[01:12:25] <kevindank>	 Hello, im having a spam issue that is causing the site to redirect users upon page load on mobile
[01:12:40] <kevindank>	 i believe its due to a sql injection but im unsure which table to look at
[01:28:21] <kevindank>	 .j #mysql
[02:21:44] <kevindank>	 is there a specific table i should look at for that sql injection?
[02:43:42] <kevindank>	 https://stackoverflow.com/questions/53815013/wordpress-website-redirecting-to-sslgateway-com is what im getting
[02:43:50] <kevindank>	 but on my mw instal
[07:46:10] <doebi>	 heyho. i need to rename a bunch of users. 8 in total, 4 of which have edits. is it safe to do directly in the database or should i install the extensions?
[07:57:51] <legoktm>	 doebi: you should really use the Renameuser extension
[07:58:30] <doebi>	 legoktm: alright, thanks
[07:58:57] <doebi>	 i already deleted those with no edits^^
[08:13:02] <doebi>	 can i hide special paes from public?
[08:52:13] <jubo2>	 doebi: how does one delete users with no edits safely?
[08:53:29] <jubo2>	 I got a wiki that got hit by a mass of bot account registrations in 2010 and a few other times (before I installed the extension that makes people request an account, rather than just create a (ton of) account(s)
[09:50:00] <p858snake>	 !usermerge jubo2
[09:50:25] <jubo2>	 resident bot not working?
[09:50:42] <p858snake>	 jubo2: https://www.mediawiki.org/wiki/Extension:UserMerge is probably the safest way
[09:50:50] <jubo2>	 Cheers p858snake
[09:50:57] <p858snake>	 just merge them all into a single account
[09:50:58] <jubo2>	 You are a helpful fellow
[09:53:05] <jubo2>	 p858snake: the problem is just that there are like 64k bot regged accounts (and about ~ 120 real human regged accounts)
[10:31:55] <doebi>	 i just did a "delete from user where user_id=123" directly in the db. didn't cause any problems so far
[13:30:20] <kevindank>	 Hello, Im experiencing a sql injection that is basically showing when users visit special:Recentchanges on mobile devices.  It redirects to a specific website.  its similar to the wordpress attack listed here: https://stackoverflow.com/questions/53815013/wordpress-website-redirecting-to-sslgateway-com im unsure if theres a specific table i should be looking at?
[13:30:25] <kevindank>	 or if anyone knows of a waw to fix.
[13:46:48] <kevindank>	 its also weird that the sql injection redirect is only showing on mobile and only on special:Recentchanges
[13:47:03] <kevindank>	 i looked at the table structure but i dont understand where this may be residing in the db
[13:53:49] <bawolff>	 kevindank: What makes you think its an sql injection
[13:53:49] <bawolff>	 As opposed to some other style of attack
[13:55:19] <bawolff>	 kevindank: On mobile - I assume that means only when mobilefrontend is activated?
[13:55:28] <kevindank>	 mobilefrontend is not installed or activated
[13:55:58] <kevindank>	 it doesnt even occur when you use a desktop and resize the screen to mobile view...only on mobile devices when you visit special:recentchanges
[13:56:31] <kevindank>	 im assuming its a sql injection because from research it looks like on wordpress that it uses the same url sslgateawys and injects it into the db.
[13:59:14] <andre__>	 kevindank: I could only reproduce this once on that website, but closing my private browser session and going to that website again, it does not happen anymore. Weird.
[14:00:26] <andre__>	 kevindank: That site tries to load stuff from adsonflags.com and content-ad.net, is that intentional?
[14:01:59] <kevindank>	 im assuming its sometype of javascript that detects your device type and then redirects based off that
[14:02:41] <kevindank>	 right now im going through every db table and just manually trying to look for sslgateway or any javascript type injection but im not having much luck and this db is huge
[14:02:46] <bawolff>	 I would start by trying to eliminate things - f
[14:03:18] <bawolff>	 Irst i would check no php files have been modified
[14:05:58] <bawolff>	 E.g. using a tool like diff -r
[14:06:19] <andre__>	 kevindank: For the records, there is also weird JS injected by Cloudflare under /cdn-cgi/apps/head/SEnd_iQWpRi1rDuyjVCSSAq6RVw.js on that site
[14:06:33] <andre__>	 Might also be your hosting service going unintentionally nuts.
[14:06:46] <bawolff>	 For db - id suggest starting with objectcache table. Note it might be gziped in db
[14:08:45] <bawolff_>	 If you could capture the malicious html that gets returned, that might help narrow things down
[14:09:05] <kevindank>	 bawolff_: objectcache is empty
[14:09:31] <kevindank>	 bawolff_ :https://stackoverflow.com/questions/53815013/wordpress-website-redirecting-to-sslgateway-com 
[14:09:31] <bawolff_>	 Its also possible that something malicious is in the apcu or memcached stores (if you use those)
[14:09:46] <kevindank>	 this is what its doing and theres the text, but thats centered around wordpress
[14:10:29] <bawolff_>	 I mean specificly the full html in your case. E.g. whether the <script> is inserted in the middle of the page or at the beginning or end, could help maybe tell what part of the system the malicious person compromised
[14:11:53] <bawolff_>	 Another place to look for in the db, would be the rc_params column of recentchanges table (and related log_params of logging table). These use serialized php, so they are a bit more high risk
[14:16:28] <bawolff_>	 N3X15: We actually do have support for comments in our json backend, we just decided not to use it for some reason I think
[14:22:10] <bawolff_>	 So you have various advertisements on your site, I guess there's a possibility its malvertising
[14:23:00] <bawolff_>	 Ideal situation would be if you could capture a HAR file of the redirect, but that may be hard without it consistently happening
[14:23:04] <kevindank>	 Yeah, thats possible as well
[14:27:12] <kevindank>	 site is using apc cache
[14:30:47] <kevindank>	 is there a way for me to rule out if its the db?
