MediaWiki
Hello visitor! If you found this page, then you probably wanted something else. Here are links to what you're probably looking for:
- Do you want information about a specific MediaWiki extension? Try the table here or the multi-page list here, to help find the homepage for that extension.
- Do you want information about MediaWiki itself? Try the website for documentation, the IRC channel for quick questions, a mailing list for more detailed questions, or the MediaWiki Wikipedia article for a timeline of past releases.
- Do you want to hire MediaWiki developers or consultants? See the WikiHR site.
Now back to your regularly scheduled programming....
Various MediaWiki 1.7.1 and extension parser tests that fail HTML validation and/or have potential security issues. There is a MediaWiki bug report covering this. Some were found by hand, but most were found by fuzz testing MediaWiki with a modified PHP port of the Python port of mangleme. The original source code is available, although the version now in the MediaWiki trunk is much more current. Lastly, all the MediaWiki tests listed below are released into the public domain, so you're welcome to incorporate them into any software you like, under any license you like.
Security items
None that I am currently aware of.
HTML Validation or PHP errors or SQL errors
Things that cause one or more of the following:
- Visual artefacts
- PHP errors
- SQL errors
- research papers
- Tidy errors (not just warnings)
... have been marked with grey to indicate that they may be of higher impact than the other items:
Test | Wiki Source | Validate HTML | Tidy HTML | Security aspects? | Fixed in | Visible Artefacts? | Notes and any extra info. |
---|---|---|---|---|---|---|---|
MediaWiki/Parser1 | Export Wiki Source | W3C Validator | Tidy HTML | No | Yes | Strikes out almost all text. Explanation for this + Parser1-hidden + Parser2 + Parser3 + Parser4 + Parser5. | |
MediaWiki/Parser1-hidden | Export Wiki Source | W3C Validator | Tidy HTML | No | Yes | Hides almost all text, which also makes all page links unavailable. | |
MediaWiki/Parser3 | Export Wiki Source | W3C Validator | Tidy HTML | No | No | ||
MediaWiki/Parser4 | Export Wiki Source | W3C Validator | Tidy HTML | No | No | ||
MediaWiki/Parser5 | Export Wiki Source | W3C Validator | Tidy HTML | No | Yes | Shrinks font, moves the top page action links up about 5 pixels and left about 10 pixels. | |
MediaWiki/Parser6 | Export Wiki Source | W3C Validator | Tidy HTML | No | Yes | Shrinks font, moves the left navigation bar down about 160 pixels, strikes out almost all text. | |
MediaWiki/Parser8 | Export Wiki Source | W3C Validator | Tidy HTML | No | No | ||
MediaWiki/Parser9 | Export Wiki Source | W3C Validator | Tidy HTML | No | No | ||
MediaWiki/Parser10 | Export Wiki Source | W3C Validator | Tidy HTML | No | No | ||
MediaWiki/Parser11 | Export Wiki Source | W3C Validator | Tidy HTML | | No. | Explanation. Security aspects fixed in 1.6.1, although still fails W3C Validation. | |
MediaWiki/Parser12 | Export Wiki Source | W3C Validator | Tidy HTML | | No. | Explanation. Security aspects fixed in 1.6.1, although still fails W3C Validation. | |
MediaWiki/Parser15 | Export Wiki Source | W3C Validator | Tidy HTML | No | No. | | |
MediaWiki/Parser16 | Export Wiki Source | W3C Validator | Tidy HTML | | No. | Security aspects fixed in 1.6.6, although still fails W3C Validation. | |
MediaWiki/Parser24 | Export Wiki Source | W3C Validator | Tidy HTML | | No. | | |
MediaWiki/Parser25 | Export Wiki Source | W3C Validator | Tidy HTML | | No. | | |
MediaWiki/Parser25-variant1 | Export Wiki Source | W3C Validator | Tidy HTML | | No. | | |
MediaWiki/Parser25-variant2 | Export Wiki Source | W3C Validator | Tidy HTML | | No. | | |
MediaWiki/Parser26 | Export Wiki Source | W3C Validator | Tidy HTML | | | Attribute injection in Cite extension fixed in r14400, and visual aspects fixed in r14399, although still fails W3C Validation. | |
MediaWiki/Parser33 | Export Wiki Source | W3C Validator | Tidy HTML | No. | Yes. | Numerous Tidy errors (using both the command-line version, and the Firefox plugin, but not with the web version) | |
MediaWiki/Parser34 | Export Wiki Source | W3C Validator | Tidy HTML | No. | Yes. | Whacky page rendering, indents the nav bar from the left margin and into body text. | |
| | | | | 1.6.7 | No. | Limited attribute injection using Sort extension + another extension (References in this example). Can no longer reproduce, is certainly fixed in 1.6.7. Still fails W3C validation. |
| | | | | 1.6.7 | No. | |
| | | | No. | r14475 | No. | |
| | | | No. | N/A. | No. | |
| | | | | 1.6.7 | No. | |
| | | | | 1.6.7 | No. | |
| | | | | 1.6.7 | No. | |
| | | | | 1.6.7 | No. | |
| | | | | 1.6.7 | No. | |
MediaWiki/Parser49 | Export Wiki Source | W3C Validator | Tidy HTML | No | Yes | Shifts content off the left margin. Causes Tidy errors (in command-line Tidy + the Firefox plugin, but not in the web version). | |
MediaWiki/Parser52 | Export Wiki Source | W3C Validator | Tidy HTML | No | No. | HTML validation failing due to id attribute or name attribute duplication. | |
| | | | | No. | |
Completely fixed
Things belong here if they now give valid HTML, don't cause PHP errors/warnings or SQL errors/warnings, and don't cause Tidy warnings.
Test | Wiki Source | Validate HTML | Tidy HTML | Security aspects? | Fixed in | Visible Artefacts? | Notes and any extra info. |
---|---|---|---|---|---|---|---|
| | | | No | 1.6.1 | No. | Completely fixed in 1.6.1 - valid HTML, no artefacts, no tidy errors. |
| | | | | 1.6.6 | No. | |
| | | | | 1.6.6 | | |
| | | | | 1.6.6 | | |
| | | | | 1.6.1 | No. | Completely fixed in 1.6.1 - valid HTML, no artefacts, no tidy errors. |
| | | | | 1.6.1 | No. | Completely fixed in 1.6.1 - valid HTML, no artefacts, no tidy errors. |
| | | | | 1.6.1 | No. | Completely fixed in 1.6.1 - valid HTML, no artefacts, no tidy errors. |
| | | | | 1.6.6 | No. | Completely fixed in 1.6.6 - valid HTML, no artefacts, no tidy errors. |
| | | | | 1.6.6 | No. | |
| | | | No. | r14480 | No. | PHP warning in Sort extension, fixed in r14480. |
| | | | | 1.6.7 | No. | User-specified JavaScript execution. Must be running an experimental extension, so most installations are NOT affected. Wiki text not released yet. Fixed in trunk by r14511, and fixed in 1.6.7. |
| | | | | 1.6.7 | No. | Limited attribute injection using CharInsert extension + Math extension. |
| | | | | 1.6.7 | No. | Limited attribute injection using CharInsert extension + Cite extension. |
| | | | | 1.6.7 | No. | Section heading abuse gave a Tidy error, strange page rendering, and a limited attribute injection. |
| | | | | 1.6.7 | No. | XSS Arbitrary JavaScript execution and HTML insertion. Fixed in 1.6.7 and fixed in r14585 for trunk. |
| | | | No. | r14733 | No. | PHP warning in InputBox extension in E_ALL with bad input. Fixed in r14733. |
| | | | | r14544 | No. | Wikitext of death (causes internal Parser error). Fixed in 1.7, but not in 1.6. |
| | | | | No. | $wgAllowExternalImages is enabled by default in 1.6 stable, but it is turned off in 1.7 and Trunk by default. This can be abused on a 1.6 wiki to create a page which when viewed will log the user off. | |
| | | | No | No | ||
| | | | No | No. | Nowiki allows malformed URI (e.g. generates multi-line hrefs). Passes W3C validation, but tidy gives warnings, and the links don't act like normal links (in Firefox, at least) - clicking on them does nothing. | |
| | | | No. | No. | Pre allows malformed URI. Fails validation (unlike nowiki). | |
| | | | No. | r14730 | PHP notices on the page history with bad input + E_ALL. |
| | | | No. | Bad input on Page History that causes SQL error. | |
| | | | No | Gives PHP fatal error on bad input on Special:Userlogin | |
| | | | No. | Two PHP notices on Special:Contributions with bad input + E_ALL. |
Logged in bugzilla
Lately most new things have been logged in bugzilla, which makes them easier to track.
There is a small amount of overlap between this page and bugzilla, namely for the following bugs:
Test | Wiki Source | Validate HTML | Tidy HTML | Security aspects? | Fixed in | Visible Artefacts? | Notes and any extra info. |
---|---|---|---|---|---|---|---|
MediaWiki/Parser51 | Export Wiki Source | W3C Validator | Tidy HTML | No | Yes | PHP warnings on malformed cookie session_id on Special:Userlogin. Also logged as MediaZilla:6538 |
Definition of Security Aspects
For the tables above, "security aspect" is defined as anything that causes the start of a tag to be missing, the end of a tag to be missing, or attributes of any type that should not be there to be injected. For example:
- <p><td><s></p> would not be considered to have a security aspect, because all the tags appear intact (none is malformed), although it is invalid HTML.
- <a href="http://as<td></td><td class="external free"><p>user text here would be considered to have a security aspect because the "href" string is not properly terminated, and so the "external free" part is injected as attributes.
- A string missing the start of a tag would also be considered to have a security aspect - e.g. <th>|||||" class="external free" title="https://||||||" rel="nofollow">https://</th> - because the <a href="xxx part has been cut off. Probably not exploitable - but certainly a worse category of bug than just getting tags in the wrong order.
So to sum up: if tags are just in the wrong order, but are otherwise complete and well-formed, then it is not a security issue; otherwise it is considered a potential security issue, and is listed as "Yes" in the tables above.
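
The definition above can be applied mechanically to parser output. The following Python is an added example, not part of the original page or of MediaWiki; the name `security_aspects`, the finding labels and the `ORPHAN_ATTR` heuristic are assumptions, and it assumes a correct renderer escapes `<` inside attribute values. The three sample strings are the ones quoted in the list above.

```python
import re

# Heuristic (assumption): an attribute tail such as `" class="` or `">` found
# in a text node means the opening `<tag attr="` part was cut off.
ORPHAN_ATTR = re.compile(r'''["']\s+[\w-]+=["']|["']\s*>''')

def security_aspects(html):
    """Return [(kind, offset)] for malformed tags; mis-nested tags are ignored."""
    findings, i, n = [], 0, len(html)
    while i < n:
        lt = html.find("<", i)
        end = n if lt == -1 else lt
        m = ORPHAN_ATTR.search(html, i, end)   # inspect the text node only
        if m:
            findings.append(("missing-tag-start", m.start()))
        if lt == -1:
            break
        j, quote = lt + 1, None
        while j < n:                           # walk to the end of this tag
            c = html[j]
            if c == "<":                       # next tag starts before this one closed
                break
            if quote:
                if c == quote:
                    quote = None
            elif c in "\"'":
                quote = c
            elif c == ">":
                break
            j += 1
        if j < n and html[j] == ">":
            i = j + 1                          # complete, well-formed tag
        else:
            findings.append(("unterminated-tag", lt))
            i = j                              # resume at the next '<' (or end)
    return findings

# The three strings from the definition on this page.
SAMPLES = [
    '<p><td><s></p>',
    '<a href="http://as<td></td><td class="external free"><p>user text here',
    '<th>|||||" class="external free" title="https://||||||" rel="nofollow">https://</th>',
]

if __name__ == "__main__":
    for s in SAMPLES:
        found = security_aspects(s)
        print("Yes" if found else "No", found)
```

A non-empty result corresponds to "Yes" in the "Security aspects?" column; wrong tag order alone yields an empty list.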