On Sun, Sep 18, 2011 at 7:07 PM, bawolff bawolff+wn@gmail.com wrote:
Anthony wrote:
It does not involve generating hash collisions, but it involves finding various bugs in mediawiki and using them to vandalise, often by injecting javascript. The best description I could find was at Encyclopedia Dramatica, which seems to be taken down (there's a cache if you do a google search for "grawp wikipedia"). There's also a description at http://en.wikipedia.org/wiki/User:Grawp , which does not do justice to the "mad hacker skillz" of this individual and his intent on finding bugs in mediawiki and exploiting them.
Say what? Being able to inject js is a very serious vulnerability. If he's doing this, why haven't I seen any security releases triggered by a vandal finding an XSS? has no one reported it?
I have no idea. How long have you been reading the release notes? This was a few years ago that this happened to me, and the software I was using was probably a year or two old.
I didn't investigate into the details of the bug. I didn't have the time to do that, which is why I just took the site down rather than bother.
The pages you link to seem to indicate he's nothing more than a willy-on-wheels type vandal, who at worst tricked an admin into doing a delete of a page with a very high number of revisions making the server kittens cry for a moment. There's no indication he has "mad hacker skillz" in any way or form (and given the tone of that Encyclopedia Dramatica page, I assume they'd be bragging about it if he did).
As I said, I couldn't find a page which described it in detail. Maybe if you look at archive.org?