Project:Support desk

We are looking for guidance on remediating a security vulnerability that Invicti (Netsparker) identified on:

https://website/wiki/Special:Watchlist.

The scan has highlighted the word "token" in the http response. (ex: mw.user.tokens.set, wltoken, ...)

We are not sure of which cookie the remediation notes are referring to when it says using the SameSite Cookie attribute will mitigate the issue.

Invicti Enterprise reported a Possible BREACH Attack issue because the target web page meets the following conditions that facilitate it:

• Served from a server that uses HTTP-level compression (ie. gzip)
• Reflects user-input in the HTTP response bodies
• Contains sensitive information (such as a CSRF token) in HTTP response bodies

To mitigate the issue, we recommend the following solutions:

1. If possible, disable HTTP level compression
2. Separate sensitive information from user input
3. Protect vulnerable pages with CSRF token. The SameSite Cookie attribute will mitigate this issue, because to exploit this issue an attacker forces the victim to visit a target website using invisible frames. With the SameSite cookie attribute added, cookies that belong to the target won't be sent with a request that does not include top level navigation.
4. Hide the length of the traffic by adding a random number of bytes to the responses.
5. Add in a rate limit, so that the page maximum is reached five times per minute.

Key word being "possible". This is not an actual breach attack vulnerability, just a false positive. At least for mw.user.tokens.set.

For, wltoken, there is a theoretical possibility it might be subject to a breach-style attack, however it seems like such an attack is not really plausible in practise, and the risk is low as wltoken only controls watchlist access.

Filed phab:T374766. If you create a phabricator account and tell me your phab username, i will add you to the ticket.

Currently using MediaWiki version 1.39.1.

The article for the page table says "The text of the page itself is stored in the text table. To retrieve the text of an article, MediaWiki first searches for page_title in the page table. Then, page_latest is used to search the revision table for rev_id, and rev_text_id is obtained in the process. The value obtained for rev_text_id is used to search for old_id in the text table to retrieve the text."

However, there is no rev_text_id in the revision table anymore. I believe this changed in more recent versions. I have been trying to figure out how to get the right entry in the text table for a given page (the latest revision of that page) and not sure how to do this now. If anyone could help that would be very appreciated!

There is an example at https://www.mediawiki.org/wiki/Manual:Page_table#Listing_pages_and_relations_with_other_essential_tables

You look up page, find page_latest, look that up in slots table unser slots_revision_id, find slot_content_id, look that up in content, find content_address, remove the tt: prefix, look that up in text table as the old_id.

However it is generally reccomended you dont do this. Instead fetch page contents via api or getText.php

I have created a "data" page with a single, sortable wikitable (with six columns of information).

This is a very large table (well over 3000 rows now, and it will eventually reach more than 5000 rows). Besides raw data, each row contains a link to a distinct article. As it stands, the page is quite useful. Nevertheless, I want to enhance its value by letting users apply filters to the table so that only the filtered rows are displayed. Chief among the filters that must be available would be a Category filter. And I also want to offer a filter based on search string.

I have seen something similar to what i want on Special pages. For example, Special:All_pages has something like that. Is it possible to do the same thing on my own page?

Not really, but Maybe extension:PageForms + extension:Cargo could do something like it.

@Bawolff thanks for giving some thought to my question and your reply. However, having cast a quick glance at those two extensions, I'm also thinking "not really". :)

There are also Extension:ContainerFilter and Extension:TableTools. "TableTools" has a dependency to Extension:VueJsPlus and unfortunately lacks documentation. One can use the CSS class datagrid on any regular wikitext table to enable it.

@Osnard thanks. Yes, I have looked at the BlueSpice extensions. From what I can tell, they add some cosmetic value but are mostly dependent on the existing data in the table's columns. What would be most useful for me is to filter on the basis of information not available in the columns but rather stored within Categories. But I have concluded that this is probably not possible at present... at least not without more work than I am prepared to invest on it.

You could 100% do that with Cargo. It has a built-in "Drilldown" page with filters. You can use your own template to replace the standard list with a table.

Also, for queries it has a dynamic table output format, though I don't know whether it would cope with a 5000-line table. Maybe ask on the extension's talk page.

