(08-31-2021, 12:16 AM) Norgarth Wrote: I'm fairly clueless when it comes to programming of any sort, and this thought may be on the paranoid side...
But while the initial code wasn't malicious, could it have been a sort of test? See if the website allows it to work, if it does but gets caught "Oh I'm sorry", but revealing an opening for a later, more thought out and hostile code to be inserted.
Maybe I'm just tired...
This is absolutely what I do when I'm playing Red Team. I'm usually Blue Team though, and there I always start with something harmless as an exploit proof of concept before executing something that mutates data. Again, with server logs it might be possible to see if there were some odder requests being sent from the same IP -- a lot of times people just try a lot of requests and see if any of them get through. Certain security mistakes are distressingly common.
Anyway I can tell you that this kind of attack will not succeed, but also that reporting it to Miraheze staff was the right thing to do anyway. And if I were trying to hack, I'd ignore wiki pages and concentrate almost exclusively on the extensions. Wikimedia security is generally pretty hard, because Wikipedia is a big fat target. But all of this extension code written by randos (very nice randos giving free code, I may add) is much more likely to have a bug we missed in security review. Drive-by (ostensible) attacks like this past one won't succeed, but I think a more focused attack could. It's all about whether the hostile actor really gets the threat model, or if he's just after easy pickings.
"Kitto daijoubu da yo." - Sakura Kinomoto
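
The server-log review suggested in the post above, sketched as an added example that is not part of the original post or of any Miraheze tooling: it groups access-log requests by client IP and flags clients that tried many distinct paths and were mostly refused. It assumes Combined Log Format; the thresholds, IPs (documentation ranges) and paths are constructed for illustration.

```python
import re
from collections import defaultdict

# Combined Log Format: ip ident user [time] "METHOD path PROTO" status size ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

def parse(lines):
    """Yield (ip, path, status) for each well-formed line; skip the rest."""
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            yield m["ip"], m["path"], int(m["status"])

def probe_suspects(lines, min_paths=4, min_error_ratio=0.5):
    """Return {ip: summary} for clients that requested many distinct paths
    and got mostly 4xx answers (thresholds are assumed defaults)."""
    paths, errors, total = defaultdict(set), defaultdict(int), defaultdict(int)
    for ip, path, status in parse(lines):
        paths[ip].add(path)
        total[ip] += 1
        errors[ip] += 400 <= status < 500
    flagged = {}
    for ip, count in total.items():
        ratio = errors[ip] / count
        if len(paths[ip]) >= min_paths and ratio >= min_error_ratio:
            flagged[ip] = {"requests": count,
                           "distinct_paths": len(paths[ip]),
                           "error_ratio": round(ratio, 2)}
    return flagged

# Constructed sample data: one reader, one broken link, one noisy client.
_FMT = '{} - - [30/Aug/2021:23:{:02d}:00 +0000] "GET {} HTTP/1.1" {} 512 "-" "-"'
_ROWS = [
    ("198.51.100.7", "/index.php?title=Main_Page", 200),
    ("198.51.100.7", "/load.php", 200),
    ("198.51.100.7", "/index.php?title=Help", 200),
    ("192.0.2.10", "/index.php?title=Missing_Page", 404),
    ("203.0.113.50", "/index.php?title=Main_Page", 200),
    ("203.0.113.50", "/admin/", 404), ("203.0.113.50", "/backup.zip", 404),
    ("203.0.113.50", "/test.php", 404), ("203.0.113.50", "/old/", 403),
    ("203.0.113.50", "/config.bak", 404),
]
SAMPLE = [_FMT.format(ip, i, p, s) for i, (ip, p, s) in enumerate(_ROWS)]
SAMPLE.append("truncated line that is not a log entry")

if __name__ == "__main__":
    for ip, summary in probe_suspects(SAMPLE).items():
        print(ip, summary)
```

A flagged IP is a starting point for reading that client's full request history, not a verdict; crawlers and link checkers can also produce runs of 404s.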