On Thu, Mar 17, 2016 at 5:27 AM, John wrote:
> Be aware that using any other page than Special:UserLogin to login can
> cause account compromises or session hijacking.
>
To clarify, any administrator on your site will be able to add javascript
that could read your
Hi Jasmine,
There are a lot of things that can go wrong. Are you saying the global
account exists, but the user can't login to a wiki where they aren't
attached (and would then be autocreated)? If so, make sure there isn't an
existing, unattached account with the same name, which would prevent
I use that configuration, and it works ok. I'm running almost master.
Make sure you have enough free cache that nothing is being evicted.
On Tue, Nov 3, 2015 at 12:47 PM, Tim Dunphy wrote:
> Hey guys,
>
> I notice that there's no way to log into my wiki if I have these
I've seen similar issues when memcached is getting close to its max
capacity. Make sure stuff isn't getting evicted frequently.
You can also look up the memcache key generation in the User class and look
up the key directly, but I don't recall there being a good way to check it
otherwise.
On Oct
You should add them.
MediaWiki will set X-Frame-Options: DENY by default on API results and edit
pages, but if you have a login box on every page, then you'll need to set
that from your webserver for every page (or you could add a patch to
mediawiki to do it).
>
> Ad
>
>
> Op 30 sep.
esen.name/]
>
> On 2015-09-30 9:33 AM, Tyler Romeo wrote:
> > Is there a bug filed for that?
> > On Sep 30, 2015 12:13, "Daniel Friesen" <dan...@nadir-seen-fire.com>
> wrote:
> >
> >> On 2015-09-30 8:48 AM, Chris Steipp wrote:
> >>>
Hi Ad,
There are some security considerations if you're going to do that:
* We disable site and user .js on Special:UserLogin, so a malicious admin
can't add password sniffing javascript to the login page
* We disable framing the page to prevent various redressing attacks
* If your site is mixed
With core mediawiki, not really. There is a user_touched timestamp on the
user table which is updated when the user logs in or does various other
things on the site.
There is also the account audit extension which the WMF used to use to
track login timestamp. That sounds like what you want.
On
/index.php/mediawiki-bridge
or
http://www.bestofjoomla.com/component/option,com_mtree/task,viewlink/link_id,1046/Itemid,46/
I haven't personally used either of those, but possibly someone else on the
list has?
On Mon, Jul 27, 2015 at 2:30 PM, Chris Steipp cste...@wikimedia.org
wrote:
You
You can have both authenticate to the same ldap instance to have
synchronized logins. Or synchronize the password hashes and extend
MediaWiki's password class to use the Joomla format.
But if you want true SSO, you'll need to have Joomla provide identities or
setup Joomla to consume MediaWiki's
Hello everyone,
The ConfirmEdit extension in the 1.25.0 tarball contained a syntax error in
two JSON files. We deeply apologize for this error, and thanks to Paul
Villiger for reporting the issue. A new 1.25.1 tarball has been released
which fixes the issue. Users using git can update to the
Extension:OAuthAuthentication? There are directions they're for enwiki, but
loginwiki would be just a slight variation. If you run into issues, let me
know.
On Apr 4, 2015 12:18 PM, Ivan Shmakov i...@siamics.net wrote:
I see that there exists at least one extension [1] to
I would like to announce the release of MediaWiki 1.24.2, 1.23.9 and
1.19.24. These releases fix 10 security issues, in addition to other bug
fixes. Download links are given at the end of this email.
== Security fixes ==
* iSEC Partners discovered a way to circumvent the SVG MIME blacklist for
This is a notice that on Tuesday, March 31st between 21:00-22:00 UTC (2-3pm
PDT) Wikimedia Foundation will release security updates for current and
supported branches of the MediaWiki software. Downloads and patches will be
available at that time.
That's the xml namespace of an element, which we whitelist since a number
of namespaces introduce ways to execute javascript.
You can add it to the list in UploadBase.php, and feel free to push the
change back up and I'll add it if it looks sane.
On Thu, Mar 26, 2015 at 11:29 AM, Bill Traynor
On Tue, Jan 27, 2015 at 5:26 PM, Chris Tharp tharpena...@gmail.com wrote:
I agree completely with Boris about access control. Only with a combination
of two extensions: Lockdown and SemanticACL have I ever been able to get to a
reasonable level of access control that I desired for my wikis.
