#270 Fedora Wiki allows editing raw HTML
Closed: Fixed None Opened 12 years ago by ricky.

Currently, the wiki allows users to add unfiltered raw HTML to pages. Since knowing somebody's MOIN_ID gives full control over an account, this would make it trivial to steal cookies/accounts/do evil.

It'd be nice to disable this at some point, but right now, some pages are using this functionality:
[http://fedoraproject.org/wiki/?action=fullsearch&context=180&value=%7B%7B%7B%23%21html&fullsearch=Text Current pages using the raw HTML parser]


Fun, let's get the instructions on how to disable this for moin. I'm going to bring this up at the next meeting. As I understand it the only threat is becoming someone else, we can't, for example, harvest usernames / passwords, is that correct?

This also goes into a realm of trust with our developers. In general I like to try to treat the users as employees as far as trust goes. But at the same time we're in a pretty special environment and that doesn't always work.

Replying to [comment:1 mmcgrath]:

> Fun, let's get the instructions on how to disable this for moin. I'm going to bring this up at the next meeting. As I understand it the only threat is becoming someone else, we can't, for example, harvest usernames / passwords, is that correct?

I think it might be a plugin in /srv/web/wiki/data/plugin/parser/html.py. Yup, the only threat should be taking over a wiki account.

> This also goes into a realm of trust with our developers. In general I like to try to treat the users as employees as far as trust goes. But at the same time we're in a pretty special environment and that doesn't always work.

Definitely, I personally think that it's a very useful feature, but only certain publicly editable pages like EditGroupQueue really worry me. At the end, the amount of damage that can be done with this is pretty minimal, so I'm not really leaning one way or the other here.

Ricky, Paulo -

I know things have been on a lull lately ('tis the season); are you two still working on this?

Now that Moin1.6 is finally out, I would start with upgrading the wiki to Moin1.6 and then start from there?

Time to start a proper vote on the ML, using the new template !?

Yep I think so. Also I just found out another thing. The docs team relies heavily on raw html editing. This may end up being a non-starter.

however

https://fedorahosted.org/fedora-infrastructure/ticket/308

May also provide the security we're looking for to protect against this particular attack.

We don't rely on raw HTML for anything on the wiki, as far as I know. It may be used on a couple pages for cosmetics -- I think I've done so on my personal namespace, for example -- but if it disappears we're basically fine.

Still no moin 1.6 rpm available for us. Should we package a 1.6 version and throw it into the infrastructure repo until the owner decides to do it?

How about using SSL Client Certificate Authentication? Then, as far as I understand http://moinmo.in/HelpOnAuthentication, there would no longer be the MOIN_ID cookie, and the user management could be integrated easily into FAS, because koji also uses a client SSL certificate, so the infrastructure is already there.

Looks like this will solve itself when we move to mediawiki :)

MediaWiki will be solving this problem.
