Security Status Report

Project Security-Team from 2017-07-01 to 2017-08-21

| Board column | Task | Title | Scope | Status | Points |
|---|---|---|---|---|---|
| In Progress | 116967 | Gather information on the frequency of Wikimedia sites being framed | In-Scope | Open | None |
| In Progress | 124445 | Design research support for two step authentication | In-Scope | Open | None |
| Done | 109082 | Goal: Privacy support for Analytics - UniqueID's, Pagecount API | In-Scope | Open | None |
| Done | 109086 | Goal: Security engineering support for FrTech PCI | In-Scope | Open | None |
| Done | 109083 | Goal: Support legal during rollout of email encryption initiative | In-Scope | Open | None |
| Security Other | 160713 | Replicate babel db table on Labs | In-Scope | Cut | None |
| Security Other | 159519 | Investigate security concerns on enabling OAuth or BotPasswords for stewardwiki | In-Scope | Done | None |
| Security Other | 134863 | Reflected XSS in GlobalGroupPermissions | Screep | Done | None |
| Security Other | 169656 | Security Review of Recommendation API - take #2 | Screep | Done | None |
| Security Other | 97869 | Review access to security tasks | In-Scope | Open | None |
| Security Other | 99358 | [Task] Security review of Wikibase-Quality-External-Validation branch master | In-Scope | Open | None |
| Security Other | 100375 | Improve user experience of Two-Factor process | In-Scope | Open | None |
| Security Other | 103912 | [Task] Ex:WikibaseQualityExternalValidation - performance review of Special:CrossCheck | In-Scope | Open | None |
| Security Other | 108360 | Create "security pre-announce" group | Screep | Open | None |
| Security Other | 108978 | Add $wgAllowSiteJSOnRestrictedPages to allow JS on restricted special pages | In-Scope | Open | None |
| Security Other | 109084 | Goal: Security engineering support for AuthManager | In-Scope | Open | None |
| Security Other | 109094 | Create and document security training on mw.org, and document training processes | In-Scope | Open | None |
| Security Other | 109102 | Investigate / test hardware tokens for WMF identity key | In-Scope | Open | None |
| Security Other | 109106 | Document bug triage process | In-Scope | Open | None |
| Security Other | 109328 | Undefined #Security-General and #Security-Other | In-Scope | Open | None |
| Security Other | 109524 | DFIR process documented on officewiki | In-Scope | Open | None |
| Security Other | 109726 | Privacy review of graphite and grafana data sets | In-Scope | Open | None |
| Security Other | 110249 | Allow OAuth applications to be granted rights the user doesn't have | In-Scope | Open | None |
| Security Other | 110620 | Add code patterns that could impact privacy to MediaWiki secure code training. | In-Scope | Open | None |
| Security Other | 111820 | Set default CSP header in service template to "default-src 'none'" | In-Scope | Open | None |
| Security Other | 116305 | Followup assessment for analytics cluster | In-Scope | Open | None |
| Security Other | 117618 | Add restrictive CSP to upload.wikimedia.org | In-Scope | Open | None |
| Security Other | 118131 | Credit security researchers that identify and disclose vulnerabilities | In-Scope | Open | None |
| Security Other | 118750 | Document and test security response process | In-Scope | Open | None |
| Security Other | 119451 | Consider using "pepper" for our hashed passwords | In-Scope | Open | None |
| Security Other | 119494 | Citoid converts ignores <302::aid-ajmg13> | In-Scope | Open | 0.0 |
| Security Other | 120484 | Create password-authentication service for use by CentralAuth | In-Scope | Open | None |
| Security Other | 120495 | Major overhaul to Special reports | In-Scope | Open | None |
| Security Other | 120532 | Use user-specific passwords for accessing EventLogging database | In-Scope | Open | None |
| Security Other | 120886 | Make javascript editing permissions more fine grained and separate from normal edit-interface | In-Scope | Open | None |
| Security Other | 120888 | Create optional XSS filter step for the parser | In-Scope | Open | None |
| Security Other | 120889 | Create preference to control using personal JS | In-Scope | Open | None |
| Security Other | 121136 | Establish a process to periodically review and approve access for hadoop/hue users | In-Scope | Open | None |
| Security Other | 121175 | Implement password age password policy check | In-Scope | Open | None |
| Security Other | 121179 | Implement password complexity password policy check | In-Scope | Open | None |
| Security Other | 121181 | Implement password policy preventing user using their real name | In-Scope | Open | None |
| Security Other | 121186 | Implement results of enwiki Security review RfC | In-Scope | Open | None |
| Security Other | 122013 | Investigate additional password reset methods (apart from email) | In-Scope | Open | None |
| Security Other | 122124 | Tell users to use a unique password when creating an account. | In-Scope | Open | None |
| Security Other | 122220 | Enable optional two-factor authentication for OTRS | In-Scope | Open | None |
| Security Other | 122248 | Password/login related security issues (Tracking) | In-Scope | Open | None |
| Security Other | 122375 | Segment sensitive data within WMF cluster (tracking) | In-Scope | Open | None |
| Security Other | 123243 | Ability to alert when we get a sudden increase in bad passwords for privileged accounts, to possibly detect password brute-forcing | In-Scope | Open | None |