I haven't run SLES in a few years, but your issue might be apparmor
preventing writes in the web root. Is your webserver listed when you
run aa-status?
On Tue, Nov 11, 2014 at 5:52 AM, Katharina Wolkwitz wolkw...@fh-swf.de wrote:
Hello everybody,
I'm running my mediawiki-installation in a
On Thu, Nov 6, 2014 at 11:41 AM, Derric Atzrott
datzr...@alizeepathology.com wrote:
This seems completely reasonable to me. I'd merge it personally. Is there
any reason not to?
It's fairly easy to inject javascript via css, so merging that patch
means an admin can run javascript on the
On Fri, Oct 24, 2014 at 1:34 PM, Arcane 21 arc...@live.com wrote:
Spammers might be using something similar to the IPfuck Firefox/Chrome
extension, which fakes an IP address instead of allowing the real IP to be
recorded, not sure how we can defend against that sort of thing at present.
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256
A number of security issues in MediaWiki extensions have been fixed.
Users of these extensions should update to the latest version.
* CentralAuth: Internal review found multiple issues that have been resolved:
** (bug 70469) Special:MergeAccount
It could be the user object in your cache. Try eval.php to do something like:
$u = User::newFromName( 'someuser' );
$u->setPassword( 'somepass' );
$u->saveSettings();
On Wed, Sep 24, 2014 at 11:23 PM, Tongjie Li snow8...@gmail.com wrote:
hi,all
I have a question of how to reset
I don't know of an extension that does OAuth logins as a client, that
would be compatible with Linkedin. I think there is an extension for
Google login, which should be based on OAuth2/OIDC, which would
probably work.
Extension:OAuth is for running an OAuth 1.0a server, which would allow
other
On Mon, Aug 18, 2014 at 6:29 AM, Ad Strack van Schijndel
ad.strackvanschijn...@gmail.com wrote:
What security aspects are you referring to?
OAuth itself is only meant for authorization, so if you make a call to
find out information about the current user (it looks like linkedin
encourages using
You should be able to temporarily set $wgDisableUploadScriptChecks to false.
On Mon, Jul 21, 2014 at 5:27 AM, David Gerard dger...@gmail.com wrote:
By default, MediaWiki sensibly blocks upload of SVGs with links.
However, we'd like to upload some to our intranet wiki (1.19). Is
there a
On Mon, Jun 16, 2014 at 9:08 AM, Daniel Barrett d...@vistaprint.com wrote:
In the past few weeks, we've been seeing the Loss of session data error
message in our wiki frequently when users try to save their edited articles
(and the save fails). Our best guess is that memcached, which stores
Legoktm's global css/js is a step towards this (I can't remember why
that isn't deployed yet). Loginwiki is probably the wrong place to
store global preferences, but you're right it sets precedent for
having a centralized wiki managing an aspect of the user's session.
The big SUL finalization
You would get that error if libxml can't parse the xml in the svg file.
Either you have a corrupted file, or the file had invalid xml and was
uploaded before we actually checked that the whole file was parsed.
On Wed, May 28, 2014 at 7:43 AM, Bill Traynor btray...@gmail.com wrote:
I'm trying
On Wed, Apr 30, 2014 at 11:52 AM, Glen glen...@gmail.com wrote:
Hi,
I want to log a user into our wiki if they are logged into our website.
I assume that I need to use the UserLoadFromSession hook, but at this
point in the code, the MW session is already active. Does it make sense to
close
Yeah, that was an accident that they were deleted. It's easy to regenerate
them from the repo, I just haven't gotten around to it. If anyone wants to
help, I'm happy to review and upload.
On Mar 2, 2014 12:37 PM, K. Peachey p858sn...@gmail.com wrote:
There is an open bug about their missing state
Hi Nemo,
I don't want to make any promises for Mark and Markus, but I believe there
are plans to do another release soon to close more of the bugfixes. I asked
them to hold off on combining too many bug fixes with the last security
release, since I wanted to make it easy for everyone to apply the
Hi lists,
If you haven't patched with the last security release, or know of a wiki
that hasn't patched yet, please do so immediately. An exploit was released
on the full disclosure mailing list over the weekend[1] that targets the
vulnerability in the PdfHandler extension.
If you're not able to
I would like to announce the release of MediaWiki 1.22.2, 1.21.5 and
1.19.11.