@Jonathan3, thanks for the input. I just looked closer at Cargo. Yes, it might work. But there were some caveats in the documentation. Unfortunately, it seems that the installation and configuration of this extension would require more technical exxpertise than I currently have, in other words, the sysop that I currently am missing. :) I will keep this in mind for the future.

I think there is a template that is missing from my wiki since I have only 2 pages on there.

Help:Cite, like William Shakespeare, it doesn't work. I copied and pasted the code and what did it do? NOTHING!

What code have you pasted? Also have you enabled the relevant extension Extension:Cite?

The code that I pasted was this:

The Sun is pretty big.<ref>E. Miller, ''The Sun'', (New York: Academic Press, 2005), 23–25.</ref> The Moon, however, is not so big.<ref>R. Smith, "Size of the Moon", ''Scientific American'', 46 (April 1978): 44–46.</ref>

==Notes==
<references />

Also, no, I haven't enabled the extension. I'm not even sure how to do it.

Ok you now need the extension mentioned above for that to work correctly. See Manual:Installing extensions

I think that saw the extension's folder, but does that mean that it is installed?

It probably means it's downloaded not installed. Please read Extension:Cite from the top.

I think that I downloaded it just a few seconds ago.

But it still doesn't work and I still see the code even after I saved the changes.

That is, I want the code to work and stay hidden outside of editing, but this just is not happening.

Never mind, I got the extension to work! I just added some code in the local settings and it works!

Wiki creation is stuck, what should I do?

Stuck on stage

Creating a Home Page with Default Content...

@LigindaLeg1: How are you installing it? It sounds like you might be using a wikifarm or one-click installer (because I don't think there's any message like that during a new install).

I installed the wiki by downloading the file MediaWiki-1.42.1.zip and transferring all the files from it to the site directory

Does your php error log report any errors?

Hi, Im new here. Im very happy and excited to be able to be part of this community. However I have been unable to complete my page setup as an automatic message pops up saying Im unable to introduce the information as there are too many references to digital computers. This new country is entirely digital, that is the point! However I am not able to complete or save the process. I would like to publish it to complete it with more information however I am unable to continue. I tried contacting administrators to report the error however I am finding it impossible to reach anyone. Please help! Thank you! John A. Smith

Which website is this in reference to?

MediaWiki:Common.css

.WD-Ausartung, .WD-Gewalt {cursor:help; border-bottom:1px dotted #000; display:inline-block; position:relative}

.WD-Ausartung:before, .WD-Gewalt:before {background-color:#d0dcf1; border-radius:6px; bottom:120%; color:#000; font-size:13px; left:50%; max-width:340px; opacity:0; padding:8px 12px; position:absolute; text-align:justify; transform:translateX(-50%); transition:opacity 1s; visibility:hidden; box-shadow:0 0 8px rgba(27,27,27,0.6); width:max-content; content:attr(data-tooltip)}

.WD-Ausartung:hover:before, .WD-Gewalt:hover:before, .WD-Ausartung:hover:after, .WD-Gewalt:hover:after {opacity:1; visibility:visible}

MediaWiki:Common.js

$(document).ready(function() {

   $('.WD-Ausartung').hover(function() {

       // Set the tooltip content from the data attribute

       $(this).attr('data-tooltip', 'Lorem ipsum dolor sit amet, consectetuer adipiscing elit. Aenean commodo ligula eget dolor. Aenean massa. Cum sociis natoque penatibus et magnis dis parturient montes, nascetur ridiculus mus. Donec quam felis, ultricies nec, pellentesque eu, pretium quis, sem. Nulla consequat massa quis enim. Donec pede justo, fringilla vel, aliquet nec, vulputate eget, arcu. In enim justo, rhoncus ut, imperdiet a, venenatis vitae, justo. Nullam dictum felis eu pede mollis pretium. Integer tincidunt. Cras dapibus. Vivamus elementum semper nisi. Aenean vulputate eleifend tellus. Aenean leo ligula, porttitor eu, consequat vitae, eleifend ac, enim. Aliquam lorem ante, dapibus in, viverra quis, feugiat a, tellus. Phasellus viverra nulla ut metus varius laoreet. Quisque rutrum. Aenean imperdiet. Etiam ultricies nisi vel augue. Curabitur ullamcorper ultricies nisi. Nam eget dui. Etiam rhoncus. Maecenas tempus, tellus eget condimentum rhoncus, sem quam semper libero, sit amet adipiscing sem neque sed ipsum. Nam quam nunc, blandit vel, luctus pulvinar, hendrerit id, lorem. Maecenas nec odio et ante tincidunt tempus. Donec vitae sapien ut libero venenatis faucibus. Nullam quis ante. Etiam sit amet orci eget eros faucibus tincidunt. Duis leo. Sed fringilla mauris sit amet nibh. Donec sodales sagittis magna. Sed consequat, leo eget bibendum sodales, augue velit cursus nunc,');

