The Signpost

Technology report

Major MediaWiki release, password security, vulnerable MediaWiki installations, and more

MediaWiki 1.16 released

The release of the latest version of MediaWiki (Version 1.16) was announced this week (Wikimedia Techblog); a separate, minor update (Version 1.15.5) was also released for operators unwilling or unable to upgrade fully. Both versions were billed as fixing an important "data leakage vulnerability" (wikitech-l mailing list). The milestone has little inherent significance for Wikimedians, since Wikimedia Foundation wikis run their own version of the MediaWiki software, which is usually well ahead of the official release. MediaWiki was originally developed with Wikipedia in mind but is now in use in some form or other on a number of other popular sites, including the commercial wiki host Wikia. System administrators of these other installations are encouraged to upgrade, both for security reasons and to take advantage of features introduced since the 1.15 milestone, reached more than a year ago. However, Wikimedians can be hopeful that the release is a sign of strength in the development community.

Study of web passwords includes Wikipedia

The handling of user passwords on 150 websites was analysed in a recent study. Joseph Bonneau and Sören Preibusch, researchers from the University of Cambridge who conducted the study (The password thicket: technical and market failures in human authentication on the web, see also blog post and downloadable data), called it "the first large-scale empirical analysis of password implementations deployed on the Internet". Wikipedia received a "password security score" of 4 out of 10, falling short of the optimal score with respect to several evaluation criteria: the password selection advice does not prohibit dictionary words, a minimum length (>1) is not required, the use of numbers or symbols in the password is not enforced, federated identity services are not supported (although a MediaWiki extension for OpenID exists), the user list is not protected from probing (the list is intentionally available), and TLS is normally not used to protect password submissions (the password is sent in cleartext when logging in. However, the secure server provides encrypted connections).

Asked by The Signpost for comment, Sören Preibusch said:

See also past Signpost coverage about password security on Wikipedia: Four administrator accounts desysopped after hijacking, vandalism, Administrator status restored to five accounts after emergency desysopping (about a 2007 incident which led to some changes in MediaWiki and the start of the page Wikipedia:Security), Blank passwords eliminated for security reasons (2006), Password security upgraded after Slashdot furor (2005, about an incident after which salted passwords were introduced).

95% of MediaWiki installations said to have a "serious vulnerability"

In an unrelated announcement, research published by Qualys – a private software security firm – has shown that 19 in every 20 MediaWiki installations are running software old enough to include "serious vulnerabilities", compared with fewer than 1 in 20 Wordpress installations (Wikimedia Techblog). Developer Tim Starling (one of only a handful of paid MediaWiki programmers) explained the startling figure:

In brief

Note: not all fixes may have gone live to WMF sites at the time of writing; some may not be scheduled to go live for many weeks.


















Wikipedia:Wikipedia Signpost/2010-08-02/Technology_report