Your MediaWiki installation is affected by a remote code execution
vulnerability if you have enabled file upload support for DjVu (natively
supported by MediaWiki) or PDF files (in combination with the PdfHandler
This is a notice that on Tuesday, Jan 28th between 21:00-22:00 UTC (1-2pm
PST) Wikimedia Foundation will release critical security updates for
current and supported branches of the MediaWiki software and extensions.
Downloads and patches will be available at that time, with the git
repositories
On Jan 22, 2014 7:29 AM, Al alj62...@yahoo.com wrote:
Hi,
I have SSL setup and working with apache and can browse the site with
http or https, but does anyone know how to make mediaWiki switch to https
when logging on? Or, at the very least, switch temporarily just for the
login?
If you can
On Sat, Jan 11, 2014 at 2:05 AM, Till Kraemer i...@till-kraemer.com wrote:
# Activates the redirect to the central login wiki
#$wgCentralAuthLoginWiki = 'poolwiki';
Things will work a little better if you have a central wiki defined. Since
you have a poolwiki, you may want to make that
On Mon, Jan 13, 2014 at 11:52 AM, Till Kraemer i...@till-kraemer.com wrote:
Hi Chris,
thanks a lot for your help!
Things will work a little better if you have a central wiki defined.
Since
you have a poolwiki, you may want to make that central. Users should
never
know it's there, but
I would like to announce the release of MediaWiki 1.22.1, 1.21.4 and
1.19.10.
These releases fix a number of security related bugs that could affect
users of
MediaWiki. In addition, MediaWiki 1.22.1 is a maintenance release. It fixes
several bugs. You can consult the RELEASE-NOTES-1.22 file for
This is a notice that on Tuesday, January 14th between 00:00-01:00 UTC
(*Monday* January 13th, 4-5pm PST) Wikimedia Foundation will release
security updates for current and supported branches of the MediaWiki
software, as well as several extensions. Downloads and patches will be
available at that
On Dec 12, 2013 8:05 AM, John phoenixoverr...@gmail.com wrote:
An even easier solution would be to get a javascript gadget that grabs the
current page title and saves it along with on a log page
If you need something simple, do this. It should honestly be about 10 lines
of JavaScript.
If
That's odd. I don't think it's intentional that those are missing.
Here's the core patch for 1.19.7-1.19.8 in the meantime.
On Wed, Nov 20, 2013 at 3:37 AM, David Gerard dger...@gmail.com wrote:
I thought I should probably upgrade our intranet wikis from 1.19.7 to
1.19.9.
I go to
Seems mediawiki-l strips them. I blame marktraceur.
http://pastebin.com/cifbq6w1
On Wed, Nov 20, 2013 at 11:06 AM, David Gerard dger...@gmail.com wrote:
On 20 November 2013 18:52, Chris Steipp cste...@wikimedia.org wrote:
That's odd. I don't think it's intentional that those are missing
I would like to announce the release of MediaWiki 1.21.3, 1.20.8 and
1.19.9. These releases fix 2 security related bugs that could affect users
of MediaWiki. Download links are given at the end of this email.
* Kevin Israel (Wikipedia user PleaseStand) identified and reported two
vectors for
Hi Killian,
Our build scripts packaged the wrong extension branch with the initial
tarballs I released. If you redownload them, you should get the correct
version of Vector.
Apologies for that.
On Thu, Nov 14, 2013 at 4:16 PM, Kilian Evang maschinenr...@texttheater.net
wrote:
Hi all,
the
On Wed, Nov 13, 2013 at 1:59 AM, Nathan Larson
nathanlarson3...@gmail.com wrote:
You're right; if more wikis were to switch off nofollow, it almost
certainly would encourage spammers to target MediaWiki more. That in turn
would likely tend to prompt affected site owners to install more/better
This is a notice that on Thursday, November 14th between 21:00-22:00 UTC
(1-2pm PST) Wikimedia Foundation will release security updates for current
and supported branches of the MediaWiki software, as well as several
extensions. Downloads and patches will be available at that time.
I'm opposed to this change. A site administrator with a big enough
community to address spammy links, and wants to enable this feature, is
likely savvy enough to change the preference from true to false.
