On 12/06/13 05:16, Ingo Malchow wrote:
On Tuesday, 11 June 2013, 14:42:36, Chad wrote:
Indeed, it'd be pretty hard to do. Since we use git, anyone trying to sneak
something in would break history and likely get noticed.
That is not entirely true. Considering the live website is at best a git clone
and not the main git repo (or just an automatic mirror of the git sources),
all you'd need to get is access to the server, and to secretly modify the live
sources. You could also set up a git merge hook, where git is pulled and on
top of that applies your backdoor again, so the sysadmins won't notice in the
first place.
No git commits involved here.
Just food for thought ;)
Like Brion said, this is the MediaWiki list, so what you can do on a
single live website is not really relevant.
It would probably be possible to insert a back door into MediaWiki, in
the form of a non-obvious arbitrary script execution vulnerability. If
it was done with care, by an agent planted long in advance, it would
look like an honest mistake, if it was detected. But if I was running
the CIA/NSA/FBI, I could imagine more interesting places to put agents.
-- Tim Starling