The Mediawiki auth plugin has to contact admin.fedoraproject.org in
order to look up the users and verify their passwords. It's using curl
to do so. One of the options being given to curl is the following:

    # This is only required because of the wildcard cert on pt10
    curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, FALSE);

That turns off verifying the host via SSL. From the comment it appears
to only be needed with the test FAS server. I'd like to comment this
line out.

This is a flaw that potentially opens us to a DNS spoofing attack to
compromise authentication. Luckily for us, there is a problem with
routing to admin.fedoraproject.org within PHX so we have an /etc/hosts
entry for admin.fp.o that directs the wiki to use an internal IP
address. That means for this flaw to affect us, someone would have to
compromise the /etc/hosts files rather than a DNS server. So we should
fix this but compromising it is not as easy.

If this fails, we will see authentication failures when we try to log in
to the wiki and can revert.

Can I get a couple +1's?
-Toshio
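
The setting discussed in the message above, shown with host name verification left on and a fail-closed error path. This is an added example, not the wiki plugin's own code: the function name `fas_request`, the timeouts, the optional CA bundle argument and the placeholder URL path are assumptions.

```php
<?php
/**
 * POST to the account system with certificate and host name checks enabled.
 * Returns the response body, or null when the caller must treat the
 * attempt as a failed login (fail closed).
 */
function fas_request(string $url, array $fields, ?string $caBundle = null): ?string
{
    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_POST           => true,
        CURLOPT_POSTFIELDS     => http_build_query($fields),
        // Verify the certificate chain against trusted CAs.
        CURLOPT_SSL_VERIFYPEER => true,
        // 2 = the certificate must name the host in $url. The name is taken
        // from the URL, so an /etc/hosts entry that changes the IP address
        // does not change which name the certificate has to match.
        CURLOPT_SSL_VERIFYHOST => 2,
        CURLOPT_FOLLOWLOCATION => false,
        CURLOPT_CONNECTTIMEOUT => 5,
        CURLOPT_TIMEOUT        => 15,
    ]);
    if ($caBundle !== null) {
        // Optional: trust only this CA bundle (path supplied by the caller).
        curl_setopt($ch, CURLOPT_CAINFO, $caBundle);
    }

    $body  = curl_exec($ch);
    $errno = curl_errno($ch);
    $error = curl_error($ch);

    if ($body === false) {
        // Separate certificate failures from ordinary network errors so a
        // name mismatch stands out in the logs after the change goes live.
        $tlsErrors = [CURLE_SSL_CACERT, CURLE_SSL_PEER_CERTIFICATE];
        $kind = in_array($errno, $tlsErrors, true) ? 'TLS verification' : 'transport';
        error_log("FAS request failed ($kind, curl errno $errno): $error");
        return null;
    }
    return $body;
}

// Constructed usage; the path and field names are placeholders:
// $reply = fas_request('https://admin.fedoraproject.org/PLACEHOLDER',
//                      ['username' => 'alice', 'password' => 'example']);
// if ($reply === null) { /* deny the login */ }
```

A certificate that does not name the host shows up as a "TLS verification" log entry and a denied login, which matches the authentication failures the message expects to see if the change has to be reverted.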