[Wikitech-l] [x-post] Wikimedia Language team office hour and online meeting on March 21, 2018 (Wednesday) at 1300 UTC

2018-03-14 Thread Runa Bhattacharjee
[x-posted announcement]

Hello,

Wikimedia Foundation’s Language team would like to invite you for an online
office hour session scheduled for Wednesday, March 21st, 2018 at 13:00 UTC.
This will be an open session to talk about our work, and in particular the
changes to interlanguage links, which were recently rolled out on the
English Wikipedia.

The new option shows a list of up to 9 languages instead of a long list
that can have more than 200 items, and a panel with all the links that can
be looked up in any language using a search box. The purpose of this
feature is to make articles in all languages easier to find. We recently
published a blog post about this feature and the thoughts behind the
development:

https://blog.wikimedia.org/2018/03/08/compact-language-links-launch.

This session is going to be an online discussion over Google
Hangouts/Youtube with a simultaneous IRC conversation. Due to the
limitation of Google Hangouts, only a limited number of participation slots
are available. Hence, do please let us know in advance if you would like to
join in the Hangout. The IRC channel will be open for interactions during
the session.

Please read below for the event details, including local time and YouTube
session links, and do let us know if you have any questions.

Thank you
Runa

== Details ==

# Event: Wikimedia Foundation Language office hour session

# When: March 21st, 2018 (Wednesday) at 13:00 UTC (check local time
http://www.timeanddate.com/worldclock/fixedtime.html?iso=20180321T1300)

# Where: and on IRC #wikimedia-office (Freenode) and
https://www.youtube.com/watch?v=RmZcL6zVcTA


# Agenda:
Discussion about Compact Language Links, and Q & A.


-- 
Engineering Manager, Language (Contributors)
Wikimedia Foundation
___
Wikitech-l mailing list
Wikitech-l@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/wikitech-l

Re: [Wikitech-l] What ways are there to include user-edited JavaScript in a wiki page? (threat model: crypto miners)

2018-03-14 Thread MZMcBride
David Gerard wrote:
>What ways are there to include user-edited JavaScript in a wiki page?
>
>[...]
>
>You can't see it now, but it was someone including a JavaScript
>cryptocurrency miner in common.js!
>
>Obviously this is not going to be a common thing, and common.js is
>closely watched. (The above edit was reverted in 7 minutes, and the
>user banned.)
>
>But what are the ways to get user-edited JavaScript running on a
>MediaWiki, outside one's own personal usage? And what permissions are
>needed? I ask with threats like this in mind.

There's an old post of mine that documents some of the ways to inject
site-wide JavaScript:


I believe, as Brian notes in this thread, that most methods require having
the "editinterface" user right so that you can edit wiki pages in the
"MediaWiki" namespace. By default, this user right is assigned to the
"sysop" user group, but if you search through
 for the string
"editinterface", you can see that on specific wikis such as fawiki, this
user right has been assigned to additional user groups.

Jon Robson wrote:
>It has always made me a little uneasy that there are wiki pages where
>JavaScript could potentially be injected into my page without my approval.
>To be honest if I had the option I would disable all site and user scripts
>for my account.

You could file a Phabricator task about this. We already specifically
exempt certain pages, such as Special:UserLogin and Special:Preferences,
from injecting custom JavaScript. We could potentially add a user
preference to do what you're suggesting.

That said, you're currently executing thousands upon thousands of lines of
code on your computer that you've never read or verified. If you're a
standard computer user, you visit hundreds of Web sites per year that each
execute thousands of lines of untrusted scripts that you've never read or
verified. Of all the places you're likely to run into trouble, Wikimedia
wikis are, in many ways, some of the safest. Given all of this code, your
computer, as well as mine, is vulnerable to dozens of very real attacks
at any time. And yet we soldier on without too much panic or worry.

>Has this sort of thing happened before?

Salon.com recently prompted users with ad blocking software installed to
voluntarily mine cryptocurrency: .
This situation on fa.wikipedia.org was obviously involuntary. I don't know
of any similar incidents. We have had wiki administrators inadvertently
inject scripts with privacy issues, such as Google Analytics. These
scripts have generally been promptly removed when noticed. On the other
hand, pages such as  have been loading the
same problematic scripts (Google Analytics and JavaScript from
ajax.googleapis.com) for years and nobody seems to have cared enough yet.

>Can we be sure there isn't a gadget, interface page that has this sort of
>code lurking inside? Do we have any detection measures in place?

A much surer bet is that at least some gadgets and other site-wide
JavaScript have privacy issues and potentially security issues. It would
be shocking if, across the hundreds of Wikimedia wikis, none of them did.

I think in the past Timo and maybe Alex Monk have done some surveying of
public Wikimedia wikis using a browser or browser emulator to check if
there are network requests being made to non-Wikimedia domains. As Lucas
noted in this thread already, there are also tasks such as
 that could be worked on, if
there's sufficient interest.

MZMcBride




[Wikitech-l] PHP profiling - Now covering multiversion and wmf-config

2018-03-14 Thread Krinkle
Hi all,

TL;DR: When using X-Wikimedia-Debug to profile web requests on Wikimedia
wikis, the generated profile information will now include details from
"w/index.php", and MWMultiVersion, and things like
wmf-config/CommonSettings.php. Details at
https://phabricator.wikimedia.org/T180183.

-

The debug profiler provided on Wikimedia production wikis[1] previously
could not cover the code that executes before MediaWiki core instantiates
ProfilerXhprof, which was in charge of calling `xhprof_enable`. This
normally happens within core's Setup.php.

While that point in Setup.php is before any important MediaWiki core logic,
it misses out on two other chunks of code:

1. Initialisation of MediaWiki core – This includes entry point code (e.g.
index.php, PHPVersionCheck), but also the first steps of Setup before
Profiler, such as AutoLoader, vendor, and LocalSettings.php. At WMF,
LocalSettings.php loads wmf-config/InitialiseSettings.php and
wmf-config/CommonSettings.php.

2. Wrapping of MediaWiki entrypoint – At Wikimedia, the index.php
entrypoint is itself further wrapped in something called "multiversion".
Multiversion is what determines the wiki ID (e.g. "enwiki") and MediaWiki
branch (e.g. "1.31.0-wmf.25") associated with the current domain (e.g.
"en.wikipedia.org").

Over the past weeks, I've been refactoring MediaWiki core, wmf-config and
Wikimedia's HHVM settings to make sure we can instrument the above code as
part of our performance profiles.

This change happened in three phases:

## 1. Update wmf-config/StartProfiler to... actually start the profiler!

The file name is somewhat deceptive because traditionally this is (and can
be) only used to *configure* the profiler, by assigning $wgProfiler. It
makes sense that we cannot instantiate the Profiler subclass from this
file, because the classes and run-time configuration are not and cannot be
available this early.

However, we don't need the Profiler class to record data. The Profiler
classes typically obtain their data from native PHP. The one used at WMF is
XHProf. Previously, we would assign $wgProfiler['class'] = 'ProfilerXhprof',
and then later MediaWiki core instantiates ProfilerXhprof, which then calls
xhprof_enable. We now call xhprof_enable directly from StartProfiler.php.

This change enabled coverage of code in Setup.php between 'include
StartProfiler' and 'Profiler::instance()'. – Mainly: vendor, LocalSettings,
wmf-config.

## 2. Update MediaWiki core to include StartProfiler earlier.

It is now the first thing included by Setup.php.

This change enabled coverage of code in Setup.php that previously was
before 'include StartProfiler'. – Namely: AutoLoader.php, Defines.php.

## 3. Configure WMF's PHP engine to use auto_prepend_file

This is the big one, and requires a PHP ini setting change. Third parties
can follow the same pattern in order to get the same benefits:
* Put `xhprof_enable( $flags )`, along with any sampling/conditional
logic, in a separate file.
* Use it from two places:
** In StartProfiler.php, include using require_once.
** In php.ini, set auto_prepend_file=path/to/profiler.php.

This change enabled coverage of all remaining code. – Namely: multiversion,
w/index.php and things like PHPVersionCheck.

## Example

Using cURL:

$ curl -H 'X-Wikimedia-Debug: 1' 'https://en.wikipedia.beta.wmflabs.org/w/load.php?debug=false=startup=scripts=1'

Output now includes:
- main() # resembles the wrapper at
operations/mediawiki-config.git:/w/load.php
-- run_init::/srv/mediawiki/multiversion/MWMultiVersion.php
-- MWMultiVersion::getMediaWiki
-- run_init:/srv/mediawiki/php-../load.php
-- run_init::/srv/mediawiki/php-../includes/Setup.php
-- run_init::/srv/mediawiki/php-../LocalSettings.php
-- run_init::/srv/mediawiki/wmf-config/CommonSettings.php
-- run_init::/srv/mediawiki/php-../extensions/Wikibase/client/WikibaseClient.php

Greetings,
-- Timo Tijhof

[0] https://phabricator.wikimedia.org/T180183
[1] https://wikitech.wikimedia.org/wiki/X-Wikimedia-Debug
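The auto_prepend_file pattern from step 3 above, as an added example that is not Wikimedia's StartProfiler.php or wmf-config code. It assumes an xhprof-style extension providing xhprof_enable/xhprof_disable; the EXAMPLE_PROFILER_ALLOW environment variable, the "sample=N" header parameter and the output directory are constructed for this example.

```php
<?php
// profiler.php: added example of the pattern described in step 3 above; not
// Wikimedia's own StartProfiler.php or wmf-config code. It is loaded from two
// places, php.ini (auto_prepend_file=/path/to/profiler.php) and, as the
// fallback for setups without that ini change, `require_once` from
// StartProfiler.php. Whichever runs first starts xhprof; the other is a no-op.

if ( defined( 'EXAMPLE_PROFILER_LOADED' ) ) {
    return; // already prepended by php.ini, so the later require_once does nothing
}
define( 'EXAMPLE_PROFILER_LOADED', true );

/**
 * Decide whether this request should be profiled.
 *
 * Assumption (as in the post's setup): X-Wikimedia-Debug is only honoured on
 * dedicated debug backends. On a public backend an arbitrary client header must
 * not be able to switch profiling on, since xhprof slows every call and the
 * written profile exposes server file paths, so this also requires a
 * server-side opt-in, the hypothetical EXAMPLE_PROFILER_ALLOW environment variable.
 */
function exampleProfilerShouldRun( array $server ): bool {
    if ( getenv( 'EXAMPLE_PROFILER_ALLOW' ) !== '1' ) {
        return false;
    }
    if ( !isset( $server['HTTP_X_WIKIMEDIA_DEBUG'] ) ) {
        return false;
    }
    // Optional sampling: profile 1 in N requests when the header carries the
    // constructed "sample=N" parameter, otherwise every debug request.
    if ( preg_match( '/\bsample=(\d+)\b/', $server['HTTP_X_WIKIMEDIA_DEBUG'], $m ) ) {
        $n = max( 1, (int)$m[1] );
        return mt_rand( 1, $n ) === 1;
    }
    return true;
}

/**
 * Start xhprof. Returns false when the extension is missing, so that
 * StartProfiler.php can fall back to MediaWiki's own $wgProfiler handling.
 */
function exampleProfilerStart(): bool {
    if ( !function_exists( 'xhprof_enable' ) ) {
        return false;
    }
    $flags = XHPROF_FLAGS_CPU | XHPROF_FLAGS_MEMORY;
    if ( defined( 'XHPROF_FLAGS_NO_BUILTINS' ) ) {
        $flags |= XHPROF_FLAGS_NO_BUILTINS; // skip PHP builtins to reduce overhead
    }
    xhprof_enable( $flags );
    // Collect at request end, including after uncaught fatals.
    register_shutdown_function( 'exampleProfilerStop' );
    return true;
}

/**
 * Stop profiling and persist the raw data. Constructed output location: in a
 * real deployment point this at a directory outside the web root that only the
 * profiling tooling can read, because the data names every file executed.
 */
function exampleProfilerStop(): void {
    $data = xhprof_disable();
    $dir = sys_get_temp_dir() . '/example-xhprof';
    if ( !is_dir( $dir ) && !mkdir( $dir, 0700, true ) ) {
        return;
    }
    $file = $dir . '/' . bin2hex( random_bytes( 8 ) ) . '.json';
    file_put_contents( $file, json_encode( $data ), LOCK_EX );
}

/**
 * Reader helper: xhprof keys call edges as "parent==>child". This returns the
 * direct callees of $parent sorted by inclusive wall time, which is what the
 * "main() / -- run_init::..." listing above shows for the request entry point.
 */
function exampleProfilerCallees( array $data, string $parent = 'main()' ): array {
    $callees = [];
    foreach ( $data as $edge => $metrics ) {
        $parts = explode( '==>', $edge, 2 );
        if ( count( $parts ) === 2 && $parts[0] === $parent ) {
            $callees[$parts[1]] = $metrics['wt'] ?? 0; // wall time, microseconds
        }
    }
    arsort( $callees );
    return $callees;
}

if ( exampleProfilerShouldRun( $_SERVER ) ) {
    exampleProfilerStart();
}
```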

Re: [Wikitech-l] Persian Wikimedia cryptocurrency mining incident

2018-03-14 Thread Amir Ladsgroup
Translated and posted in Persian Wikipedia's WP:VP. [0]
Posting the translation here, in case it would be useful:

"On 14 March 2018, evidence of the use of virtual currency mining software
was discovered on Persian Wikipedia. The discovery was made by the user
community, and it was removed less than ten minutes after being added to the
site. In addition, the rights of the responsible user were removed and their
account was globally locked. So far there is no evidence of any user's
account or computer being compromised, but we advise everyone to take the
usual steps for keeping a secure computer and account, which include
regularly changing your password, actively using antivirus software, and
keeping your system up to date. The Wikimedia Foundation's Security team is
investigating this incident and looking into potential improvements to
prevent similar cases in the future. If you have any questions, please
contact the Security team (security-team@wikimedia.org). Apologies for
sending this in English; a translation into Persian would be greatly
appreciated. Thanks, John Bennett."

[0]
https://fa.wikipedia.org/w/index.php?oldid=22372929#%D8%A7%D8%AA%D9%81%D8%A7%D9%82_%D9%85%D8%B1%D8%A8%D9%88%D8%B7_%D8%A8%D9%87_%D8%A7%D8%B3%D8%AA%D8%AE%D8%B1%D8%A7%D8%AC_%D9%BE%D9%88%D9%84_%D9%85%D8%AC%D8%A7%D8%B2%DB%8C_%D8%AF%D8%B1_%D9%88%DB%8C%DA%A9%DB%8C%E2%80%8C%D9%BE%D8%AF%DB%8C%D8%A7%DB%8C_%D9%81%D8%A7%D8%B1%D8%B3%DB%8C


Re: [Wikitech-l] Persian Wikimedia cryptocurrency mining incident

2018-03-14 Thread Vi to
How many external (non WMF-sites) js do we need?

Vito


[Wikitech-l] Persian Wikimedia cryptocurrency mining incident

2018-03-14 Thread John Bennett
On 14 March 2018, evidence of cryptocurrency mining software was
discovered on Persian Wikipedia. It was identified by the community and
removed within 10 minutes of being added to the site. Additionally, the
rights of the user responsible have been revoked and their account has been
globally locked. At this time there is no evidence of any user's computer
or account being compromised or otherwise affected. However, we encourage
everyone to take some routine steps to maintain a secure computer and
account - including regularly changing your passwords, actively running
antivirus software on your systems, and keeping your system software up to
date. The Wikimedia Foundation's Security team is investigating this
incident as well as potential improvements to prevent future incidents. If
you have any questions, please contact the Security team
(security-team@wikimedia.org). Apologies for only posting in English;
translating and reposting in Fārsi would be greatly appreciated.

Thanks,
John Bennett

Re: [Wikitech-l] What ways are there to include user-edited JavaScript in a wiki page? (threat model: crypto miners)

2018-03-14 Thread Jon Robson
It has always made me a little uneasy that there are wiki pages where
JavaScript could potentially be injected into my page without my approval.
To be honest if I had the option I would disable all site and user scripts
for my account.

Has this sort of thing happened before?

Can we be sure there isn't a gadget, interface page that has this sort of
code lurking inside? Do we have any detection measures in place?

Even if every edit to these pages is watched, I suspect it would be very
easy for the same attack to be done in a more sophisticated way, e.g.
disguising the code as a base64 image.


Re: [Wikitech-l] What ways are there to include user-edited JavaScript in a wiki page? (threat model: crypto miners)

2018-03-14 Thread Lucas Werkmeister
A restrictive script-src in a Content-Security-Policy (RFC, T135963) could
have helped with this. Alternatively, a report-mode CSP could at least have
brought this to global operators' attention, though I don't know if they
would've been faster to react than the fawiki community's seven minutes.

Cheers,
Lucas




-- 
Lucas Werkmeister
Software Developer (Intern)

Wikimedia Deutschland e. V. | Tempelhofer Ufer 23-24 | 10963 Berlin
Phone: +49 (0)30 219 158 26-0
https://wikimedia.de

Imagine a world in which every single human being can freely share in the
sum of all knowledge. That's our commitment.

Wikimedia Deutschland - Gesellschaft zur Förderung Freien Wissens e. V.
Registered in the register of associations of the Amtsgericht
Berlin-Charlottenburg under number 23855 B. Recognised as a charitable
organisation by the Finanzamt für Körperschaften I Berlin, tax number
27/029/42207.
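The two options Lucas mentions, as an added example that is not MediaWiki's CSP implementation (T135963) or any WMF configuration: a PHP front controller emitting a report-only policy restricted to the wiki's own domains, and the triage logic an operator would run over the browser's violation reports. The domain list, the /csp-report endpoint and the sample report are constructed.

```php
<?php
// Added example for the two CSP options discussed above: a blocking script-src
// policy, or a report-only policy that surfaces violations to operators. This
// is illustration code, not MediaWiki's CSP work (T135963) or any WMF config.
// Assumptions: $ownDomains are the registrable domains the wiki legitimately
// loads scripts from; the report endpoint path is a constructed placeholder.

/**
 * Build the header name and value. With $reportOnly the browser still runs the
 * page unchanged and only POSTs a violation report, which is the low-risk way
 * to roll a policy out and learn what site JS actually loads.
 */
function exampleBuildCsp( array $ownDomains, string $reportUri, bool $reportOnly ): array {
    $sources = [ "'self'" ];
    foreach ( $ownDomains as $domain ) {
        $sources[] = "https://*.$domain";
    }
    $allowed = implode( ' ', $sources );
    // connect-src matters too: an inline miner still has to open a WebSocket
    // or XHR channel to its pool, and that attempt is reportable.
    $policy = "default-src 'self'; script-src $allowed; connect-src $allowed; "
        . "report-uri $reportUri";
    $name = $reportOnly ? 'Content-Security-Policy-Report-Only'
                        : 'Content-Security-Policy';
    return [ $name, $policy ];
}

/** True if $host is one of our domains or a subdomain of one. */
function exampleIsOwnHost( string $host, array $ownDomains ): bool {
    foreach ( $ownDomains as $domain ) {
        $suffix = ".$domain";
        if ( $host === $domain || substr( $host, -strlen( $suffix ) ) === $suffix ) {
            return true;
        }
    }
    return false;
}

/**
 * Triage one browser-submitted report (JSON body with a "csp-report" object).
 * Returns null for noise, or an array describing what an operator should see.
 */
function exampleTriageCspReport( string $json, array $ownDomains ): ?array {
    $report = json_decode( $json, true );
    $v = $report['csp-report'] ?? null;
    if ( !is_array( $v ) ) {
        return null;
    }
    // Browsers send the directive with or without its source list; keep the name.
    $directive = explode( ' ', $v['effective-directive'] ?? $v['violated-directive'] ?? '' )[0];
    if ( !in_array( $directive, [ 'script-src', 'connect-src' ], true ) ) {
        return null; // img-src/style-src violations are outside this threat model
    }
    $blocked = (string)( $v['blocked-uri'] ?? '' );
    $host = parse_url( $blocked, PHP_URL_HOST );
    $summary = [
        'directive' => $directive,
        'document'  => $v['document-uri'] ?? '',
        // source-file is the script that attempted the load, e.g. the load.php
        // URL that served site or gadget JS; it points at which wiki page to check.
        'source'    => $v['source-file'] ?? '',
    ];
    if ( !is_string( $host ) || $host === '' ) {
        // "inline", "eval" or a scheme-only value: still worth a look, but it
        // cannot be attributed to an external host.
        return $summary + [ 'kind' => 'inline', 'host' => $blocked ];
    }
    if ( exampleIsOwnHost( $host, $ownDomains ) ) {
        return null; // our own resource: an allowlist gap, not an injection
    }
    return $summary + [ 'kind' => 'external', 'host' => $host ];
}

// Emit the report-only policy for this response (no-op on the CLI).
$ownDomains = [ 'wikipedia.org', 'wikimedia.org' ];
list( $headerName, $headerValue ) = exampleBuildCsp( $ownDomains, '/csp-report', true );
header( "$headerName: $headerValue" );

// Constructed sample: what a browser would POST if site JS tried to load a
// script from a host outside the allowlist.
$sampleReport = json_encode( [ 'csp-report' => [
    'document-uri'        => 'https://fa.wikipedia.org/wiki/Main_Page',
    'effective-directive' => 'script-src',
    'blocked-uri'         => 'https://example.invalid/external.js',
    'source-file'         => 'https://fa.wikipedia.org/w/load.php?modules=site',
] ] );
print_r( exampleTriageCspReport( $sampleReport, $ownDomains ) );
```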

Re: [Wikitech-l] What ways are there to include user-edited JavaScript in a wiki page? (threat model: crypto miners)

2018-03-14 Thread Amir Ladsgroup
That already happened and the user got blocked indefinitely immediately
after the incident. The JS was there for seven minutes, which is bad enough IMO.

One thing is that the Persian Wikipedia community is working to strip the right
of editing the MediaWiki namespace from the templateeditor user group:
https://fa.wikipedia.org/w/index.php?oldid=22370489#%D9%86%D8%B8%D8%B1%D8%AE%D9%88%D8%A7%D9%87%DB%8C_%D8%A8%D8%B1%D8%A7%DB%8C_%DA%AF%D8%B1%D9%81%D8%AA%D9%86_%D8%AF%D8%B3%D8%AA%D8%B1%D8%B3%DB%8C_%D9%88%DB%8C%D8%B1%D8%A7%DB%8C%D8%B4_%D9%81%D8%B6%D8%A7%DB%8C_%D9%86%D8%A7%D9%85_%D9%85%D8%AF%DB%8C%D8%A7%D9%88%DB%8C%DA%A9%DB%8C_%D8%A7%D8%B2_%D9%88%DB%8C%D8%B1%D8%A7%DB%8C%D8%B4%DA%AF%D8%B1%D8%A7%D9%86_%D8%A7%D9%84%DA%AF%D9%88

Other things include protecting us from this type of js inside the
mediawiki. That's going to be difficult.

Best


Re: [Wikitech-l] What ways are there to include user-edited JavaScript in a wiki page? (threat model: crypto miners)

2018-03-14 Thread Derk-Jan Hartman
In my opinion, such accounts should be globally blocked btw. It is a
grave breach of trust and such accounts cannot be trusted anywhere
else either. Thanks for playing, but goodbye for ever.

DJ


Re: [Wikitech-l] What ways are there to include user-edited JavaScript in a wiki page? (threat model: crypto miners)

2018-03-14 Thread Brian Wolff
You need editinterface, edituserjs, or some of the centralnotice related
rights (or the steward related rights to give yourself these rights).

Any method that does not involve editinterface or a related right that is
normally restricted to administrators (or a higher group) should be considered
a serious security issue in MediaWiki and reported immediately.

--
Brian Wolff

Re: [Wikitech-l] What ways are there to include user-edited JavaScript in a wiki page? (threat model: crypto miners)

2018-03-14 Thread Yongmin H.
editinterface (usually only available to sysops on WMF wikis) is required to
edit the MediaWiki: namespace, which includes MediaWiki:(blah).css/js. And
edituser(css/js) is required to edit other users' CSS/JS files. In the fawiki
case, these permissions are available to template editors, so once he became a
template editor (I don't know how strict the fawiki rule is, so no comment on
that) he was able to inject such an evil thing (tm).

TL;DR:

1. editinterface to modify the MediaWiki: namespace, which affects everyone.
2. edituserjs to touch other users' JS.
3. editusercss to touch other users' CSS.

--
Yongmin
Sent from my iPhone
https://wp.revi.blog
Text licensed under CC BY ND 2.0 KR
Please note that this address is list-only address and any non-mailing list 
mails will be treated as spam.
Please use https://encrypt.to/0x947f156f16250de39788c3c35b625da5beff197a


[Wikitech-l] What ways are there to include user-edited JavaScript in a wiki page? (threat model: crypto miners)

2018-03-14 Thread David Gerard
What ways are there to include user-edited JavaScript in a wiki page?

I ask because someone put this revision in (which is now deleted):

https://fa.wikipedia.org/w/index.php?title=%D9%85%D8%AF%DB%8C%D8%A7%D9%88%DB%8C%DA%A9%DB%8C:Common.js=next=22367460=en

You can't see it now, but it was someone including a JavaScript
cryptocurrency miner in common.js!

Obviously this is not going to be a common thing, and common.js is
closely watched. (The above edit was reverted in 7 minutes, and the
user banned.)

But what are the ways to get user-edited JavaScript running on a
MediaWiki, outside one's own personal usage? And what permissions are
needed? I ask with threats like this in mind.


- d.
