yuanml wrote:
As [[User:formulax]] mentioned in
http://mail.wikipedia.org/pipermail/wikipedia-l/2004-September/017409.html
The guy called [[User:Yaohua2000]] today uploaded a text file, which
contains passwords of some users, to threaten us. We deleted the file
immediately, but the situation seems very dangerous for us now: one
can steal the passwords of our users.
The flood vandalism on Zh: several months ago was done by
[[User:Yaohua2000]]. This guy seems to be very clever but very evil
also.
There was really never any need to send out password hashes in cookies.
I made a quick patch to send out randomly generated tokens instead,
which have no relationship to the password.
Domas Mituzas wrote:
That user discovered the bug and reported it in #mediawiki. The best
solution would be to serve downloads from a separate domain, so project
cookies would not be affected.
There are stacks of methods which allow attackers to obtain cookies, we
discover them and fix them all the time. It's best if we minimise the
consequences.
-- Tim Starling
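The change Tim describes, a random session token in the cookie instead of a password hash, is shown below as an added example; it is not the patch from the thread or MediaWiki's code. The session store, the `SESSIONS` dictionary and the function names are assumptions for illustration. The token comes from the OS random source, so nothing in the cookie is derived from the password, and a session can be revoked without forcing a password change, which is what limits the damage when a cookie is stolen through one of the "stacks of methods" Tim mentions.

```python
import hashlib
import secrets
from typing import Dict, Optional

# Server-side session table, constructed for this example. Keys are SHA-256
# digests of the issued tokens, so a leaked copy of the table does not hand
# out usable cookies; values are the user each session belongs to.
SESSIONS: Dict[str, str] = {}


def _digest(token: str) -> str:
    """Hash a token before storing or looking it up."""
    return hashlib.sha256(token.encode("ascii")).hexdigest()


def issue_session_token(user_id: str) -> str:
    """Create a fresh random token for user_id and return it for the cookie.

    The token is 256 bits from the OS CSPRNG and has no relationship to the
    user's password: a stolen cookie cannot be turned back into a password,
    and invalidating the session does not require the user to change it.
    """
    token = secrets.token_urlsafe(32)
    SESSIONS[_digest(token)] = user_id
    return token


def user_for_cookie(token: str) -> Optional[str]:
    """Resolve a presented cookie value to a user, or None if unknown."""
    return SESSIONS.get(_digest(token))


def revoke_token(token: str) -> bool:
    """Log out one session; other sessions of the same user stay valid."""
    return SESSIONS.pop(_digest(token), None) is not None


def revoke_all_for_user(user_id: str) -> int:
    """Invalidate every session of a user, e.g. after a suspected cookie theft.

    Returns the number of sessions removed.
    """
    stale = [d for d, u in SESSIONS.items() if u == user_id]
    for d in stale:
        del SESSIONS[d]
    return len(stale)


if __name__ == "__main__":
    cookie = issue_session_token("alice")
    print("cookie value:", cookie)
    print("resolves to:", user_for_cookie(cookie))
    revoke_token(cookie)
    print("after logout:", user_for_cookie(cookie))
```

With a password hash in the cookie, every copy of the cookie stays valid until the password changes; with this scheme the server can drop a single row to invalidate a stolen cookie, and storing only the digest means an attacker who reads the session table still has nothing to present.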