Brion Vibber brion@pobox.com writes:
Last night someone hacked the password of one of the French Wikipedia sysops, Youssefsan. (Using IP 217.144.0.5, possibly a proxy?)
Seems to be a Jordanian IP range:

Process query: '217.144.0.5'
Query recognized as IP.
Querying whois.ripe.net:43 with whois.

% This is the RIPE Whois server.
% The objects are in RPSL format.
%
% Rights restricted by copyright.
% See http://www.ripe.net/ripencc/pub-services/db/copyright.html

inetnum:      217.144.0.0 - 217.144.6.255
netname:      NEXTJO
descr:        Network Exchange Technology
descr:        Farah Trading & Contracting Co.
descr:        P.O.Box 510449, Amman 11151 Jordan
country:      JO
admin-c:      MF13297-RIPE
tech-c:       MF16025-RIPE
status:       ASSIGNED PA
notify:       mohammad_farraj@hotmail.com
mnt-by:       RIPE-NCC-NONE-MNT
changed:      mohammad_farraj@hotmail.com 20021120
source:       RIPE
I've changed the sysop's SQL query to use a separate mysql user account which has read-only access and isn't allowed to read the email and password fields of the user table, which should close the 'malicious sysop' hole. (However, developers still have full access.)
fine :-) However, the general problem of stored passwords remains. It would be inconvenient for sysops but maybe better in regard to security to generally prohibit storing sysop and developer passwords in permanent cookies and maybe force a password change from time to time.
greetings, elian
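The privilege split Brion describes above (a separate, read-only MySQL account for the sysop query feature that cannot read the email and password columns of the user table) can be expressed with MySQL column-level grants. The statements below are an added illustration, not Brion's actual change and not MediaWiki's own code; the database name wikidb, the table names cur, old and user, the column names user_id, user_name, user_rights, user_password and user_email, and the account name wiki_query_ro are all assumptions and must be adjusted to the real schema.

```sql
-- Added example of the mitigation described in the thread; all names
-- (wikidb, cur, old, user, user_* columns, wiki_query_ro) are assumed.

-- The hole: if the sysop query feature runs as the wiki's main DB
-- account, a sysop can read every column of every table, e.g.
--   GRANT ALL PRIVILEGES ON wikidb.* TO 'wikiuser'@'localhost';
-- and therefore SELECT user_password, user_email FROM user.

-- The fix: a dedicated account that can only read, and on the user
-- table only the columns listed in the grant.
-- (On MySQL 4.x the account was created with GRANT ... IDENTIFIED BY;
-- CREATE USER exists from MySQL 5.0 on.)
CREATE USER 'wiki_query_ro'@'localhost' IDENTIFIED BY 'REPLACE-WITH-A-RANDOM-SECRET';

-- Whole-table read access only where nothing secret is stored.
GRANT SELECT ON wikidb.cur TO 'wiki_query_ro'@'localhost';
GRANT SELECT ON wikidb.old TO 'wiki_query_ro'@'localhost';

-- Column-level grant on the user table. user_password and user_email are
-- deliberately not listed, so from this account both
--   SELECT user_password FROM user;
-- and
--   SELECT * FROM user;
-- fail with "SELECT command denied to user ... for column 'user_password'
-- in table 'user'", while listed columns remain queryable.
GRANT SELECT (user_id, user_name, user_rights)
    ON wikidb.user TO 'wiki_query_ro'@'localhost';

-- Check the resulting privilege set before wiring the account into the
-- query feature; nothing beyond SELECT should appear.
SHOW GRANTS FOR 'wiki_query_ro'@'localhost';

-- Expected behaviour when connected as wiki_query_ro:
--   SELECT user_name, user_rights FROM user WHERE user_rights LIKE '%sysop%';  -- allowed
--   SELECT user_password, user_email FROM user;                                -- denied
--   UPDATE user SET user_rights = 'sysop' WHERE user_id = 1;                  -- denied (no UPDATE grant)
```

Two caveats a practitioner should keep in mind. First, this closes only the path through the sysop query feature: anyone with the main database credentials or shell access (the developers Brion mentions) still reads everything, which is why the grant list should be reviewed whenever a new table that carries secrets is added. Second, it does nothing about how passwords are stored or carried in cookies, which is the separate problem elian raises.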