On Wed, Sep 16, 2009 at 11:14 AM, Aryeh Gregor <Simetrical+wikilist(a)gmail.com> wrote:

> On Tue, Sep 15, 2009 at 6:40 PM, Anthony <wikimail(a)inbox.org> wrote:
>> There are. You didn't want us to describe them in our article, did you?
>
> All nontrivial software has unknown security vulnerabilities.
Fine, I'm willing to leave it at that. I just felt the need to defend Judd (and, as a board member of the non-profit which published the blog article, myself) against a claim of lying in a blog post.
> It should be noted, though, that actual demonstrated risk is probably more important to users than theoretical patch response times. For whatever reason, attacks on MediaWiki seem to be comparatively rare.
I think the "soft security" model is oftentimes a good one. It certainly blurs the lines between what is a "security breach" and what is vandalism, and gives the script kiddies something to do which doesn't constitute a true security breach.
> I would be interested in hearing of any real-world attacks anyone knows of -- there must have been *some*, but I've never heard of one.
The only one I can think of that I know of directly would be the IP spoofing one where the attacker pretended to be a proxy and sent a false "IP forwarded" or whatever.

But indirectly I know of many "Grawp" exploits. I guess I know of one of those directly, which is whatever I got hit with on my MediaWiki installation. I never investigated what specifically it was, though.

There are also various forms of nasty once-upon-a-time unrecoverable vandalism, like moving a page on top of another, which arguably aren't security holes but arguably *are* security holes in the form of design flaws.