I think setting this to false by default is going to encourage spam bot
authors to target
I'm not sure if I fully recommend it, but I've gotten around this by adding
a conditional in my LocalSettings.php to set $wgServer to the ip
if $_SERVER[REMOTE_ADDR] looks like my local network. Probably safe
enough for temporary access.
$wgServer is used to construct urls, like the css links, so
If you're using centos 6, definitely try *temporarily* disabling selinux to
make sure your policy isn't preventing access.
On Nov 3, 2013 11:29 AM, Tony Robinson deusexmachina...@gmail.com wrote:
Hello,
I'm trying to install MediaWiki on CentOS with php-fpm, memcached, and
nginx over SSL. If
It accepts a pretty wide range of formats (see IP::parseRange()). So,
ip_in_range(user_name, '127.0.0.1/16')
ip_in_range(user_name, '127.0.0.1')
ip_in_range(user_name, '127.0.0.0-127.0.255.255')
Will all trigger for a localhost editor.
On Wed, Oct 23, 2013 at 3:32 AM, Al alj62...@yahoo.com
There is a fallback to local wiki authentication, if your LDAP config
doesn't prevent it. Iirc by default the LDAP extension does disable it
however.
For a quick fix, you can disable the extension (comment out the include in
your LocalSettings.php), then login with any account in your database that
The default is md5( $salt - md5( $password ) ). So salt and 2 hashes.
On Thu, Oct 3, 2013 at 3:15 PM, Wjhonson wjhon...@aol.com wrote:
Does the Mediawiki software use a simple hashing on the passwords?
Or are they also salted?
Hi Ken, I've run MediaWiki on RHEL 5 and 6 several times. You shouldn't
have any issues with it (although watch out for selinux blocking writes to
the default upload directory). Can you describe what problems you're
having? Are you unzipping the tarball into the web root, or are you using
the epel
I would like to announce the release of MediaWiki 1.21.2, 1.20.7 and
1.19.8. These releases fix 3 security related bugs that could affect users
of MediaWiki. Download links are given at the end of this email.
* Mozilla, and other developers, reported a full path disclosure in
MediaWiki, when an
Oh, and if that's not it, make sure you have the image directory setup to
point to the right place (which it should by default), and make sure any
mandatory access control (apparmor/selinux) is configured to allow access
too.
On Jun 18, 2013 7:54 AM, Alex Monk kren...@gmail.com wrote:
It sounds
On Tue, May 28, 2013 at 9:14 AM, Jamie Thingelstad
ja...@thingelstad.com wrote:
I can — Nemo was referencing some dialog we had while I was trying to figure
out performance issues on my farm.
You can see the whole dialog, with graphs, here:
Hi Zeng,
If the external site is just another web application on a different
domain, then this is probably not possible. At least, not possible to
do in a secure way.
If they share a domain, and mediawiki can read (and verify, and use)
the other website's cookies, then you could write your own
On Fri, May 24, 2013 at 6:09 PM, Daniel Friesen
dan...@nadir-seen-fire.com wrote:
On Fri, 24 May 2013 13:41:04 -0700, Al Johnson alj62...@yahoo.com wrote:
Maybe mediawiki sites can unite to keep a global list of these IP's and
block them as soon as they are submitted. Each mediawiki site can
On Sat, May 25, 2013 at 2:56 AM, Mark A. Hershberger m...@everybody.org wrote:
I run a spam/virus filtering email relay for some clients and I agree
with most of what Richard says:
Everything that's being discussed has already been done to combat
email spam. It seems the appropriate thing to
On Wed, May 22, 2013 at 10:07 AM, halz halz_antis...@yahoo.co.uk wrote:
If you've ever set up a fresh MediaWiki and tried to leave it open to
editing, you'll know about the problem of wiki spam. There's various well
documented tricks to tackle the problem on your own wiki (although it seems
I would like to announce the release of MediaWiki 1.20.6 and 1.19.7.
These releases fix a security related issue that could affect users of
MediaWiki. Download links are given at the end of this email.
* MediaWiki user Marco discovered that security checks for file
uploads were not being run when
This is a notice that on Tuesday, May 21st between 20:00-21:00 UTC
(1-2pm PDT) Wikimedia Foundation will release security updates for
current and supported branches of the MediaWiki software. Downloads
and patches will be available at that time, with the git repositories
updated later that
On Wed, May 8, 2013 at 10:14 AM, George Tsirigotakis
tsirigotakis.geo...@gmail.com wrote:
Hey Chad,
Thank you for replying!
