Change Request -- mediawiki auth plugin
Toshio Kuratomi
a.badger at gmail.com
Fri Jan 30 21:46:22 UTC 2009
The Mediawiki auth plugin has to contact admin.fedoraproject.org in
order to lookup the users and verify their passwords. It's using curl
to do so. One of the options being given to curl is the following:
# This is only required because of the wildcard cert on pt10
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, FALSE);
That turns off verifying the host via SSL. From the comment it appears
to only be needed with the test FAS server. I'd like to comment this
line out.
This is a flaw that potentially opens us to a DNS spoofing attack to
compromise authentication. Luckily for us, there is a problem with
routing to admin.fedoraproject.org within PHX so we have an /etc/hosts
entry for admin.fp.o that directs the wiki to use an internal IP
address. That means for this flaw to affect us, someone would have to
compromise the /etc/hosts files rather than a DNS server. So we should
fix this but compromising it is not as easy.
If this fails, we will see authentication failures when we try to login
to the wiki and can revert.
Can I get a couple +1's?
-Toshio
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 197 bytes
Desc: OpenPGP digital signature
Url : http://lists.fedoraproject.org/pipermail/infrastructure/attachments/20090130/335dcd04/attachment.bin
More information about the infrastructure
mailing list