[14:31:04] <kevindank>	 like could i just create a new db, load it and see if the issue persists?
[14:34:31] <bawolff_>	 Hmm, i did manage to capture a HAR of the redirect
[14:34:41] <bawolff_>	 Now i just need to figure out how to interpret that
[14:39:51] <kevindank>	 looking at the view source code at javascript, i see revcontent but i think thats an ad service?
[14:50:13] <kevindank>	 and is it possible to block the link on my servers host file?
[14:53:43] <bawolff_>	 The hosts file only works for the current computer
[14:54:05] <bawolff_>	 In the interest of eliminating possibilities, could you disable all your advertisers and see if that makes the problem go away?
[14:54:49] <kevindank>	 yep
[14:55:03] <kevindank>	 i need to get access to the fileserver, right now i only have access to the db server
[16:29:46] <Bombo>	 hi
[16:31:46] <Bombo>	 i set $wgGroupPermissions['*']['createaccount'] = true; $wgGroupPermissions['*']['read'] = false; so no one can see the content without an account, but now it's not possible to create one, can it be done somehow? 
[16:33:08] <Bombo>	 like this: user visits wiki, sees no content 'to see content you need to have an account', clicks 'create account', auths via mail, logs in, sees content 
[16:39:17] <andre__>	 Bombo: What happens if you try to create a new account?
[17:02:48] <Bombo>	 andre__: it says 'you need to login to see this page' ;)
[17:04:20] <Skizzerz>	 Bombo: try adding $wgWhitelistRead[] = 'Special:CreateAccount';
[17:07:00] <andre__>	 I wonder if that is clear enough on https://www.mediawiki.org/wiki/Manual:Preventing_access#Restrict_viewing
[17:08:01] <Skizzerz>	 doesn't even seem to be mentioned htere
[17:08:02] <Skizzerz>	 *there
[17:08:31] <Bombo>	 Skizzerz: yes that worked! i had to add the german version 'Spezial:Benutzerkonto_anlegen' though
[17:08:38] <Skizzerz>	 ah yes
[17:09:25] <andre__>	 please feel free to extend the docs :)
[17:10:25] <Skizzerz>	 or we could make the default whitelist sane :P
[17:10:45] <Skizzerz>	 although... our config system isn't equipped for conditionally setting configs at the moment
[17:15:01] <Bombo>	 thx Skizzerz, indeed someone should add that to the page ;)
[17:18:43] <bawolff>	 I would expect it to check both english and localized names
[17:20:00] <bawolff>	 Guess it doesnt. That seems silly
[19:46:20] <legoktm>	 [10:10:45] <Skizzerz> although... our config system isn't equipped for conditionally setting configs at the moment <-- there's a hook for it where its more straightforwad to add localized special pages
[19:47:27] <Skizzerz>	 legoktm: I mean things like "add Special:RunJobs to whitelist automatically if $wgJobRunRate is nonzero"
[19:48:15] <Skizzerz>	 or "add Special:CreateAccount to whitelist automatically if $wgGroupPermissions['*']['createaccount'] = true"
[19:48:29] <legoktm>	 we should do those in core automatically as a DWIM thing
[19:48:51] <Skizzerz>	 both of those depend on config set in LocalSettings, but ideally we'd also let LocalSettings override those checks if the admin really did intend for that specific behavior
[19:49:10] <legoktm>	 there's no downside to whitelisting RunJobs since it's already protected behind a different key
[19:49:30] <Skizzerz>	 and largely no downside to whitelisting CreateAccount if there's no privs to do it either, I suppose
[20:06:30] <Hispano76>	 hi
[20:06:41] <legoktm>	 Skizzerz: also if you have time, I would appreciate a +2 on https://gerrit.wikimedia.org/r/c/mediawiki/extensions/StopForumSpam/+/492762
[20:07:12] <Hispano76>	 https://www.mediawiki.org/wiki/Topic:Utl1hr569671xomg anything new?
[20:07:21] <Hispano76>	 :(
[20:14:07] <Skizzerz>	 legoktm: is that suppression correct? We should possibly be checking for that return value
[20:14:33] <legoktm>	 Skizzerz: the CSV one?
[20:14:37] <Skizzerz>	 yeah
[20:15:15] <Skizzerz>	 I added a comment to the existing thread (in PS1) regarding the purpose of the check that's already there
[20:15:17] <legoktm>	 https://secure.php.net/manual/en/function.fgetcsv.php is documented to always return an array
[20:15:33] <Skizzerz>	 "fgetcsv() returns NULL if an invalid handle is supplied or FALSE on other errors, including end of file. "
[20:15:44] <Skizzerz>	 it can be boolean false as well
[20:16:03] <legoktm>	 okay
[20:16:06] <Skizzerz>	 (or null, but that can't really ever happen I think? Since invalid handle would fail at the while loop before it gets to fgetcsv)
[20:16:38] <legoktm>	 well end of file should break the while loop with the feof()
[20:17:04] <Skizzerz>	 yeah but it says "other errors, including end of file". As in, there are errors that are not EOF which cause a boolean false return
[20:17:10] <legoktm>	 I guess we can sanity check and throw an exception?
[20:17:10] <Skizzerz>	 at least, that's the implication I get from it
[20:17:37] <Skizzerz>	 probably best?
[20:18:31] <Skizzerz>	 anyway, afk for a bit
[21:03:49] <Nemo_bis>	 someone needs help with Solr https://github.com/freelawproject/courtlistener/issues/939