I'm new at this, so I'd like to ask you another couple of questions:
1. How can I write an AuthPlugin? Is there a tutorial?
http://www.mediawiki.org/wiki/AuthPlugin is
I would like to announce the release of MediaWiki 1.20.5 and 1.19.6.
These releases fix 2 security related issues that could affect users
of MediaWiki. Download links are given at the end of this email.
* Jan Schejbal / Hatforce.com reported that SVG script filtering could
be bypassed for Chrome
This is a notice that on Tuesday, April 30th between 20:00-21:00 UTC
(1-2pm PDT) Wikimedia Foundation will release security updates for
current and supported branches of the MediaWiki software. Downloads
and patches will be available at that time, with the git repositories
updated later that
I would like to announce the release of MediaWiki 1.20.4 and 1.19.5.
These releases fix 3 security related bugs that could affect users of
MediaWiki. Download links are given at the end of this email.
* An internal review discovered that specially crafted Lua function
names could lead to XSS.
On Sat, Mar 30, 2013 at 11:16 AM, Mark A. Hershberger m...@everybody.org
wrote:
On 03/30/2013 12:47 PM, Dan Fisher wrote:
Is it a problem? Yes, they're constantly trying to break in and that
increases CPU usage. I don't have any analysis to prove it
I suggest that you rely on some proof.
SPF can help, and is easy to setup.
If you are already blocked by an individual provider (google in this case),
then you usually have to contact them directly and let them know what
you've done to make sure your domain isn't going to spam again. Also check
and make sure your domain isn't on any
On Thu, Feb 21, 2013 at 7:22 AM, Mark A. Hershberger m...@everybody.org wrote:
On 02/20/2013 09:55 PM, Al Johnson wrote:
Can anyone recommend a spam filter whereby one can specify a filter
pattern along with the specific page to which the filter applies
AND can be accessed and modified via the
I can help with
something organizational).
Any more details from the people who made the request would be nice--
like is this for an extension with a special page vs parser functions?
Mariya
On Mon, Jan 28, 2013 at 8:15 PM, Chris Steipp cste...@wikimedia.org wrote:
Maria, I found your list
Maria, I found your list to be very helpful. Thanks for putting that together!
On Mon, Jan 28, 2013 at 8:26 AM, Yury Katkov katkov.ju...@gmail.com wrote:
Hi Maria! Let me clarify the situation about access control. There are
several dozens of ways (!) to get the information of a wiki page - and
Hi Thomas, you can do that with AbuseFilter, and a rule that has the conditions:
!autoconfirmed in user_groups
length(added_links) > 0
And in the action section, select Prevent the user from performing
the action in question
On Fri, Dec 21, 2012 at 1:46 PM, Thomas U. Grüttmüller
MediaWiki security release: 1.20.1, 1.19.3 and 1.18.6
I would like to announce the release of MediaWiki 1.20.1, 1.19.3 and
1.18.6. These releases fix 3 security related bugs that could affect
users of MediaWiki. Download links are given at the end of this email.
Please note that support for the
On Thursday, November 29th, between 21:00-22:00 UTC (1-2pm PST)
Wikimedia Foundation will release security updates for current and
supported branches of the MediaWiki software. We are providing this
pre-announcement as a courtesy for administrators to be ready to
accept the fix for these on
I was thinking it sounded like a chroot or mandatory access control
issue. If you work out the transition rules for SELinux, please share!
I've been working on getting AppArmor profiles defined for several of
the external applications we call. I'll add one for clamav, in case
that's an option for
It's possible, but it would be a little ugly. You could write a web
frontend to what would basically be a proxy handling the work on the
backend over the api. However, there is no secure way for a user to
login through something like that, so all of the edits would have to
come from your app and
A fairly detailed (if not super easy to use) place to start is
http://www.mediawiki.org/wiki/Anti-spam_features, which points to
various extensions that can help out.
For a popular site, you'll need a holistic strategy for dealing with
spam, which will include a few different tools, possibly
I would like to announce the release of MediaWiki 1.19.2 and 1.18.5.
These releases fix 6 security related bugs that could affect users of
MediaWiki. Download links are given at the end of this email.
* Wikipedia administrator Writ Keeper discovered a stored XSS (HTML
injection) vulnerability.