Security Status Report

Project Security-Team from 2017-10-01 to 2017-12-16


Each row lists the task's workboard column, task number, title, tag, task status and points (column names inferred from the row layout; two rows lack a status value).

| Column | Task | Title | Tag | Status | Points |
|---|---|---|---|---|---|
| In Progress | 181660 | Experiment using phan for static analysis | Screep | Open | None |
| In Progress | 124445 | Design research support for two step authentication | In-Scope | Open | None |
| In Progress | 116967 | Gather information on the frequency of Wikimedia sites being framed | In-Scope | Open | None |
| Done | 109083 | Goal: Support legal during rollout of email encryption initiative | In-Scope | Open | None |
| Done | 109082 | Goal: Privacy support for Analytics - UniqueID's, Pagecount API | In-Scope | Open | None |
| Done | 109086 | Goal: Security engineering support for FrTech PCI | In-Scope | Open | None |
| Security Other | 182448 | Make securitycheckplugin detect double escaping | Screep | | None |
| Security Other | 182599 | Make jenkins run security-check-plugin non-voting | Screep | | None |
| Security Other | 128209 | Reflected File Download from api.php | Screep | Done | None |
| Security Other | 178752 | gblrename log_type missing on replicas | Screep | Done | None |
| Security Other | 97869 | Review access to security tasks | In-Scope | Done | None |
| Security Other | 119158 | Language converter: unsafe attribute injection via glossary rules (CVE-2017-8815) | Screep | Done | None |
| Security Other | 181547 | Regex DoS vulnerability in moment.js | Screep | Done | None |
| Security Other | 182199 | Make jenkins run composer test (with php7) on mediawiki/tools/phan/SecurityCheckPlugin.git | Screep | Done | None |
| Security Other | 182214 | Get securityCheckPlugin on packagist | Screep | Done | None |
| Security Other | 178052 | pagetranslation log_type missing on replicas | Screep | Done | None |
| Security Other | 87332 | Using language conversion syntax in external links bypasses proper external link registration | Screep | Done | None |
| Security Other | 124404 | language converter can be tricked into replacing text inside tags by adding a lot of junk after the rule definition (CVE-2017-8814) | Screep | Done | None |
| Security Other | 173370 | Support restricted execution of external commands (via firejail) | In-Scope | Done | None |
| Security Other | 125163 | id attribute on headlines allow raw > [Possible issue in combination with language converter] (CVE-2017-8812) | Screep | Done | None |
| Security Other | 125382 | Ensure DOMPurify meets our SVG sanitization requirements for Graphs | In-Scope | Done | None |
| Security Other | 109084 | Goal: Security engineering support for AuthManager | In-Scope | Done | None |
| Security Other | 158119 | Add Security.md to MediaWiki Core? | In-Scope | Done | None |
| Security Other | 111820 | Set default CSP header in service template to "default-src 'none'" | In-Scope | Open | None |
| Security Other | 116305 | Followup assessment for analytics cluster | In-Scope | Open | None |
| Security Other | 117618 | Add restrictive CSP to upload.wikimedia.org | In-Scope | Open | None |
| Security Other | 118131 | Credit security researchers that identify and disclose vulnerabilities | In-Scope | Open | None |
| Security Other | 118750 | Document and test security response process | In-Scope | Open | None |
| Security Other | 119451 | Consider using "pepper" for our hashed passwords | In-Scope | Open | None |
| Security Other | 119494 | Citoid converts ignores <302::aid-ajmg13> | In-Scope | Open | 0.0 |
| Security Other | 120484 | Create password-authentication service for use by CentralAuth | In-Scope | Open | None |
| Security Other | 120495 | Major overhaul to Special reports | In-Scope | Open | None |
| Security Other | 120532 | Use user-specific passwords for accessing EventLogging database | In-Scope | Open | None |
| Security Other | 120886 | Make javascript editing permissions more fine grained and separate from normal edit-interface | In-Scope | Open | None |
| Security Other | 120888 | Create optional XSS filter step for the parser | In-Scope | Open | None |
| Security Other | 120889 | Create preference to control using personal JS | In-Scope | Open | None |
