Change Request -- mediawiki auth plugin

Nigel Jones nigjones at redhat.com
Fri Jan 30 23:45:55 UTC 2009


+1

IIRC we needed this at the time of deployment (was it before the wildcard?), but it certainly seems to not be an issue now.

- Nigel
----- "Toshio Kuratomi" <a.badger at gmail.com> wrote:

> Toshio Kuratomi wrote:
> > The Mediawiki auth plugin has to contact admin.fedoraproject.org in
> > order to lookup the users and verify their passwords.  It's using curl
> > to do so.  One of the options being given to curl is the following:
> > 
> >   # This is only required because of the wildcard cert on pt10
> >   curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, FALSE);
> > 
> > That turns off verifying the host via SSL.  From the comment it appears
> > to only be needed with the test FAS server.  I'd like to comment this
> > line out.
> > 
> > This is a flaw that potentially opens us to a DNS spoofing attack to
> > compromise authentication.  Luckily for us, there is a problem with
> > routing to admin.fedoraproject.org within PHX so we have an /etc/hosts
> > entry for admin.fp.o that directs the wiki to use an internal IP
> > address.  That means for this flaw to affect us, someone would have to
> > compromise the /etc/hosts files rather than a DNS server.  So we should
> > fix this but compromising it is not as easy.
> > 
> > If this fails, we will see authentication failures when we try to login
> > to the wiki and can revert.
> > 
> > 
> After looking at this a little more with G, there are two settings to
> toggle:
> 
> CURLOPT_SSL_VERIFYPEER
> CURLOPT_SSL_VERIFYHOST
> 
> They're both set to off right now and I'd like to turn them both back
> on.  Tested with a small php script that turning them on doesn't
> interfere with retrieving data.
> 
> > Can I get a couple +1's?
> 
> -Toshio
> 
> 
> _______________________________________________
> Fedora-infrastructure-list mailing list
> Fedora-infrastructure-list at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-infrastructure-list
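A probe script in the spirit of the "small php script" Toshio mentions, added here as an example; it is not part of the original thread, the MediaWiki auth plugin, or Fedora Infrastructure's code. The URL path, the CA bundle location and the function name fas_probe() are assumptions, and the script needs network access to the host it checks. It keeps the two weak options in a comment beside the corrected ones and separates a certificate or hostname verification failure from a routing or HTTP error, which matters because the plan above is to use login failures as the signal to revert: a verification error after the change means the certificate or CA bundle needs fixing, not that the options should go back to FALSE.

```php
<?php
// Added example, not the MediaWiki auth plugin's own code.
// Assumptions: the URL below (admin.fedoraproject.org is from the thread, the
// path is not), the CA bundle path, and the made-up name fas_probe().

function fas_probe($url, $cafile = '/etc/pki/tls/certs/ca-bundle.crt')
{
    $ch = curl_init($url);

    // The two options the thread found switched off.  With both FALSE any
    // certificate from any host is accepted, so whoever controls name
    // resolution for admin.fedoraproject.org (a DNS server or the wiki's own
    // /etc/hosts) can stand in for FAS and collect the user lookups and
    // password checks the plugin sends.
    //
    //   curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, FALSE);
    //   curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, FALSE);
    //
    // Corrected settings:
    curl_setopt_array($ch, array(
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_SSL_VERIFYPEER => true,            // chain must validate against $cafile
        CURLOPT_SSL_VERIFYHOST => 2,               // host in URL must match the cert; 2, not TRUE (1)
        CURLOPT_CAINFO         => $cafile,
        CURLOPT_PROTOCOLS      => CURLPROTO_HTTPS, // never talk plain http to the FAS server
        CURLOPT_FOLLOWLOCATION => false,           // a redirect off-host is a failure, not a feature
        CURLOPT_CONNECTTIMEOUT => 10,
        CURLOPT_TIMEOUT        => 20,
    ));

    $body   = curl_exec($ch);
    $errno  = curl_errno($ch);
    $error  = curl_error($ch);
    $status = (int) curl_getinfo($ch, CURLINFO_HTTP_CODE);
    curl_close($ch);

    // libcurl reports certificate problems with their own error codes.  Keep
    // them apart from other failures so an operator can tell "verification
    // now rejects this certificate" from "routing to the host broke again".
    $tls_codes = array(
        CURLE_SSL_PEER_CERTIFICATE,  // 51: older libcurl, cert/hostname check failed
        CURLE_SSL_CACERT,            // 60: chain or hostname does not verify
        CURLE_SSL_CACERT_BADFILE,    // 77: the CA bundle itself could not be read
    );

    if ($errno !== 0) {
        $kind = in_array($errno, $tls_codes, true) ? 'tls-verification' : 'transport';
        return array('ok' => false, 'kind' => $kind, 'errno' => $errno, 'error' => $error);
    }
    if ($status < 200 || $status >= 300) {
        return array('ok' => false, 'kind' => 'http', 'status' => $status);
    }
    return array('ok' => true, 'status' => $status, 'bytes' => strlen($body));
}

// Usage: php fas_probe.php [url]
// Non-zero exit on any failure, so it can run from cron or as a pre-deploy check.
$url = isset($argv[1]) ? $argv[1] : 'https://admin.fedoraproject.org/accounts/';
$r = fas_probe($url);
if ($r['ok']) {
    printf("OK   %s  HTTP %d, %d bytes, certificate and hostname verified\n",
           $url, $r['status'], $r['bytes']);
    exit(0);
}
if ($r['kind'] === 'tls-verification') {
    fprintf(STDERR, "FAIL %s  TLS verification (curl %d): %s\n", $url, $r['errno'], $r['error']);
    fprintf(STDERR, "     fix the certificate or CA bundle; do not turn VERIFYPEER/VERIFYHOST back off\n");
} elseif ($r['kind'] === 'transport') {
    fprintf(STDERR, "FAIL %s  transport (curl %d): %s\n", $url, $r['errno'], $r['error']);
} else {
    fprintf(STDERR, "FAIL %s  HTTP %d\n", $url, $r['status']);
}
exit(1);
```

Two details worth knowing when re-enabling these options: CURLOPT_SSL_VERIFYHOST wants the integer 2 (the value 1 was a weaker check that newer libcurl rejects outright), and VERIFYPEER needs a CA bundle that actually contains the issuer of the FAS certificate, which is the usual reason the first run after turning verification on fails.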
