As an alternative, please send details of the exploit to the security list,
or just file a security bug.
On Sep 30, 2015 13:03, "John" <phoenixoverride(a)gmail.com> wrote:
Can you provide any documentation on the details of
this exploit?
On Wed, Sep 30, 2015 at 12:50 PM, Daniel Friesen <daniel(a)nadir-seen-fire.com> wrote:
> Bug? There is nothing that can be fixed.
>
> You just have to accept that as long as the login page is on the same
> domain as site scripts, there is no way to stop those scripts from
> controlling the login page.
>
> ~Daniel Friesen (Dantman, Nadir-Seen-Fire) [http://danielfriesen.name/]
>
> On 2015-09-30 9:33 AM, Tyler Romeo wrote:
> > Is there a bug filed for that?
> > On Sep 30, 2015 12:13, "Daniel Friesen" <daniel(a)nadir-seen-fire.com> wrote:
> >
> >> On 2015-09-30 8:48 AM, Chris Steipp wrote:
> >>> * We disable site and user .js on Special:UserLogin, so a malicious admin
> >>> can't add password sniffing javascript to the login page
> >> Note that you can make use of pushState to render this protection moot
> >> for anyone who clicks the login link instead of directly visiting
> >> UserLogin page. Which is practically everyone.
> >>
> >> ~Daniel Friesen (Dantman, Nadir-Seen-Fire) [http://danielfriesen.name/]
_______________________________________________
MediaWiki-l mailing list
To unsubscribe, go to:
https://lists.wikimedia.org/mailman/listinfo/mediawiki-l