   }, function() {

       // Clear the tooltip content

       $(this).attr('data-tooltip', '');

   });

});

What modification in the javascript needs to be done to prevent the popup or tooltip from going off-screen?

You could just use the title attribute instead.

How to restrict double extension file in file upload feature

you can use tools like extension:SpamBlacklist or extension:AbuseFilter to restrict filenames.

Still working on migrating from a 1.35 Mediawiki on Centos 7, to 1.42 on Ubuntu. The Wiki is up and running fine, except for the LDAP connection.

I've tried to follow some guides, and also tried to get to know the different extensions when that didn't work well. I got a lot further from studying them - but not far enough.

When I try to log in with a domain user now, the MediaWiki login feedback is: User cannot be authenticated

In pluggableauth.log:

mediawiki: Getting PluggableAuth instance

mediawiki: Plugin name: LDAPAuthentication2

mediawiki: Authentication failure.

In LDAPAuthentication2.log:

mediawiki: Try to authenticate user: frodobaggins

mediawiki: Not local login. Checking LDAP...

mediawiki: LDAP domain: intratriona.se

mediawiki: Username not found in user info provided by LDAP!Please check LDAP domain configuration. Specifically usernameattribute

mediawiki: LDAP user info results for user frodobaggins: Array

(

<snip>

[samaccountname] => FrodoBaggins

LocalSettings.php and ldapprovider.json are as follows:

LocalSettings.php - LDAP part

wfLoadExtension('PluggableAuth');

wfLoadExtension('LDAPProvider');

wfLoadExtension('LDAPAuthentication2');

wfLoadExtension('LDAPAuthorization');

wfLoadExtension('LDAPUserInfo');

wfLoadExtension('LDAPGroups');

$LDAPProviderDomainConfigs = "/srv/mediawiki/ldapprovider.json";

$LDAPAuthentication2UsernameNormalizer = 'strtolower';

$LDAPAuthorizationAutoAuthUsernameNormalizer = 'strtolower';

$wgLDAPGroupUseFullDN = false; # Use short group names instead of full DNs (optional)

$wgLDAPGroupsPrevail = false;   # LDAP groups take precedence over MediaWiki's internal group settings

$wgPluggableAuth_Config['Domain login'] = [

       'plugin' => 'LDAPAuthentication2',

       'data' => [

           'domain' => 'ourfirm.com',

       ],

];

$wgLDAPPreferences = [

   "ourfirm.com" => [

       "email" => "mail",

       "realname" => "displayname"

       ]

];

------------------------

ldapprovider.json

{

   "ourfirm.com": {

       "connection": {

           "server": "ldaps.ourfirm.com",

           "port": "636",

           "user": "<password",

           "pass": "<username>",

           "enctype": "ssl",

           "options": {

               "LDAP_OPT_DEREF": 1

           },

           "basedn": "DC=ourfirm,DC=com",

           "groupbasedn": "OU=Groups,OU=Tech,DC=ourfirm,DC=com",

           "userbasedn": "OU=Users,OU=Tech,DC=ourfirm,DC=com",

           "searchattribute": "sAMAccountName",

           "usernameattribute": "sAMAccountName",

           "realnameattribute": "displayname",

           "emailattribute": "mail"

       },

       "authorization": {

           "rules": {

               "groups": {

                   "required": ["CN=Tech Users,OU=Admin,DC=ourfirm,DC=com"]

               }

           }

       }

   }

}

Any help with this would be much appreciated!

After installing the wiki, I get an HTTP ERROR 500 error when I try to connect to the site, what should I do?

An error 500 usually leaves a trace in the server logs. Check the webserver and PHP error logs for hints.

You can also try to temporarily enable error reporting to be send to the Client in PHP itself. See Manual:How_to_debug#PHP_errors.