[OpenStack-Infra] Wiki.o.o sustaining spam attack
James E. Blair
corvus at inaugust.com
Fri Feb 12 17:34:21 UTC 2016
Jeremy Stanley <fungi at yuggoth.org> writes:
> On 2016-02-12 17:09:12 +0000 (+0000), Jeremy Stanley wrote:
>> Wow! That's interesting. I wonder if there's an auth hole in the
>> mobile browser support in Mediawiki? If you try to log in with a
>> normal browser it sends you to login.launchpad.net to do OpenID
>> authentication.
>
> It does indeed look like Mediawiki "Mobile View" uses standard
> password authentication and not the OpenID authentication we force
> for the normal "Desktop View." The account creation process for it
> at
> <URL:
> https://wiki.openstack.org/w/index.php?title=Special:UserLogin&type=signup&returnto=Main+Page&returntoquery=campaign%3DleftNavSignup
>>
> prompts for a "secret word" so if that's something
> default/discoverable/guessable then I suppose this is a trivial
> bypass of our OpenID restriction. Anybody happen to be familiar with
> this? I'm inclined to figure out how to disable the mobile view
> until someone has time to research and fix it to use OpenID
> exclusively.
I spot-checked three of the spammer accounts in the db; they had
launchpad OpenID accounts.
-Jim
More information about the OpenStack-Infra
mailing list