a project closure request?

Tue, Aug 20, 3:34 PM · Wikimedia-General-or-Unknown, Security-Team, Security
sbassett triaged T230805: Confirmation of flag assignment by other bureaucrats as Normal priority.
Tue, Aug 20, 2:47 PM · MediaWiki-User-management

Mon, Aug 19

sbassett moved T229718: Security review for PageNotice extension from Awaiting remediation to Archive on the Security-Team-Reviews board.
Mon, Aug 19, 2:02 PM · MediaWiki-extensions-PageNotice, Security-Team-Reviews
sbassett closed T229718: Security review for PageNotice extension, a subtask of T61245: Review the PageNotice extension for deployment, as Resolved.
Mon, Aug 19, 2:01 PM · MediaWiki-extensions-PageNotice, Wikimedia-extension-review-queue, Wikimedia-Extension-setup
sbassett closed T229718: Security review for PageNotice extension as Resolved.

Re number 6, there are already many avenues to deface the wiki if you have edit access to the MediaWiki: namespace. Editing MediaWiki:Sitenotice would have a similar effect as creating a page notice. I don't think the fact that this extension adds another avenue is of any special concern.

Mon, Aug 19, 2:01 PM · MediaWiki-extensions-PageNotice, Security-Team-Reviews

Sat, Aug 17

sbassett committed rEPNO212920de645a: Adding phan-taint-check support via extra field (authored by sbassett).
Adding phan-taint-check support via extra field
Sat, Aug 17, 11:09 PM

Fri, Aug 16

sbassett added a comment to T230576: XSS in edit summary for ex:MobileFrontend Special:Watchlist (CVE-2019-15124).

Update: CVE-2019-15124.

Fri, Aug 16, 9:43 PM · MW-1.34-notes (1.34.0-wmf.20; 2019-08-27), Vuln-XSS, MobileFrontend, Security
sbassett removed a project from T230576: XSS in edit summary for ex:MobileFrontend Special:Watchlist (CVE-2019-15124): Patch-For-Review.
Fri, Aug 16, 7:59 PM · MW-1.34-notes (1.34.0-wmf.20; 2019-08-27), Vuln-XSS, MobileFrontend, Security
sbassett lowered the priority of T230576: XSS in edit summary for ex:MobileFrontend Special:Watchlist (CVE-2019-15124) from Unbreak Now! to High.
Fri, Aug 16, 7:51 PM · MW-1.34-notes (1.34.0-wmf.20; 2019-08-27), Vuln-XSS, MobileFrontend, Security
sbassett added a comment to T230576: XSS in edit summary for ex:MobileFrontend Special:Watchlist (CVE-2019-15124).

Patch tested locally, worked fine. Deployed patch to wmf/1.34.0-wmf.17 and tested. I'll request another CVE for this one. Once I have the id, I'll make this task public and backport to master and supported release branches in gerrit.

Fri, Aug 16, 7:50 PM · MW-1.34-notes (1.34.0-wmf.20; 2019-08-27), Vuln-XSS, MobileFrontend, Security

Aug 16 2019

sbassett updated the task description for T230576: XSS in edit summary for ex:MobileFrontend Special:Watchlist (CVE-2019-15124).
Aug 16 2019, 2:02 PM · MW-1.34-notes (1.34.0-wmf.20; 2019-08-27), Vuln-XSS, MobileFrontend, Security

Aug 15 2019

sbassett added a project to T230576: XSS in edit summary for ex:MobileFrontend Special:Watchlist (CVE-2019-15124): Patch-For-Review.
Aug 15 2019, 8:47 PM · MW-1.34-notes (1.34.0-wmf.20; 2019-08-27), Vuln-XSS, MobileFrontend, Security
sbassett added a comment to T230576: XSS in edit summary for ex:MobileFrontend Special:Watchlist (CVE-2019-15124).

Proposed patch, same mitigation as T229541:

Aug 15 2019, 8:46 PM · MW-1.34-notes (1.34.0-wmf.20; 2019-08-27), Vuln-XSS, MobileFrontend, Security
sbassett added a comment to T230304: Ongoing spambot attack 2019-08-{10,11,.*}.

@Urbanecm - looks like other spambot incidents have been made public in the past, so I think it's fine to do so here. Nothing terribly secret on this particular task.

Aug 15 2019, 8:38 PM · User-Urbanecm, Wikimedia-General-or-Unknown, Security
sbassett triaged T230576: XSS in edit summary for ex:MobileFrontend Special:Watchlist (CVE-2019-15124) as Unbreak Now! priority.
Aug 15 2019, 8:34 PM · MW-1.34-notes (1.34.0-wmf.20; 2019-08-27), Vuln-XSS, MobileFrontend, Security
sbassett created T230576: XSS in edit summary for ex:MobileFrontend Special:Watchlist (CVE-2019-15124).
Aug 15 2019, 8:32 PM · MW-1.34-notes (1.34.0-wmf.20; 2019-08-27), Vuln-XSS, MobileFrontend, Security