MeatballWiki | RecentChanges | Random Page | Indices | Categories

The security issue for InterMapTxt is this:

Suppose an attacker creates a website which contains a single script. The script ignores any arguments or parameters, and returns "bad" HTML code. This "bad" HTML code might take advantage of holes in ActiveX, Java, Javascript, or other parts of the browser. Depending on what browser/OS the user has, and which features they have enabled, the consequences could be drastic.

Normally, this isn't much of a problem. One trusts ordinary sites not to link to such places. On most sites publically editable content (which could link to bad sites) is separated from the main site content, so it is clear who is responsible.

On a wiki, however, anyone can edit (almost) any text on the site, including older trusted text. People learn to deal with the problems of trust in a wiki, and should be skeptical of strange claims on a page. For instance, if the CliffordAdams page claims that Cliff has always hated Perl (and that FORTRAN is the One True Scripting Language), then someone else has probably been having some fun.

One can enjoy the strange insecurities of a wiki, and even laugh at weird edits made by third parties. The fun stops when editors can cause immediate serious damage, especially if the victims didn't think they were at risk.

On some wikis (which allow arbitrary HTML), a single malicious person could damage several systems (before they are blocked from editing). On other wikis which allow arbitrarily-named remote links, "CliffordAdams" or "RecentChanges" could be a link to a bad/damaging site. On wikis which allow InterWiki editing, "MeatBall:RecentChanges" could be bad. Finally, on most sites (including here), "http://www.some.bad.site.example/mystuff" could be a bad link, but at least one knows where one is going.



MeatballWiki | RecentChanges | Random Page | Indices | Categories
Edit text of this page | View other revisions | Search MetaWiki