[OpenStack-Infra] Wiki.o.o sustaining spam attack
Jeremy Stanley
fungi at yuggoth.org
Fri Feb 12 17:15:39 UTC 2016
On 2016-02-12 17:09:12 +0000 (+0000), Jeremy Stanley wrote:
> Wow! That's interesting. I wonder if there's an auth hole in the
> mobile browser support in Mediawiki? If you try to log in with a
> normal browser it sends you to login.launchpad.net to do OpenID
> authentication.
It does indeed look like Mediawiki "Mobile View" uses standard
password authentication and not the OpenID authentication we force
for the normal "Desktop View." The account creation process for it
at
<URL: https://wiki.openstack.org/w/index.php?title=Special:UserLogin&type=signup&returnto=Main+Page&returntoquery=campaign%3DleftNavSignup >
prompts for a "secret word" so if that's something
default/discoverable/guessable then I suppose this is a trivial
bypass of our OpenID restriction. Anybody happen to be familiar with
this? I'm inclined to figure out how to disable the mobile view
until someone has time to research and fix it to use OpenID
exclusively.
--
Jeremy Stanley
More information about the OpenStack-Infra
mailing list