On 12/06/13 05:16, Ingo Malchow wrote:
On Tuesday, 11 June 2013, 14:42:36, Chad wrote:
Indeed, it'd be pretty hard to do. Since we use git, anyone trying to sneak something in would break history and likely get noticed.
That is not entirely true. Considering the live website is at best a git clone and not the main git repo (or just an automatic mirror of the git sources), all you'd need is to get access to the server and secretly modify the live sources. You could also set up a git merge hook, where changes are pulled from git and on top of that your backdoor is applied again, so the sysadmins won't notice in the first place. No git commits involved here. Just food for thought ;)
Like Brion said, this is the MediaWiki list, so what you can do on a single live website is not really relevant.
It would probably be possible to insert a back door into MediaWiki, in the form of a non-obvious arbitrary script execution vulnerability. If it was done with care, by an agent planted long in advance, it would look like an honest mistake, if it was detected. But if I was running the CIA/NSA/FBI, I could imagine more interesting places to put agents.
-- Tim Starling
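
A defender's check for the scenario Ingo Malchow raises (live files changed outside git history, or a hook that re-applies changes after a pull), as an added example that is not part of the original thread. The function name `audit_deploy` and its two arguments are hypothetical; the expected commit is assumed to come from a trusted copy of the repository.

```shell
#!/bin/sh
# Added example: audit a deployed git checkout against the commit that a
# trusted copy of the repository says should be live.
# Usage: audit_deploy DIR EXPECTED_COMMIT   (both supplied by the operator)
# Prints one finding per line; returns 0 if clean, 1 if anything was found.
audit_deploy() {
    local dir="$1" expected="$2" found=0 out head gitdir hook
    # 1. HEAD must be the expected commit, not just "some clean commit".
    head=$(git -C "$dir" rev-parse HEAD) || return 2
    if [ "$head" != "$expected" ]; then
        echo "HEAD $head (expected $expected)"; found=1
    fi
    # 2. Index entries marked assume-unchanged (lowercase tag) or
    #    skip-worktree (S) are skipped by 'git status'; report them first.
    out=$(git -C "$dir" ls-files -v | grep '^[[:lower:]S] ' || true)
    if [ -n "$out" ]; then
        printf '%s\n' "$out" | sed 's/^/HIDDEN /'; found=1
    fi
    # 3. Staged, modified, untracked and ignored paths in the work tree.
    out=$(git -C "$dir" status --porcelain --ignored --untracked-files=all)
    if [ -n "$out" ]; then
        printf '%s\n' "$out" | sed 's/^/WORKTREE /'; found=1
    fi
    # 4. Active hooks: any file in the hooks directory that is not a
    #    *.sample template, and any redirected hooks directory.
    gitdir=$(git -C "$dir" rev-parse --absolute-git-dir)
    for hook in "$gitdir"/hooks/*; do
        [ -f "$hook" ] || continue
        case "$hook" in
            *.sample) ;;
            *) echo "HOOK $hook"; found=1 ;;
        esac
    done
    if out=$(git -C "$dir" config --get core.hooksPath); then
        echo "HOOKSPATH $out"; found=1
    fi
    return "$found"
}
```

A check like this only sees what the git binary on that host reports, so it is best run from a separate trusted host or toolset against a copy of the deployed tree.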