Change Request -- mediawiki auth plugin
Mike McGrath
mmcgrath at redhat.com
Fri Jan 30 23:45:14 UTC 2009
On Fri, 30 Jan 2009, Toshio Kuratomi wrote:
> Toshio Kuratomi wrote:
> > The Mediawiki auth plugin has to contact admin.fedoraproject.org in
> > order to lookup the users and verify their passwords. It's using curl
> > to do so. One of the options being given to curl is the following:
> >
> > # This is only required because of the wildcard cert on pt10
> > curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, FALSE);
> >
> > That turns off verifying the host via SSL. From the comment it appears
> > to only be needed with the test FAS server. I'd like to comment this
> > line out.
> >
> > This is a flaw that potentially opens us to a DNS spoofing attack to
> > compromise authentication. Luckily for us, there is a problem with
> > routing to admin.fedoraproject.org within PHX so we have an /etc/hosts
> > entry for admin.fp.o that directs the wiki to use an internal IP
> > address. That means for this flaw to affect us, someone would have to
> > compromise the /etc/hosts files rather than a DNS server. So we should
> > fix this but compromising it is not as easy.
> >
> > If this fails, we will see authentication failures when we try to login
> > to the wiki and can revert.
> >
> After looking at this a little more with G, there's two settings to toggle:
>
> CURLOPT_SSL_VERIFYPEER
> CURLOPT_SSL_VERIFYHOST
>
> They're both set to off right now and I'd like to turn them both back
> on. Tested with a small php script that turning them on doesn't
> interfere with retrieving data.
>
> > Can I get a couple +1's?
>
+1 from me.
-Mike
More information about the infrastructure
mailing list