| Security Other | 121136 | Establish a process to periodically review and approve access for hadoop/hue users | In-Scope | Open | None |
| Security Other | 121175 | Implement password age password policy check | In-Scope | Open | None |
| Security Other | 121179 | Implement password complexity password policy check | In-Scope | Open | None |
| Security Other | 121181 | Implement password policy preventing user using their real name | In-Scope | Open | None |
| Security Other | 121186 | Implement results of enwiki Security review RfC | In-Scope | Open | None |
| Security Other | 122013 | Investigate additional password reset methods (apart from email) | In-Scope | Open | None |
| Security Other | 122124 | Tell users to use a unique password when creating an account. | In-Scope | Open | None |
| Security Other | 122220 | Enable optional two-factor authentication for OTRS | In-Scope | Open | None |
| Security Other | 122248 | Password/login related security issues (Tracking) | In-Scope | Open | None |
| Security Other | 122375 | Segment sensitive data within WMF cluster (tracking) | In-Scope | Open | None |
| Security Other | 123243 | Ability to alert when we get a sudden increase in bad passwords for privileged accounts, to possibly detect password brute-forcing | In-Scope | Open | None |
| Security Other | 123753 | Establish retrospective reports for #security and #performance incidents | In-Scope | Open | None |
| Security Other | 125589 | Allow tools to have their own ".tools.wmflabs.org" subdomain | In-Scope | Open | None |
| Security Other | 130396 | Add restbase test url to ZAP seeding | In-Scope | Open | None |
| Security Other | 132720 | ApiHelp on api.php should set OutputPage::disallowUserJs | In-Scope | Open | None |
| Security Other | 132934 | Security review of TWL | In-Scope | Open | None |
| Security Other | 133735 | Formalize procedures for doing security releases of MediaWiki extensions | In-Scope | Open | None |
| Security Other | 135963 | Add support for Content-Security-Policy (CSP) headers in MediaWiki | In-Scope | Open | None |
| Security Other | 137016 | Allow more than 1 password reset per 24 hours | In-Scope | Open | None |
| Security Other | 137599 | MediaWiki as candidate for Mozilla funded code audit | In-Scope | Open | None |
| Security Other | 138783 | SVG Upload should (optionally) allow the xhtml namespace | In-Scope | Open | None |
| Security Other | 140270 | Determine a core set or a checklist of permissions for deployment purpose | In-Scope | Open | None |
| Security Other | 143790 | $wgBlockDisablesLogin = true; + $wgEmailConfirmToEdit = true; causes the wiki to be inaccessible for anonymous users | In-Scope | Open | None |
| Security Other | 149588 | Create password policy using AntiSpoof | In-Scope | Open | None |
| Security Other | 149743 | Prevent user from continuing until they change their password | In-Scope | Open | None |
| Security Other | 150049 | Enable $wgCaptchaDeleteOnSolve | In-Scope | Open | None |
| Security Other | 150300 | icinga notification if elevated writing to badpass.log | In-Scope | Open | None |
| Security Other | 150577 | Enable OATHAuth for all users | In-Scope | Open | None |
| Security Other | 150580 | Throttle IP when doing many successful login attempts | In-Scope | Open | None |
| Security Other | 150582 | Support two-factor authentication in AutoWikiBrowser | In-Scope | Open | None |
| Security Other | 150605 | Publish an analysis of the OurMine hack | In-Scope | Open | None |
| Security Other | 150626 | Suggest users with short passwords change them | In-Scope | Open | None |
| Security Other | 150647 | Deploy EncryptedPassword to WMF | In-Scope | Open | None |
| Security Other | 150853 | Create a burn-down list of administrator accounts without 2FA or password changes since 11 November | In-Scope | Open | None |
| Security Other | 151425 | Enlarge Popular Password File to 100,000 entries | In-Scope | Open | None |
| Security Other | 152219 | Statistics on Captcha success/failure rate | In-Scope | Open | None |
| Security Other | 152934 | Log accessing private information by those with 'abusefilter-private' permission | In-Scope | Open | 2.0 |
| Security Other | 152972 | Accessing private information through SecurePoll should be logged | In-Scope | Open | None |
| Security Other | 153691 | Strengthen two factor authentication by making it concurrent instead of sequential during the authentication process | In-Scope | Open | None |