| Security Other | 123753 | Establish retrospective reports for #security and #performance incidents | In-Scope | Open | None |
| Security Other | 125382 | Ensure DOMPurify meets our SVG sanitization requirements for Graphs | In-Scope | Open | None |
| Security Other | 125589 | Allow tools to have their own ".tools.wmflabs.org" subdomain | In-Scope | Open | None |
| Security Other | 130396 | Add restbase test url to ZAP seeding | In-Scope | Open | None |
| Security Other | 132720 | ApiHelp on api.php should set OutputPage::disallowUserJs | In-Scope | Open | None |
| Security Other | 132934 | Security review of TWL | In-Scope | Open | None |
| Security Other | 133735 | Formalize procedures for doing security releases of MediaWiki extensions | In-Scope | Open | None |
| Security Other | 135963 | Add support for Content-Security-Policy (CSP) headers in MediaWiki | In-Scope | Open | None |
| Security Other | 137016 | Allow more than 1 password reset per 24 hours | In-Scope | Open | None |
| Security Other | 137599 | MediaWiki as candidate for Mozilla funded code audit | In-Scope | Open | None |
| Security Other | 138783 | SVG Upload should (optionally) allow the xhtml namespace | In-Scope | Open | None |
| Security Other | 140270 | Determine a core set or a checklist of permissions for deployment purpose | In-Scope | Open | None |
| Security Other | 143790 | $wgBlockDisablesLogin = true; + $wgEmailConfirmToEdit = true; causes the wiki to be inaccessible for anonymous users | In-Scope | Open | None |
| Security Other | 149588 | Create password policy using AntiSpoof | In-Scope | Open | None |
| Security Other | 149743 | Prevent user from continuing until they change their password | In-Scope | Open | None |
| Security Other | 150049 | Enable $wgCaptchaDeleteOnSolve | In-Scope | Open | None |
| Security Other | 150300 | icinga notification if elevated writing to badpass.log | In-Scope | Open | None |
| Security Other | 150577 | Enable OATHAuth for all users | In-Scope | Open | None |
| Security Other | 150580 | Throttle IP when doing many successful login attempts | In-Scope | Open | None |
| Security Other | 150582 | Support two-factor authentication in AutoWikiBrowser | In-Scope | Open | None |
| Security Other | 150605 | Publish an analysis of the OurMine hack | In-Scope | Open | None |
| Security Other | 150626 | Suggest users with short passwords change them | In-Scope | Open | None |
| Security Other | 150647 | Deploy EncryptedPassword to WMF | In-Scope | Open | None |
| Security Other | 150853 | Create a burn-down list of administrator accounts without 2FA or password changes since 11 November | In-Scope | Open | None |
| Security Other | 151425 | Enlarge Popular Password File to 100,000 entries | In-Scope | Open | None |
| Security Other | 152219 | Statistics on Captcha success/failure rate | In-Scope | Open | None |
| Security Other | 152934 | Log accessing private information by those with 'abusefilter-private' permission | In-Scope | Open | None |
| Security Other | 152972 | Accessing private information through SecurePoll should be logged | In-Scope | Open | None |
| Security Other | 153691 | Strengthen two factor authentication by making it concurrent instead of sequential during the authentication process | In-Scope | Open | None |
| Security Other | 156445 | Streamline/automate MW tarball security release process | In-Scope | Open | None |
| Security Other | 156757 | Add examples of the three security review processes | In-Scope | Open | None |
| Security Other | 157500 | Query percentage of English Wikipedia admins without 2FA | In-Scope | Open | None |
| Security Other | 158119 | Add Security.md to MediaWiki Core? | In-Scope | Open | None |
| Security Other | 160357 | Allow those with CheckUser right to access AbuseLog private information on WMF projects | In-Scope | Open | None |
| Security Other | 162171 | Become a CVE Numbering Authority (CNA) for MediaWiki and extensions | In-Scope | Open | None |
| Security Other | 164340 | Request to add TerraCodes to the "oathauth-tester" group on meta | In-Scope | Open | None |
| Security Other | 166622 | Allow all users on all wikis to use OATHAuth | In-Scope | Open | None |
| Security Other | 169676 | Remove EducationProgram in favour of EducationDashboard | Screep | Open | None |
| Security Other | 170927 | Make wbqc_constraints table available on Quarry et al. | Screep | Open | None |
| Security Other | 28227 | Notify user by email when password changed | In-Scope | Open | None |
| Security Other | 173370 | Support restricted execution of external commands | Screep | Open | None |
| Security Other | 28508 | Content Security Policy (CSP) | In-Scope | Open | None |
| Security Other | 56713 | Non-NDA users cannot access graphite.wikimedia.org | In-Scope | Open | None |
| Security Other | 61702 | Examine which extensions are installed on login.wikimedia.org (loginwiki) and vote.wikimedia.org (votewiki) | In-Scope | Open | None |
| Security Other | 75953 | RFC: MediaWiki HTTPS policy | In-Scope | Open | None |
| Security Other | 75958 | Refactor Title to make permission checking its own class | In-Scope | Open | None |
| Security Other | 76158 | Pitfalls checklist for software using AGPL | In-Scope | Open | None |
| Security Other | 88083 | Mobile apps users should not be shown captchas when creating accounts | In-Scope | Open | None |
| Security Other | 90033 | Support 1password for login | In-Scope | Open | None |