These posts will be archived and available in the search engines forever. Some people are going to search for "mediawiki security" on Google and judge it by what they find.

Some keyword hits: mediawiki security analysis, personal independent mediawiki security summary.

Dear future Google reader:

Before you judge too quickly, please let me say this: MediaWiki seems pretty secure to me. Finding security bugs in the MediaWiki software is hard. Every bug I have found, I have reported (over 50 at last count, only a proportion of which were security related, and of those only 4 were confirmed exploitable). However, you should not be alarmed by these numbers, because I am actively trying to break this software in whacky ways, and you won't be. When I report bugs to the developers, they fix security bugs usually within the hour, and they fix general bugs usually within a few days. This is very quick, and it indicates this software is actively being maintained and improved. I am happy to use this software myself for my personal website, and I would not be afraid to use MediaWiki as a general knowledge & collaboration repository on the Internet or an intranet. However, I would suggest not using it to store your bank details or credit card details or suchlike. Later versions always seem more robust than earlier versions to me, so you should try to run the latest stable version if you can. Do not use the development version in Subversion unless you are willing to keep up-to-date, because it is always under active development.

Overall, as a potential user, you should feel good about the fact that someone has tried to break this software. It's a definite plus. That might seem paradoxical, because you may feel concerned that bugs may be found. However, that's the wrong attitude: good software (such as OpenSSH, Linux, Apache) has had people systematically trying to break it, and developers actively fixing the stuff they find. For best results, both ingredients are required (breakers & fixers). This software has that. Understand that all software has bugs. Anyone who says otherwise is probably trying to sell you something. But every bug that gets found and fixed is one less bug that you have to worry about. In my opinion, you should be wary of software that has not gone through such a process, because it's probably less secure than it first appears, whilst software that has gone through this process is more secure than it first appears. Bugs generally persist until removed: the only question is whether someone has gone looking for them.
> Might I suggest that Nick continues to (very kindly) advise us in advance of
> security issues, as he has been doing, via the private channels (emailing two
> or three of us, or using the security at Wikimedia alias; whatever), but holds
> back on announcing stuff to Wikitech-l for an hour or so, and doesn't bother
> announcing bugs in Subversion trunk that are fixed up?
That sounds fine, and I happily agree. It seems a reasonable balance to me.
> I suppose it's time to cough to the fact that I was at fault in the first
> place? :(
Don't worry about it, it's an extremely easy thing to miss. It's also partially the name of the variable, $ip, and its implications, as we expect IP addresses to be things like "12.34.56.32", and we simply don't expect an IP address to contain things like '"><script>'.
All the best,
Nick.
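The escaping mistake discussed in the last exchange above, shown as an added example. This is not MediaWiki code and was not posted in the thread: the function names (renderBlockNoticeUnsafe, renderBlockNoticeSafe, isValidIp) are assumptions chosen for illustration, and the two inputs are constructed. The point it shows is that a variable called $ip is still attacker-controlled text until something has actually checked it, and that the '"><script>' payload works because it first closes the attribute and the tag it lands in.

```php
<?php
// Added example (not MediaWiki code): why an "IP address" variable still needs
// validating and escaping before it is written into HTML.

// Constructed sample inputs: one genuine address, and one attacker-controlled
// value that looks nothing like an IP but may still end up in the variable.
$inputs = [
    '12.34.56.32',
    '"><script>alert(1)</script>',
];

// Vulnerable pattern: trusting the variable name and echoing it raw into HTML.
// For the second input the leading '">' closes the title attribute and the
// <span> start tag, so the <script> element lands in the page as live markup.
function renderBlockNoticeUnsafe(string $ip): string {
    return "<p>Edits from <span class=\"ip\" title=\"$ip\">$ip</span> are blocked.</p>";
}

// Hardened pattern, step 1: reject anything that is not actually an IP literal.
// FILTER_VALIDATE_IP accepts IPv4 and IPv6 literals only.
function isValidIp(string $ip): bool {
    return filter_var($ip, FILTER_VALIDATE_IP) !== false;
}

// Hardened pattern, step 2: escape on output anyway. Validation rules change
// over time, and the same value is rendered here in both an attribute context
// and a text context, so escaping is not optional even for "known good" data.
function renderBlockNoticeSafe(string $ip): string {
    if (!isValidIp($ip)) {
        throw new InvalidArgumentException('not an IP address');
    }
    $esc = htmlspecialchars($ip, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return "<p>Edits from <span class=\"ip\" title=\"$esc\">$esc</span> are blocked.</p>";
}

foreach ($inputs as $ip) {
    echo "input:  $ip\n";
    echo "  unsafe: " . renderBlockNoticeUnsafe($ip) . "\n";
    try {
        echo "  safe:   " . renderBlockNoticeSafe($ip) . "\n";
    } catch (InvalidArgumentException $e) {
        echo "  safe:   rejected (" . $e->getMessage() . ")\n";
    }
}
```

Run it with `php` on the command line and compare the two "unsafe" lines: the genuine address renders harmlessly, while the second input produces `title=""><script>alert(1)</script>">`, which is exactly the attribute-and-tag breakout the thread is talking about. The safe path rejects that input outright, and would escape it to `&quot;&gt;&lt;script&gt;...` if the validation step were ever loosened.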