| Security Other | 156445 | Streamline/automate MW tarball security release process | In-Scope | Open | None |
| Security Other | 156757 | Add examples of the three security review processes | In-Scope | Open | None |
| Security Other | 157500 | Query percentage of English Wikipedia admins without 2FA | In-Scope | Open | None |
| Security Other | 160357 | Allow those with CheckUser right to access AbuseLog private information on WMF projects | In-Scope | Open | None |
| Security Other | 162171 | Become a CVE Numbering Authority (CNA) for MediaWiki and extensions | In-Scope | Open | None |
| Security Other | 164340 | Request to add TerraCodes to the "oathauth-tester" group on meta | In-Scope | Open | None |
| Security Other | 166622 | Allow all users on all wikis to use OATHAuth | In-Scope | Open | None |
| Security Other | 169676 | Remove EducationProgram in favour of EducationDashboard | In-Scope | Open | None |
| Security Other | 174813 | Allow multiple password blacklists | In-Scope | Open | None |
| Security Other | 28227 | Notify user by email when password changed | In-Scope | Open | None |
| Security Other | 175171 | Implement bloom filter for popular password password lists | In-Scope | Open | None |
| Security Other | 177895 | Allow logged in users to disable MediaWiki:Common.js and MediaWiki:Common.css | Screep | Open | None |
| Security Other | 178060 | RawAction should set proper Content-Type header | Screep | Open | None |
| Security Other | 180278 | Expand our usage of FriendsOfPHP/security-advisories | Screep | Open | None |
| Security Other | 180648 | Expand the access to 2FA on fawiki | Screep | Open | None |
| Security Other | 180877 | Dealing with GitHub security alerts | Screep | Open | None |
| Security Other | 174877 | Spambots as IP addresses and as accounts again prolific within WMF wikis | In-Scope | Open | None |
| Security Other | 28508 | Content Security Policy (CSP) | In-Scope | Open | None |
| Security Other | 40860 | security@mediawiki.org : Create a public key and publish it on the public key servers | Screep | Open | None |
| Security Other | 56713 | Non-NDA users cannot access graphite.wikimedia.org | In-Scope | Open | None |
| Security Other | 61702 | Examine which extensions are installed on login.wikimedia.org (loginwiki) and vote.wikimedia.org (votewiki) | In-Scope | Open | None |
| Security Other | 75953 | RFC: MediaWiki HTTPS policy | In-Scope | Open | None |
| Security Other | 75958 | Refactor Title to make permission checking its own class | In-Scope | Open | None |
| Security Other | 76158 | Pitfalls checklist for software using AGPL | In-Scope | Open | None |
| Security Other | 88083 | Mobile apps users should not be shown captchas when creating accounts | In-Scope | Open | None |
| Security Other | 90033 | Support 1password for login | In-Scope | Open | None |
| Security Other | 99358 | [Task] Security review of Wikibase-Quality-External-Validation branch master | In-Scope | Open | None |
| Security Other | 100375 | Improve user experience of Two-Factor process | In-Scope | Open | None |
| Security Other | 103912 | [Task] Ex:WikibaseQualityExternalValidation - performance review of Special:CrossCheck | In-Scope | Open | None |
| Security Other | 108360 | Create "security pre-announce" group | In-Scope | Open | None |
| Security Other | 108978 | Add $wgAllowSiteJSOnRestrictedPages to allow JS on restricted special pages | In-Scope | Open | None |
| Security Other | 109094 | Create and document security training on mw.org, and document training processes | In-Scope | Open | None |
| Security Other | 109102 | Investigate / test hardware tokens for WMF identity key | In-Scope | Open | None |
| Security Other | 109106 | Document bug triage process | In-Scope | Open | None |
| Security Other | 109328 | Undefined #Security-General and #Security-Other | In-Scope | Open | None |
| Security Other | 109524 | DFIR process documented on officewiki | In-Scope | Open | None |
| Security Other | 109726 | Privacy review of graphite and grafana data sets | In-Scope | Open | None |
| Security Other | 110249 | Allow OAuth applications to be granted rights the user doesn't have | In-Scope | Open | None |
| Security Other | 110620 | Add code patterns that could impact privacy to MediaWiki secure code training. | In-Scope | Open | None |