On 26/06/2014 17:03, Andre Klapper wrote:
I have seen several 'bug reports' in Mozilla Bugzilla by 'security researchers' about source code of projects being exposed on Mozilla's servers. Clearly a security breach. What does "FOSS" stand for?
So it boils down to "how to keep clueless people out", to be rough.
Eons ago, we had a couple security experts that paid us a visit to the then very young #mediawiki .
They were willing to help us by auditing the code for security and had already found a pretty nasty bug that could be a vector of attacks against other websites.
It was possible to inject into an uploaded image arbitrary code such as JavaScript (enclosed in <script>), then embed that image on another site and point a victim at it.
Damn. Wikipedia, a few years old, was a serious threat to the internet. We were shocked and took the matter very "seriously".
Then it was either Brion or Tim that showed up and wrote something like:
Your attack vector is too complicated. Just paste the JavaScript to any page by pressing [edit].
Two security experts promptly disappeared.