
mmartorana (manfredi martorana)
Application Security Engineer

User Details

User Since
Nov 5 2021, 2:54 PM (81 w, 4 d)
Availability
Available
LDAP User
Unknown
MediaWiki User
MMartorana (WMF)

Recent Activity

Yesterday

mmartorana added a comment to T337347: Security Issue Access Request for EMagallanes.

Hi @EMagallanes - I have included you in the acl-security-legal group. Could you please verify if the permissions appear correct at this time? Thank you.

Mon, May 29, 2:18 PM · Security-Team, Security
mmartorana added a member for acl*security_legal: EMagallanes.
Mon, May 29, 2:13 PM

Wed, May 24

mmartorana added a comment to T337347: Security Issue Access Request for EMagallanes.

Hi @EMagallanes - To proceed, we kindly request your manager's approval.

Wed, May 24, 5:23 PM · Security-Team, Security
mmartorana changed the status of T337347: Security Issue Access Request for EMagallanes from Open to In Progress.
Wed, May 24, 5:18 PM · Security-Team, Security

Tue, May 16

mmartorana moved T334962: Security Review re: Redeployment of ParserMigration extension to production from In Progress to Our Part Is Done on the secscrum board.
Tue, May 16, 4:42 PM · secscrum, Application Security Reviews, Security-Team

Thu, May 11

mmartorana moved T334962: Security Review re: Redeployment of ParserMigration extension to production from In Progress to Our Part Is Done on the Security-Team board.

Security Review Summary - T334962 - 2023-05-11
Last commit reviewed: 8015a9c

Thu, May 11, 4:23 PM · secscrum, Application Security Reviews, Security-Team

Tue, May 9

mmartorana added a comment to T335981: let Eoghan see security tickets in Phabricator.

Hey @eoghan - I have included you in the acl-security-sre group. Could you please verify if the permissions appear correct at this time? Thank you.

Tue, May 9, 3:47 PM · SecTeam-Processed, Security, Security-Team, serviceops-collab
mmartorana added a member for acl*security_sre: eoghan.
Tue, May 9, 3:45 PM
mmartorana changed the status of T335981: let Eoghan see security tickets in Phabricator from Open to In Progress.
Tue, May 9, 2:51 PM · SecTeam-Processed, Security, Security-Team, serviceops-collab

Wed, May 3

mmartorana changed the status of T334962: Security Review re: Redeployment of ParserMigration extension to production, a subtask of T333179: (Re)deploy ParserMigration extension to production, from Open to In Progress.
Wed, May 3, 3:14 PM · Patch-For-Review, Wikimedia-extension-review-queue, Wikimedia-Extension-setup, MediaWiki-extensions-ParserMigration, Content-Transform-Team-WIP, Parsoid
mmartorana changed the status of T334962: Security Review re: Redeployment of ParserMigration extension to production from Open to In Progress.
Wed, May 3, 3:13 PM · secscrum, Application Security Reviews, Security-Team

Apr 28 2023

mmartorana closed T334897: Security Issue Access Request for krabina as Declined.

Hi - we appreciate your inquiry, but we regret to inform you that we currently do not provide support for this particular form of pre-release access and have no immediate plans to do so.

Apr 28 2023, 4:08 PM · SecTeam-Processed, Security-Team, Security

Apr 26 2023

mmartorana changed the status of T334897: Security Issue Access Request for krabina from Open to In Progress.
Apr 26 2023, 5:14 PM · SecTeam-Processed, Security-Team, Security

Apr 24 2023

mmartorana changed the visibility for T333723: w.wiki + ?withJS= allows an intadmin on any wiki to launch phishing attacks on all wikis, or lets any user trick people into running unwanted JS.
Apr 24 2023, 4:43 PM · Vuln-Misconfiguration, MediaWiki-extensions-UrlShortener, Security, Security-Team
mmartorana added a comment to T333723: w.wiki + ?withJS= allows an intadmin on any wiki to launch phishing attacks on all wikis, or lets any user trick people into running unwanted JS.

Hi - this task will be made public soon.

Apr 24 2023, 3:08 PM · Vuln-Misconfiguration, MediaWiki-extensions-UrlShortener, Security, Security-Team

Apr 7 2023

mmartorana closed T333723: w.wiki + ?withJS= allows an intadmin on any wiki to launch phishing attacks on all wikis, or lets any user trick people into running unwanted JS as Declined.

As previously mentioned, the additional powers granted by int-admin privileges already pose a significant risk in terms of potential damage. Therefore, restricting the use of withJS would result in more limitations than benefit for this particular scenario.

Apr 7 2023, 3:21 PM · Vuln-Misconfiguration, MediaWiki-extensions-UrlShortener, Security, Security-Team
mmartorana changed the visibility for T332495: CVE-2023-21036 (Cropped PNG files uploaded from Google Pixel still include cropped image data).
Apr 7 2023, 3:02 PM · SecTeam-Processed, UploadWizard, Vuln-Infoleak, Security, Security-Team
mmartorana closed T332495: CVE-2023-21036 (Cropped PNG files uploaded from Google Pixel still include cropped image data) as Declined.

As mentioned in the preceding comments, unfortunately, the Security-Team cannot dedicate their efforts to resolving this issue due to its high level of complexity and negligible potential impact.

Apr 7 2023, 3:02 PM · SecTeam-Processed, UploadWizard, Vuln-Infoleak, Security, Security-Team
mmartorana changed the status of T333723: w.wiki + ?withJS= allows an intadmin on any wiki to launch phishing attacks on all wikis, or lets any user trick people into running unwanted JS from Open to In Progress.
Apr 7 2023, 2:33 PM · Vuln-Misconfiguration, MediaWiki-extensions-UrlShortener, Security, Security-Team

Apr 4 2023

mmartorana added a comment to T325849: Write and send supplementary release announcement for extensions and skins with security patches (1.35.10/1.38.6/1.39.3).

Supplemental announcement is out!

Apr 4 2023, 8:06 PM · user-sbassett, MediaWiki-Releasing, Security
mmartorana changed the visibility for T331192: CVE-2023-29135: CheckUser 'get users' form vulnerable to HTML injection through usernames.
Apr 4 2023, 7:08 PM · Patch-For-Review, Vuln-XSS, SecTeam-Processed, Vuln-Inject, Security-Team, Security, CheckUser
mmartorana changed the visibility for T331321: CVE-2023-29133: XSS in Searchtext formatter in Cargo.
Apr 4 2023, 7:07 PM · Vuln-XSS, MediaWiki-extensions-Cargo, Security, Security-Team
mmartorana changed the visibility for T330406: CVE-2023-28447: Make a security release of Extension:Widgets due to Smarty RCE vulns.
Apr 4 2023, 7:06 PM · Patch-For-Review, Vuln-VulnComponent, SecTeam-Processed, MediaWiki-extensions-Widgets, Security, Security-Team
mmartorana changed the visibility for T278365: CVE-2023-29138: Using checkuser api module with bad user name can still break Special:CheckUserLog even after security fixes.
Apr 4 2023, 7:05 PM · Security-Team, SecTeam-Processed, CheckUser, Security
mmartorana updated the task description for T325849: Write and send supplementary release announcement for extensions and skins with security patches (1.35.10/1.38.6/1.39.3).
Apr 4 2023, 5:09 PM · user-sbassett, MediaWiki-Releasing, Security
mmartorana updated the task description for T325849: Write and send supplementary release announcement for extensions and skins with security patches (1.35.10/1.38.6/1.39.3).
Apr 4 2023, 4:48 PM · user-sbassett, MediaWiki-Releasing, Security

Apr 3 2023

mmartorana added a comment to T325849: Write and send supplementary release announcement for extensions and skins with security patches (1.35.10/1.38.6/1.39.3).

Subject: MediaWiki Extensions and Skins Security Release Supplement (1.35.10/1.38.6/1.39.3)

Apr 3 2023, 3:53 PM · user-sbassett, MediaWiki-Releasing, Security
mmartorana closed T278365: CVE-2023-29138: Using checkuser api module with bad user name can still break Special:CheckUserLog even after security fixes as Resolved.
Apr 3 2023, 3:23 PM · Security-Team, SecTeam-Processed, CheckUser, Security
mmartorana renamed T328643: CVE-2023-29137: GrowthExperiments: UserImpactHandler returns timezone preference data for arbitrary users from GrowthExperiments: UserImpactHandler returns timezone preference data for arbitrary users to CVE-2023-29137: GrowthExperiments: UserImpactHandler returns timezone preference data for arbitrary users.
Apr 3 2023, 3:21 PM · MW-1.40-notes (1.40.0-wmf.24; 2023-02-20), SecTeam-Processed, Vuln-Infoleak, GrowthExperiments-ImpactModule, Growth-Team (Current Sprint), Security, Security-Team
mmartorana renamed T278365: CVE-2023-29138: Using checkuser api module with bad user name can still break Special:CheckUserLog even after security fixes from Using checkuser api module with bad user name can still break Special:CheckUserLog even after security fixes to CVE-2023-29138: Using checkuser api module with bad user name can still break Special:CheckUserLog even after security fixes.
Apr 3 2023, 3:20 PM · Security-Team, SecTeam-Processed, CheckUser, Security
mmartorana renamed T327613: CVE-2023-29140: GrowthExperiments new impact module shows revdeleted edits from GrowthExperiments new impact module shows revdeleted edits to CVE-2023-29140: GrowthExperiments new impact module shows revdeleted edits.
Apr 3 2023, 3:19 PM · SecTeam-Processed, GrowthExperiments-ImpactModule, Vuln-Infoleak, Growth-Team (Current Sprint), Security, Security-Team
mmartorana renamed T326293: CVE-2023-29139: API request timeout - CheckUserLog from API request timeout - CheckUserLog to CVE-2023-29139: API request timeout - CheckUserLog.
Apr 3 2023, 3:19 PM · MW-1.40-notes (1.40.0-wmf.18; 2023-01-09), CheckUser, Vuln-DoS, SecTeam-Processed, Wikimedia-production-error, Security, Security-Team
mmartorana updated the task description for T325849: Write and send supplementary release announcement for extensions and skins with security patches (1.35.10/1.38.6/1.39.3).
Apr 3 2023, 3:15 PM · user-sbassett, MediaWiki-Releasing, Security

Mar 31 2023

mmartorana changed the visibility for T329417: Cross-site scripting in fancy signatures.
Mar 31 2023, 3:40 PM · SecTeam-Processed, MediaWiki-Parser, Security, Security-Team
mmartorana changed the status of T332889: XSS in BlockLogFormatter due to unsafe message use from Open to In Progress.
Mar 31 2023, 3:26 PM · SecTeam-Processed, MW-1.41-notes (1.41.0-wmf.10; 2023-05-23), MW-1.35-notes, MW-1.38-notes, MW-1.39-notes, MW-1.40-notes, MediaWiki-Blocks, Vuln-XSS, Security, Security-Team
mmartorana moved T324536: Application Security Review Request: RealMe from In Progress to Our Part Is Done on the secscrum board.

Security Review Summary - T324536 - 2023-03-31
Last commit reviewed: 536706d

Mar 31 2023, 3:22 PM · RealMe, secscrum, Security, Application Security Reviews

Mar 27 2023

mmartorana added a comment to T332495: CVE-2023-21036 (Cropped PNG files uploaded from Google Pixel still include cropped image data).

Hi @NCommander - thanks for reporting this issue.
In case anyone is interested in writing a patch that can enhance the processing of PNG files with crop information and reject any data beyond the IEND binary marker, we would be open to that. Please note that it's not our system but Android devices that are susceptible to this issue.

Mar 27 2023, 2:48 PM · SecTeam-Processed, UploadWizard, Vuln-Infoleak, Security, Security-Team
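As an added example (not code from the task, the reporter, or the MediaWiki/UploadWizard code base), the following Python implements the check described in the comment above: walk the PNG chunk list up to IEND and report, or strip, whatever bytes follow it, since that trailing region is where a vulnerable cropper leaves the original image data. The sample files are constructed inline; the appended bytes merely stand in for leftover image data and are not taken from a real Pixel screenshot.

```python
"""Added example: detect and strip data trailing a PNG's IEND chunk.

A well-formed PNG ends with the IEND chunk. CVE-2023-21036-style croppers
rewrote the cropped image in place without truncating the file, so the
tail of the original image survived after IEND. Any upload pipeline can
reject or strip such files with the chunk walk below.
"""
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"


def png_chunks(data: bytes):
    """Yield (type, offset, payload) for each chunk, stopping after IEND.

    Raises ValueError for a bad signature, a truncated chunk, a CRC
    mismatch, or a file with no IEND at all.
    """
    if not data.startswith(PNG_SIGNATURE):
        raise ValueError("not a PNG: bad signature")
    pos = len(PNG_SIGNATURE)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        end = pos + 8 + length + 4          # header + payload + CRC
        if end > len(data):
            raise ValueError(f"truncated {ctype!r} chunk at offset {pos}")
        payload = data[pos + 8:pos + 8 + length]
        crc = struct.unpack(">I", data[end - 4:end])[0]
        if crc != zlib.crc32(ctype + payload) & 0xFFFFFFFF:
            raise ValueError(f"bad CRC on {ctype!r} chunk at offset {pos}")
        yield ctype, pos, payload
        pos = end
        if ctype == b"IEND":
            return
    raise ValueError("no IEND chunk found")


def trailing_bytes_after_iend(data: bytes) -> int:
    """Return the number of bytes that follow the IEND chunk (0 if clean)."""
    end_of_png = None
    for ctype, offset, payload in png_chunks(data):
        if ctype == b"IEND":
            end_of_png = offset + 8 + len(payload) + 4
    return len(data) - end_of_png


def strip_trailing_data(data: bytes) -> bytes:
    """Return the file truncated at the end of IEND, dropping anything after."""
    n = trailing_bytes_after_iend(data)
    return data[:len(data) - n] if n else data


# --- constructed sample input (not a real Pixel screenshot) -----------------

def _chunk(ctype: bytes, payload: bytes) -> bytes:
    """Encode one PNG chunk: length, type, payload, CRC32 over type+payload."""
    crc = zlib.crc32(ctype + payload) & 0xFFFFFFFF
    return struct.pack(">I", len(payload)) + ctype + payload + struct.pack(">I", crc)


def make_minimal_png() -> bytes:
    """A valid 1x1 8-bit greyscale PNG: IHDR, one IDAT, IEND."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
    idat = zlib.compress(b"\x00\x00")       # filter byte + one pixel
    return (PNG_SIGNATURE + _chunk(b"IHDR", ihdr)
            + _chunk(b"IDAT", idat) + _chunk(b"IEND", b""))


CLEAN_PNG = make_minimal_png()
# Simulated leftover: bytes of an earlier, larger image left after IEND.
LEAKED_PNG = CLEAN_PNG + b"\x00" * 16 + _chunk(b"IDAT", zlib.compress(b"\x00\xff"))


if __name__ == "__main__":
    for name, blob in (("clean", CLEAN_PNG), ("leaked", LEAKED_PNG)):
        print(f"{name}: {trailing_bytes_after_iend(blob)} trailing byte(s) after IEND")
```

The walk validates each chunk's CRC so that a file which is merely corrupt is reported as malformed rather than silently accepted; a pipeline that wants to be lenient about corrupt uploads can catch the ValueError and reject on its own terms. Stripping the tail is the safe remediation because everything after IEND is ignored by conforming decoders anyway.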

Mar 24 2023

mmartorana changed the status of T332495: CVE-2023-21036 (Cropped PNG files uploaded from Google Pixel still include cropped image data) from Open to In Progress.
Mar 24 2023, 6:03 PM · SecTeam-Processed, UploadWizard, Vuln-Infoleak, Security, Security-Team

Mar 20 2023

mmartorana closed T329417: Cross-site scripting in fancy signatures as Resolved.

Although the presence of executable javascript code may seem concerning, the appearance of such code without actual execution is unlikely to cause harm. Unfortunately, there is little that can be done about this issue as MediaWiki allows both legitimate HTML tags and escaped HTML as valid wikitext output.
There may even be a MediaWiki page about a component of javascript that may require displaying apparently valid HTML and javascript code.

Mar 20 2023, 2:34 PM · SecTeam-Processed, MediaWiki-Parser, Security, Security-Team

Mar 13 2023

mmartorana added a comment to T329417: Cross-site scripting in fancy signatures.

Hi @alex-mashin - I'm sorry, but I'm not able to reproduce the problem in version 1.35 either. Could you please give me more information to help me understand the issue better?

Mar 13 2023, 5:28 PM · SecTeam-Processed, MediaWiki-Parser, Security, Security-Team

Mar 8 2023

mmartorana added a comment to T329417: Cross-site scripting in fancy signatures.

Hi @alex-mashin - I cannot reproduce this issue in the current master version either.

Mar 8 2023, 4:30 PM · SecTeam-Processed, MediaWiki-Parser, Security, Security-Team

Feb 16 2023

mmartorana changed the status of T329417: Cross-site scripting in fancy signatures from Open to In Progress.
Feb 16 2023, 4:39 PM · SecTeam-Processed, MediaWiki-Parser, Security, Security-Team

Feb 6 2023

mmartorana added a member for acl*security_developer: pfischer.
Feb 6 2023, 4:01 PM

Feb 3 2023

mmartorana closed T327746: Security Issue Access Request for pfischer as Resolved.
Feb 3 2023, 4:53 PM · SecTeam-Processed, Security-Team, Security

Jan 31 2023

mmartorana added a comment to T327746: Security Issue Access Request for pfischer.

Hi @pfischer - security access has been granted.

Jan 31 2023, 6:35 PM · SecTeam-Processed, Security-Team, Security
mmartorana added a member for Security: pfischer.
Jan 31 2023, 6:34 PM
mmartorana changed the status of T327746: Security Issue Access Request for pfischer from Open to In Progress.
Jan 31 2023, 6:31 PM · SecTeam-Processed, Security-Team, Security

Jan 27 2023

mmartorana closed T316523: Application Security Review Request : swaggest/json-diff PHP library, a subtask of T316813: Add `swaggest/json-diff` library to be available for Wikibase on WMF wikis, as Resolved.
Jan 27 2023, 10:41 PM · Wikibase Product Platform (Sprint 21)
mmartorana closed T316523: Application Security Review Request : swaggest/json-diff PHP library as Resolved.
Jan 27 2023, 10:41 PM · Linked-Open-Data-Network-Program, Wikibase Product Platform, secscrum, Security, Application Security Reviews

Jan 25 2023

mmartorana closed T326752: Security Issue Access Request for Stevemunene as Resolved.

Hi @Stevemunene - Access has been granted.

Jan 25 2023, 4:28 PM · SecTeam-Processed, Security-Team, Security
mmartorana added a member for Security: Stevemunene.
Jan 25 2023, 4:21 PM

Jan 24 2023

mmartorana added a comment to T316523: Application Security Review Request : swaggest/json-diff PHP library.

Hi @WMDE-leszek - A risk rating of medium requires mitigations to reduce to a lower risk level or risk acceptance/ownership at the manager/director level at the WMF.

Jan 24 2023, 4:22 PM · Linked-Open-Data-Network-Program, Wikibase Product Platform, secscrum, Security, Application Security Reviews

Jan 20 2023

mmartorana moved T316523: Application Security Review Request : swaggest/json-diff PHP library from In Progress to Our Part Is Done on the secscrum board.

Security Review Summary - T316523 - 2023-01-20

Jan 20 2023, 5:15 PM · Linked-Open-Data-Network-Program, Wikibase Product Platform, secscrum, Security, Application Security Reviews

Jan 17 2023

mmartorana added a comment to T326752: Security Issue Access Request for Stevemunene.

Hi SRE and @Stevemunene - Can we get your manager's approval, please?

Jan 17 2023, 7:16 PM · SecTeam-Processed, Security-Team, Security
mmartorana changed the status of T326752: Security Issue Access Request for Stevemunene from Open to In Progress.
Jan 17 2023, 7:14 PM · SecTeam-Processed, Security-Team, Security

Jan 12 2023

mmartorana changed the visibility for T318974: Write and send supplementary release announcement for extensions and skins with security patches (1.35.9/1.38.4/1.39.1).
Jan 12 2023, 7:35 PM · user-sbassett, MediaWiki-Releasing, Security
mmartorana closed T318974: Write and send supplementary release announcement for extensions and skins with security patches (1.35.9/1.38.4/1.39.1) as Resolved.
Jan 12 2023, 7:13 PM · user-sbassett, MediaWiki-Releasing, Security
mmartorana added a comment to T318974: Write and send supplementary release announcement for extensions and skins with security patches (1.35.9/1.38.4/1.39.1).

Supplemental announcement is out!

Jan 12 2023, 7:12 PM · user-sbassett, MediaWiki-Releasing, Security
mmartorana renamed T149488: CVE-2023-22911: E:Widgets does widget replacement in html attributes potentially leading to XSS from E:Widgets does widget replacement in html attributes potentially leading to XSS (CVE-2023-22911) to CVE-2023-22911: E:Widgets does widget replacement in html attributes potentially leading to XSS.
Jan 12 2023, 6:28 PM · Security, MediaWiki-extensions-Widgets, Vuln-XSS
mmartorana renamed T323592: CVE-2023-22910: XSS in Wikibase date formatting from XSS in Wikibase date formatting to CVE-2023-22910: XSS in Wikibase date formatting.
Jan 12 2023, 6:27 PM · MW-1.40-notes (1.40.0-wmf.19; 2023-01-16), SecTeam-Processed, Wikidata Dev Team (Sprint-∞), Vuln-XSS, Wikidata, Security, Security-Team
mmartorana renamed T320987: CVE-2023-22909: [Unplanned, S] Mobile frontend's history makes really slow db queries from CVE-2023-22909: [Unplanned, S] Mobile frontend's history makes really slow db queries (CVE-2023-22909) to CVE-2023-22909: [Unplanned, S] Mobile frontend's history makes really slow db queries.
Jan 12 2023, 6:26 PM · MW-1.40-notes (1.40.0-wmf.12; 2022-11-28), DBA, SecTeam-Processed, Vuln-DoS, MobileFrontend, Security, Security-Team
mmartorana renamed T320987: CVE-2023-22909: [Unplanned, S] Mobile frontend's history makes really slow db queries from [Unplanned, S] Mobile frontend's history makes really slow db queries (CVE-2023-22909) to CVE-2023-22909: [Unplanned, S] Mobile frontend's history makes really slow db queries (CVE-2023-22909).
Jan 12 2023, 6:25 PM · MW-1.40-notes (1.40.0-wmf.12; 2022-11-28), DBA, SecTeam-Processed, Vuln-DoS, MobileFrontend, Security, Security-Team
mmartorana renamed T315123: CVE-2023-22912: CheckUser TokenManager insecurely uses AES-CTR encryption with repeated nonce, allowing an adversary to decrypt from CheckUser TokenManager insecurely uses AES-CTR encryption with repeated nonce, allowing an adversary to decrypt to CVE-2023-22912: CheckUser TokenManager insecurely uses AES-CTR encryption with repeated nonce, allowing an adversary to decrypt.
Jan 12 2023, 6:25 PM · MW-1.40-notes (1.40.0-wmf.19; 2023-01-16), SecTeam-Processed, Vuln-Misconfiguration, Anti-Harassment, CheckUser, Security, Security-Team
mmartorana added a comment to T318974: Write and send supplementary release announcement for extensions and skins with security patches (1.35.9/1.38.4/1.39.1).

Subject: MediaWiki Extensions and Skins Security Release Supplement (1.35.9/1.38.4/1.39.1)

Jan 12 2023, 6:15 PM · user-sbassett, MediaWiki-Releasing, Security

Jan 10 2023

mmartorana updated the task description for T318974: Write and send supplementary release announcement for extensions and skins with security patches (1.35.9/1.38.4/1.39.1).
Jan 10 2023, 10:19 AM · user-sbassett, MediaWiki-Releasing, Security

Jan 5 2023

mmartorana closed T315250: Application Security Review Request : SearchVue extension as Resolved.
Jan 5 2023, 5:53 PM · SDAW-Search-Improvements (Milestone 2: QuickView MVP), Structured-Data-Backlog, secscrum, Security, Application Security Reviews
mmartorana added a comment to T316523: Application Security Review Request : swaggest/json-diff PHP library.

Hi @WMDE-leszek - I am going to post this security review within the next 3 weeks.

Jan 5 2023, 5:52 PM · Linked-Open-Data-Network-Program, Wikibase Product Platform, secscrum, Security, Application Security Reviews

Dec 22 2022

mmartorana moved T315250: Application Security Review Request : SearchVue extension from In Progress to Waiting on the secscrum board.

Security Review Summary - T315250 - 2022-12-22
Last commit reviewed: 58b7f7a

Dec 22 2022, 4:54 PM · SDAW-Search-Improvements (Milestone 2: QuickView MVP), Structured-Data-Backlog, secscrum, Security, Application Security Reviews

Dec 19 2022

mmartorana added a subtask for T322637: CVE-2022-47927: sqlite should not create DB file world-readable: Unknown Object (Task).
Dec 19 2022, 3:27 PM · MW-1.40-notes (1.40.0-wmf.17; 2023-01-02), MW-1.39-notes, MW-1.38-notes, MW-1.35-notes, SecTeam-Processed, Vuln-Misconfiguration, MediaWiki-Installer, SQLite, Security, Security-Team
mmartorana added a comment to T322637: CVE-2022-47927: sqlite should not create DB file world-readable.

Since the risk for this issue is very low, we are not going to deploy it to WMF production at this moment.

Dec 19 2022, 3:25 PM · MW-1.40-notes (1.40.0-wmf.17; 2023-01-02), MW-1.39-notes, MW-1.38-notes, MW-1.35-notes, SecTeam-Processed, Vuln-Misconfiguration, MediaWiki-Installer, SQLite, Security, Security-Team

Dec 9 2022

mmartorana added a comment to T315250: Application Security Review Request : SearchVue extension.

Hey @CBogen - I confirm what @sbassett said; I will post my review within the next two weeks.

Dec 9 2022, 10:22 AM · SDAW-Search-Improvements (Milestone 2: QuickView MVP), Structured-Data-Backlog, secscrum, Security, Application Security Reviews

Dec 6 2022

mmartorana added a comment to T321458: Allow Javascript files from Wikimedia GitLab to be loaded as scripts in Wikimedia wikis.

Hi @Lectrician1 - I wanted to point out that the Security-Team is not disapproving the change; we have just rated it as medium risk.

Dec 6 2022, 4:55 PM · GitLab (Infrastructure), Release-Engineering-Team, MediaWiki-extensions-Gadgets, Security-Team, Security

Dec 5 2022

mmartorana added a comment to T314296: Security review of Phonos Extension.

Note that the flagged "Password Hash with Insufficient Computation Effort" issue is a false positive; in this case, the SHA1 hash is being used as a hash rather than as a password, so there are no security ramifications.

Dec 5 2022, 12:50 PM · Community-Tech (CommTech-Sprint-37), secscrum, Application Security Reviews, Security, MediaWiki-extensions-Phonos
mmartorana moved T321458: Allow Javascript files from Wikimedia GitLab to be loaded as scripts in Wikimedia wikis from Incoming to Our Part Is Done on the Security-Team board.

Hi - The Security-Team has reviewed this proposed feature, and our feedback is that even though we agree that using GitLab as a central repository for userscripts and gadgets would be a good idea, we do not suggest achieving this by removing the nosniff option, as we would be exposed to several kinds of attacks, such as MIME confusion attacks and unauthorized hotlinking. The risk of doing this would be medium.

Dec 5 2022, 11:50 AM · GitLab (Infrastructure), Release-Engineering-Team, MediaWiki-extensions-Gadgets, Security-Team, Security

Nov 28 2022

mmartorana changed the status of T323592: CVE-2023-22910: XSS in Wikibase date formatting from Open to In Progress.
Nov 28 2022, 5:26 PM · MW-1.40-notes (1.40.0-wmf.19; 2023-01-16), SecTeam-Processed, Wikidata Dev Team (Sprint-∞), Vuln-XSS, Wikidata, Security, Security-Team

Nov 24 2022

mmartorana moved T314296: Security review of Phonos Extension from In Progress to Waiting on the secscrum board.
Nov 24 2022, 4:35 PM · Community-Tech (CommTech-Sprint-37), secscrum, Application Security Reviews, Security, MediaWiki-extensions-Phonos
mmartorana added a comment to T314296: Security review of Phonos Extension.

Security Review Summary - T314296 - 2022-11-24
Last commit reviewed: 14ac4b6

Nov 24 2022, 4:33 PM · Community-Tech (CommTech-Sprint-37), secscrum, Application Security Reviews, Security, MediaWiki-extensions-Phonos

Nov 21 2022

mmartorana changed the status of T322637: CVE-2022-47927: sqlite should not create DB file world-readable from Open to In Progress.
Nov 21 2022, 3:03 PM · MW-1.40-notes (1.40.0-wmf.17; 2023-01-02), MW-1.39-notes, MW-1.38-notes, MW-1.35-notes, SecTeam-Processed, Vuln-Misconfiguration, MediaWiki-Installer, SQLite, Security, Security-Team

Nov 14 2022

mmartorana changed the status of T317595: Investigate: Can we load the Create account / Login forms in a modal from an article page? from Open to In Progress.
Nov 14 2022, 12:34 PM · SecTeam-Processed, Performance-Team (Radar), IPBee (IP-Blocked Editor Experience)
mmartorana changed the status of T321458: Allow Javascript files from Wikimedia GitLab to be loaded as scripts in Wikimedia wikis from Open to In Progress.
Nov 14 2022, 12:26 PM · GitLab (Infrastructure), Release-Engineering-Team, MediaWiki-extensions-Gadgets, Security-Team, Security
mmartorana triaged T321458: Allow Javascript files from Wikimedia GitLab to be loaded as scripts in Wikimedia wikis as Low priority.
Nov 14 2022, 12:25 PM · GitLab (Infrastructure), Release-Engineering-Team, MediaWiki-extensions-Gadgets, Security-Team, Security

Oct 18 2022

mmartorana closed T308495: Application Security Review Request : Pinia as Resolved.

Hi @AnneT - Thanks for investigating these issues. The review came in as low risk, so I am just going to resolve this ticket for the moment.

Oct 18 2022, 5:57 PM · secscrum, Security, Application Security Reviews

Oct 13 2022

mmartorana edited projects for T240870: Audit the WMF LDAP group and limit its permissions, added: SecTeam-Processed; removed Security-Team.

Do we need an overall WMF group at all? Would a group per service be better from a granularized access point of view and for annual access auditing?

Oct 13 2022, 4:30 PM · Infrastructure-Foundations, SecTeam-Processed, LDAP
mmartorana edited projects for T88044: Make rollback use POST instead of GET (use AJAX in GUI), added: SecTeam-Processed; removed Security-Team.

Hi @Dreamy_Jazz - We appreciate the mention, but unfortunately we do not plan to work on this issue anytime soon.

Oct 13 2022, 3:59 PM · SecTeam-Processed, Vuln-Misconfiguration, MediaWiki-Page-history, Performance-Team (Radar), User-notice, MediaWiki-Page-diffs

Oct 11 2022

mmartorana added a comment to T308495: Application Security Review Request : Pinia.

Hi @AnneT - even though my review has an overall risk of low, do you have any plans for addressing those issues?

Oct 11 2022, 9:42 AM · secscrum, Security, Application Security Reviews

Oct 10 2022

mmartorana added a project to T88044: Make rollback use POST instead of GET (use AJAX in GUI): Vuln-Misconfiguration.
Oct 10 2022, 3:03 PM · SecTeam-Processed, Vuln-Misconfiguration, MediaWiki-Page-history, Performance-Team (Radar), User-notice, MediaWiki-Page-diffs

Oct 6 2022

mmartorana updated the task description for T311785: Write and send supplementary release announcement for extensions and skins with security patches (1.35.8/1.37.5/1.38.3).
Oct 6 2022, 5:46 PM · user-sbassett, MediaWiki-Releasing, Security
mmartorana updated the task description for T311785: Write and send supplementary release announcement for extensions and skins with security patches (1.35.8/1.37.5/1.38.3).
Oct 6 2022, 5:37 PM · user-sbassett, MediaWiki-Releasing, Security
mmartorana added a comment to T311785: Write and send supplementary release announcement for extensions and skins with security patches (1.35.8/1.37.5/1.38.3).

Subject: MediaWiki Extensions and Skins Security Release Supplement (1.35.8/1.37.5/1.38.3)

Oct 6 2022, 5:00 PM · user-sbassett, MediaWiki-Releasing, Security
mmartorana updated the task description for T311785: Write and send supplementary release announcement for extensions and skins with security patches (1.35.8/1.37.5/1.38.3).
Oct 6 2022, 4:41 PM · user-sbassett, MediaWiki-Releasing, Security
mmartorana updated the task description for T311785: Write and send supplementary release announcement for extensions and skins with security patches (1.35.8/1.37.5/1.38.3).
Oct 6 2022, 4:39 PM · user-sbassett, MediaWiki-Releasing, Security
mmartorana updated the task description for T311785: Write and send supplementary release announcement for extensions and skins with security patches (1.35.8/1.37.5/1.38.3).
Oct 6 2022, 4:37 PM · user-sbassett, MediaWiki-Releasing, Security

Oct 5 2022

mmartorana closed T311337: CVE-2022-39193: Edits with the performer suppressed still show the performer in results from the CheckUser extension as Resolved.
Oct 5 2022, 10:03 AM · MW-1.40-notes (1.40.0-wmf.19; 2023-01-16), Platform Engineering, Vuln-Infoleak, CheckUser, Security, Security-Team
mmartorana changed the visibility for T308861: CVE-2022-39191: OAuth debug log includes consumer secrets.
Oct 5 2022, 10:02 AM · MW-1.40-notes (1.40.0-wmf.5; 2022-10-10), Patch-For-Review, user-sbassett, SecTeam-Processed, Vuln-Infoleak, MediaWiki-extensions-OAuth, Security, Security-Team
mmartorana closed T308861: CVE-2022-39191: OAuth debug log includes consumer secrets as Resolved.
Oct 5 2022, 10:01 AM · MW-1.40-notes (1.40.0-wmf.5; 2022-10-10), Patch-For-Review, user-sbassett, SecTeam-Processed, Vuln-Infoleak, MediaWiki-extensions-OAuth, Security, Security-Team

Oct 4 2022

mmartorana added a comment to T311785: Write and send supplementary release announcement for extensions and skins with security patches (1.35.8/1.37.5/1.38.3).

+ (T308861, CVE-2022-39191) - OAuth debug log includes consumer secrets
https://gerrit.wikimedia.org/r/c/mediawiki/extensions/OAuth/+/817860

Oct 4 2022, 3:27 PM · user-sbassett, MediaWiki-Releasing, Security

Sep 26 2022

mmartorana moved T308495: Application Security Review Request : Pinia from In Progress to Waiting on the secscrum board.
Sep 26 2022, 4:03 PM · secscrum, Security, Application Security Reviews
mmartorana added a comment to T308495: Application Security Review Request : Pinia.

Security Review Summary - T308495 - 2022-09-26

Sep 26 2022, 4:03 PM · secscrum, Security, Application Security Reviews

Sep 20 2022

mmartorana added a comment to T316414: CVE-2022-39193: Special:Investigate can expose suppressed information in check results.

Hi Anti-Harassment team, do you have any interest in working on the porting of this patch?

Sep 20 2022, 2:44 PM · MW-1.40-notes (1.40.0-wmf.19; 2023-01-16), SecTeam-Processed, Vuln-Infoleak, CheckUser, Anti-Harassment, Security, Security-Team

Sep 15 2022

mmartorana moved T312820: CVE-2022-41346: Special:OAuth/rest_redirect does unrestricted redirects from Incoming to Security Patch To Deploy on the Security-Team board.

Hi @Tgr - thank you for your patch.

Sep 15 2022, 5:04 PM · MediaWiki-extensions-OAuth, Vuln-OpenRedirect, Security, Security-Team