On 26/06/2014 17:03, Andre Klapper wrote:
> I have seen several 'bug reports' in Mozilla Bugzilla by 'security researchers' about source code of projects being exposed on Mozilla's servers. Clearly a security breach. What does "FOSS" stand for?
So it boils down to "how to keep clueless people out", to be rough.
Eons ago, we had a couple of security experts who paid us a visit in the then very young #mediawiki.
They were willing to help us by auditing the code security and had already found a pretty nasty bug that could be a vector of attacks against other websites.
It was possible to inject into an uploaded image any arbitrary code, such as JavaScript (enclosed in <script>), then embed that image on another site and point a victim at it.
Damn. Wikipedia, a few years old, has been a serious threat to the
internet. We were shocked and took the matter very "seriously".
Then it was either Brion or Tim who showed up and wrote something like:
Your attack vector is too complicated. Just paste the JavaScript to any
page by pressing [edit].
Two security experts promptly disappeared.
--
Antoine "hashar" Musso
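The image-upload vector described in the mail relies on a browser sniffing an "image" whose bytes contain HTML and executing the script inside it. The example below is added here to illustrate the defensive checks a wiki-style upload handler would apply; it is not MediaWiki's code, and the function names, the marker list and the sample uploads are constructed for this illustration. It verifies the magic bytes against the declared type, rejects files carrying HTML-looking markup anywhere in the body (comment and text chunks included), and shows the response headers that stop content sniffing on the serving side.

```python
import re
from typing import Optional, Tuple

# Magic-number prefixes for the raster formats a wiki would typically accept.
# These are the standard file signatures, not anything from the original mail.
IMAGE_SIGNATURES = {
    "image/png": (b"\x89PNG\r\n\x1a\n",),
    "image/jpeg": (b"\xff\xd8\xff",),
    "image/gif": (b"GIF87a", b"GIF89a"),
}

# Tags whose presence lets a content-sniffing browser treat a file as HTML.
# Constructed, deliberately broad heuristic for this example.
MARKUP_RE = re.compile(
    rb"<\s*(?:!doctype|html|head|body|script|iframe|object|embed|svg|meta|style|img|a\s)",
    re.IGNORECASE,
)


def sniff_image_type(data: bytes) -> Optional[str]:
    """Return the image MIME type implied by the file's magic bytes, or None."""
    for mime, signatures in IMAGE_SIGNATURES.items():
        if any(data.startswith(sig) for sig in signatures):
            return mime
    return None


def contains_markup(data: bytes) -> bool:
    """True if HTML-looking tags appear anywhere in the file, not just the header."""
    return MARKUP_RE.search(data) is not None


def validate_upload(data: bytes, declared_mime: str) -> Tuple[bool, str]:
    """Accept only files whose bytes are a real image of the declared type and
    that carry no embedded markup. Returns (accepted, reason_or_type)."""
    detected = sniff_image_type(data)
    if detected is None:
        return False, "rejected: not a recognised image format"
    if detected != declared_mime:
        return False, f"rejected: declared {declared_mime} but bytes say {detected}"
    if contains_markup(data):
        return False, "rejected: image contains HTML/script markup"
    return True, detected


def response_headers(mime: str) -> dict:
    """Headers for serving a stored upload: an explicit type plus nosniff, so the
    browser cannot reinterpret the bytes as HTML even if the checks above are bypassed."""
    return {
        "Content-Type": mime,
        "X-Content-Type-Options": "nosniff",
        "Content-Disposition": "inline",
    }


# Constructed sample uploads (not real files from the discussion).
CLEAN_PNG = b"\x89PNG\r\n\x1a\n" + b"\x00" * 64
TAINTED_GIF = b"GIF89a" + b"\x01\x00\x01\x00" + b"<script>alert(1)</script>" + b"\x3b"
RENAMED_HTML = b"<html><body><script>alert(1)</script></body></html>"

if __name__ == "__main__":
    for name, blob, declared in [
        ("clean.png", CLEAN_PNG, "image/png"),
        ("tainted.gif", TAINTED_GIF, "image/gif"),
        ("page.png (really HTML)", RENAMED_HTML, "image/png"),
    ]:
        print(name, validate_upload(blob, declared))
    print(response_headers("image/png"))
```

The markup scan covers the whole file rather than only the first few hundred bytes because image formats allow free-form comment or text chunks late in the file, and the second point of the mail still stands: validating uploads does nothing about script that an editor can type directly into a page, which is a separate output-sanitisation problem.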