On Wed, Sep 16, 2009 at 11:14 AM, Aryeh Gregor <Simetrical+wikilist@gmail.com> wrote:
On Tue, Sep 15, 2009 at 6:40 PM, Anthony <wikimail@inbox.org> wrote:
There are. You didn't want us to describe them in our article, did you?
All nontrivial software has unknown security vulnerabilities.
Fine, I'm willing to leave it at that. I just felt the need to defend Judd (and, as a board member of the non-profit which published the blog article, myself) against a claim of lying in a blog post.
It should be noted, though, that actual demonstrated risk is probably more important to users than theoretical patch response times. For whatever reason, attacks on MediaWiki seem to be comparatively rare.
I think the "soft security" model is oftentimes a good one. It certainly blurs the lines between what is a "security breach" and what is vandalism, and gives the script kiddies something to do which doesn't constitute a true security breach.
I would be interested in hearing of any real-world attacks anyone knows of -- there must have been *some*, but I've never heard of one.
The only one I can think of that I know of directly would be the IP spoofing one where the attacker pretended to be a proxy and sent a false "IP forwarded" or whatever.
But indirectly I know of many "Grawp" exploits. I guess I know of one of those directly, which is whatever I got hit with on my MediaWiki installation. I never investigated what specifically it was, though.
There's also various forms of nasty once-upon-a-time unrecoverable vandalism like moving a page on top of another which arguably aren't security holes but arguably *are* security holes in the form of design flaws.
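The "pretended to be a proxy" attack mentioned above is a general one: a web application that reads the client address out of X-Forwarded-For without first checking that the connection actually came from one of its own reverse proxies lets any direct client choose the IP it is logged and blocked under. Below is an added illustration of that failure mode beside a hardened lookup; it is standalone example code written for this note, not MediaWiki's code or any code from the thread. The proxy range (192.0.2.0/24), the request addresses and the header values are constructed test data.

```python
import ipaddress


def naive_client_ip(remote_addr, xff_header):
    """Vulnerable pattern: believe X-Forwarded-For from anyone.

    A client that connects directly (not through our proxy) can send
    'X-Forwarded-For: 10.0.0.5' and be treated as 10.0.0.5, so IP-based
    blocks, rate limits and audit logs all record the wrong address.
    """
    if xff_header:
        return xff_header.split(",")[0].strip()
    return remote_addr


def _is_valid_ip(value):
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def client_ip(remote_addr, xff_header, trusted_proxies):
    """Hardened lookup: only peel off hops we know are our own proxies.

    remote_addr     - peer address of the TCP connection; an attacker cannot
                      choose this without controlling the network path.
    xff_header      - raw X-Forwarded-For value, comma separated, with the
                      original client on the left and the nearest hop on
                      the right (each proxy appends its caller).
    trusted_proxies - CIDR strings for proxies whose appended entries we
                      accept (hypothetical list; an operator supplies it).

    Walk the chain from the right. Each step is taken only while the
    address we currently hold belongs to a trusted proxy, so the first
    address that is not one of our proxies is the real client. A client
    connecting directly never passes the first check and its header is
    ignored entirely.
    """
    trusted = [ipaddress.ip_network(n) for n in trusted_proxies]

    def is_trusted(addr):
        if not _is_valid_ip(addr):
            return False
        ip = ipaddress.ip_address(addr)
        return any(ip in net for net in trusted)

    chain = [h.strip() for h in (xff_header or "").split(",") if h.strip()]
    current = remote_addr
    while chain and is_trusted(current):
        hop = chain.pop()
        if not _is_valid_ip(hop):
            # A trusted proxy appended garbage; do not guess, fall back to
            # the address we can actually vouch for.
            return remote_addr
        current = hop
    return current


if __name__ == "__main__":
    PROXIES = ["192.0.2.0/24"]          # constructed: our reverse proxies
    # Direct connection from 203.0.113.7 claiming to be 10.0.0.5
    print(naive_client_ip("203.0.113.7", "10.0.0.5"))            # 10.0.0.5 (spoofed)
    print(client_ip("203.0.113.7", "10.0.0.5", PROXIES))         # 203.0.113.7
    # Same claim, but genuinely relayed through proxy 192.0.2.10
    print(client_ip("192.0.2.10", "10.0.0.5, 203.0.113.7", PROXIES))  # 203.0.113.7
```

Note that the hardened version still lets a client pad the left end of the header with anything it likes; that part is never consulted because the walk stops at the first untrusted hop. Rate limiting and blocking should therefore key on the address this function returns, never on the raw header.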